# Accessing Cloud Resources

> Access AWS, GCP, and Azure services from workloads without embedding credentials. Uses cloud accounts and identities for secure, credential-free access.

## Overview

Control Plane enables [workloads](/reference/workload) to access native services from AWS, Azure, and GCP in a least-privilege manner, regardless of where the workloads run. Developers do not need to embed credentials to access services such as S3, DynamoDB, and BigQuery.

This capability is **optional**.

This feature simplifies credential management by allowing workloads to obtain temporary credentials dynamically instead of relying on embedded secrets. Cloud providers refer to this as "temporary session credentials." For more information, see [AWS temporary security credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html).

To grant a [workload](/reference/workload) fine-grained access to cloud resources, complete the following steps:

* Register a [cloud account](/reference/cloudaccount) with Control Plane for each cloud provider (AWS, Azure, or GCP) that hosts the resources your workload requires.
* Create an [identity](/reference/identity) and assign the desired [cloud access](/guides/create-identity#cloud-access) permissions to resources within each registered [cloud account](/reference/cloudaccount).
* Assign the [identity](/reference/identity) to a [workload](/reference/workload). Each workload can have only one assigned identity. [Identities](/reference/identity) can be reused by multiple workloads in the same GVC that require the same permissions.
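
Once a workload has an identity assigned, its definition should no longer carry static cloud credentials. The following check is an added example, not Control Plane code: it walks a parsed workload definition and flags what remains. The function name `find_embedded_credentials` and the manifest shape are assumptions, and the sample data is constructed.

```python
import re

# Environment variables that hand static credentials to the AWS, Azure and GCP
# SDKs. A workload with an assigned identity should not need any of them.
STATIC_CRED_VARS = {
    "AWS_ACCESS_KEY_ID": "AWS",
    "AWS_SECRET_ACCESS_KEY": "AWS",
    "AZURE_CLIENT_SECRET": "Azure",
    "GOOGLE_APPLICATION_CREDENTIALS": "GCP",  # path to a service-account key file
}
# Long-term AWS access key IDs are 20 characters and start with AKIA.
AWS_KEY_ID = re.compile(r"\bAKIA[A-Z0-9]{16}\b")


def find_embedded_credentials(node, path="$"):
    """Walk a parsed manifest; return (path, provider, reason) findings."""
    findings = []
    if isinstance(node, dict):
        name = node.get("name")
        if isinstance(name, str) and name in STATIC_CRED_VARS:
            # Report the entry once; do not descend into its value.
            return [(path, STATIC_CRED_VARS[name], f"env var {name}")]
        for key, child in node.items():
            findings += find_embedded_credentials(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            findings += find_embedded_credentials(child, f"{path}[{i}]")
    elif isinstance(node, str) and AWS_KEY_ID.search(node):
        findings.append((path, "AWS", "value matches AWS access key ID format"))
    return findings


# Constructed sample; the layout is hypothetical, not Control Plane's schema.
# The key ID is the placeholder used in AWS documentation.
SAMPLE = {
    "name": "report-builder",
    "containers": [{
        "name": "app",
        "args": ["--bucket", "reports"],
        "env": [
            {"name": "AWS_SECRET_ACCESS_KEY", "value": "constructed-placeholder"},
            {"name": "LEGACY_KEY", "value": "AKIAIOSFODNN7EXAMPLE"},
            {"name": "LOG_LEVEL", "value": "info"},
        ],
    }],
}

if __name__ == "__main__":
    for finding in find_embedded_credentials(SAMPLE):
        print(*finding, sep=" | ")
```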

Control Plane must be able to perform the following actions to provision and revoke an [identity's](/reference/identity) access to native cloud services:

* Create `Roles` in AWS
* Create `App registrations` in Azure
* Create `Service Accounts` in GCP

For additional detail, refer to the [cloud account](/reference/cloudaccount) reference page for each cloud provider:

* [AWS](/reference/cloudaccount#aws-details)
* [Azure](/reference/cloudaccount#azure-details)
* [GCP](/reference/cloudaccount#gcp-details)
