Accessing Cloud Resources
Overview
The Control Plane platform enables your workloads, regardless of the cloud provider and location it is running at, to consume native services from different cloud providers in a least-privilege manner, without requiring developers to embed credentials to consume those services (e.g., S3, Dynamo, Big Query, etc.).
This capability is optional.
It is provided to alleviate the many facets of credential management. By leveraging this capability, the running of workloads is more straightforward. This approach is utilized by cloud providers who term it “temporary session credentials”. See this link to review how AWS uses temporary credentials.
Customers choosing to define fine-grained access that allows a workload to access cloud resources must perform the following:
- Register with Control Plane a cloud account for each cloud provider (AWS, Azure, or GCP) that hosts the resources your workload requires
- Create an identity and assign the desired cloud access to resources within each registered cloud account
- Assign the identity to a workload. Only one identity can be assigned to a particular workload. Identities can be re-used by multiple workloads and have the same set of permissions.
For Control Plane to provision and de-provision the identity's access to consume native cloud services, Control Plane must be able to:
- Create
Rolesin AWS - Create
App registrationsin Azure - Create
Service Accountsin GCP
For additional details on this process, refer to the cloud account reference page for each cloud provider: