Overview

Control Plane enables workloads to access native services from AWS, Azure, and GCP in a least-privilege manner, regardless of where the workloads run. Developers do not need to embed credentials to access services such as S3, DynamoDB, and BigQuery. This capability is optional. It simplifies credential management by allowing workloads to obtain temporary credentials dynamically instead of relying on embedded secrets. Cloud providers refer to these as “temporary session credentials.” For more information, see AWS temporary security credentials.

To grant a workload fine-grained access to cloud resources, complete the following steps:
  • Register a cloud account with Control Plane for each cloud provider (AWS, Azure, or GCP) that hosts the resources your workload requires.
  • Create an identity and assign the desired cloud access permissions to resources within each registered cloud account.
  • Assign the identity to a workload. Each workload can have only one assigned identity. Identities can be reused by multiple workloads in the same GVC that require the same permissions.
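The workload-side half of this model is that code never holds a long-lived key: it asks its environment for a short-lived session credential and refreshes it before expiry. The following is an added illustration of that pattern, not Control Plane's own code or SDK. The `fetch` callback that obtains credentials from the runtime is a hypothetical stand-in (in practice this is the cloud SDK's credential chain or a metadata endpoint), and the key values in the demo are constructed placeholders.

```python
"""Refreshing provider for temporary cloud session credentials.

Added example, not Control Plane's code. `fetch` is a hypothetical callback
supplied by the caller; the demo functions below use a constructed fake.
"""
from __future__ import annotations

import threading
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class SessionCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime  # must be timezone-aware (UTC)

    def is_temporary(self) -> bool:
        # A temporary session credential carries a token and an expiry;
        # a static access key has neither.
        return bool(self.session_token) and self.expiration.tzinfo is not None


class RefreshingCredentialProvider:
    """Caches temporary credentials and refreshes them before they expire."""

    def __init__(
        self,
        fetch: Callable[[], SessionCredentials],  # hypothetical runtime hook
        refresh_margin: timedelta = timedelta(minutes=5),
        now: Callable[[], datetime] = lambda: datetime.now(timezone.utc),
    ) -> None:
        self._fetch = fetch
        self._margin = refresh_margin
        self._now = now
        self._cached: Optional[SessionCredentials] = None
        self._lock = threading.Lock()  # safe for concurrent callers
        self.refresh_count = 0

    def _needs_refresh(self) -> bool:
        if self._cached is None:
            return True
        # Refresh early so in-flight requests never use a credential that
        # expires mid-call.
        return self._now() >= self._cached.expiration - self._margin

    def get(self) -> SessionCredentials:
        with self._lock:
            if self._needs_refresh():
                creds = self._fetch()
                if not creds.is_temporary():
                    raise ValueError("refusing non-temporary (static) credentials")
                if creds.expiration <= self._now():
                    raise ValueError("fetched credentials are already expired")
                self._cached = creds
                self.refresh_count += 1
            return self._cached


def demo_refresh_behaviour() -> int:
    """Drive the provider with a fake clock; returns how many fetches occurred."""
    clock = {"t": datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)}
    calls = {"n": 0}

    def fake_fetch() -> SessionCredentials:  # constructed stand-in for the runtime
        calls["n"] += 1
        return SessionCredentials(
            access_key_id="ASIA-EXAMPLE-PLACEHOLDER",
            secret_access_key="example-secret-placeholder",
            session_token=f"token-{calls['n']}",
            expiration=clock["t"] + timedelta(hours=1),
        )

    provider = RefreshingCredentialProvider(fake_fetch, now=lambda: clock["t"])
    provider.get()                              # first call: fetch (1)
    clock["t"] += timedelta(minutes=30)
    provider.get()                              # still fresh: served from cache
    clock["t"] += timedelta(minutes=26)         # now inside the 5-minute margin
    provider.get()                              # refreshed early (2)
    return provider.refresh_count


def demo_static_rejected() -> bool:
    """A static key without a session token is refused by the provider."""
    def static_fetch() -> SessionCredentials:  # constructed, deliberately static
        return SessionCredentials(
            "AKIA-EXAMPLE-PLACEHOLDER", "static-secret", "",
            datetime(2099, 1, 1, tzinfo=timezone.utc),
        )

    try:
        RefreshingCredentialProvider(static_fetch).get()
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("fetches:", demo_refresh_behaviour())
    print("static rejected:", demo_static_rejected())
```

The early-refresh margin is the detail practitioners most often get wrong: without it, a credential that is valid when fetched can expire during a long request. Rejecting credentials that lack a session token is a cheap guard against a static key silently creeping back into the workload's environment.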
Control Plane must be able to perform the following actions to provision and revoke an identity’s access to native cloud services:
  • Create Roles in AWS
  • Create App registrations in Azure
  • Create Service Accounts in GCP
For additional detail, refer to the cloud account reference page for each cloud provider: