The Control Plane platform enables your workloads, regardless of the cloud provider and location they are running in, to consume native services from different cloud providers (e.g., S3, Dynamo, Big Query) in a least-privilege manner, without requiring developers to embed credentials to consume those services.
This capability is optional.
It is provided to alleviate the many facets of credential management. Leveraging this capability makes running workloads more straightforward. Cloud providers use the same approach, which they term “temporary session credentials”. See this link to review how AWS uses temporary credentials.
Customers choosing to define fine-grained access that allows a workload to access cloud resources must perform the following:
For Control Plane to provision and de-provision the identity's access to consume native cloud services, Control Plane must be able to:
Roles in AWS
App registrations in Azure
Service Accounts in GCP

For additional details on this process, refer to the cloud account reference page for each cloud provider: