Overview

Follow the steps below to create an identity within your GVC.

Prerequisites

Create using the Console

  1. Create a new identity using one of the following methods:
    • Click Identities in the left menu, then click New, or
    • Click the Create dropdown in the upper right corner and select Identity.
  2. Enter a unique name, an optional description, and select the GVC where the identity will be created.
  3. Under Cloud Access, select the cloud provider (AWS, Azure, GCP, or NGS) to configure a cloud access rule.
    • Requires at least one cloud account for the chosen provider to be defined.
    • Depending on the use case of this identity, creating a cloud access rule is optional.
    • See Cloud Access for additional details.
  4. Under Cloud Wormhole, configure private network connectivity.
    • Select FQDN Resources and click Add FQDN to add resources by domain name.
    • Select IP Resources and click Add IP to add resources by IP address.
    • Depending on the use case of this identity, creating a cloud wormhole is optional.
    • See Cloud Wormhole for additional details.
  5. Under Native Networking, configure cloud-native private connectivity.
    • Select AWS PrivateLink and click Add AWS Resource to configure an AWS PrivateLink endpoint.
    • Select GCP Service Connect and click Add GCP Resource to configure a GCP Private Service Connect endpoint.
    • Depending on the use case of this identity, creating a native networking rule is optional.
    • See Native Networking for details.
  6. Optionally, click Tags and enter any tags.
  7. Click Create to create the identity. The identity info page is then shown.
This identity is now available for use in the workload identity setting.

Cloud Access

The cloud access portion of an identity defines cloud resource access rules across one account in each of AWS, Azure, GCP, and NGS. In other words, you can create an identity that allows access to several resources in a particular AWS account and a particular Azure account, but not in two separate Azure accounts. When defining the rule for a particular cloud provider, Control Plane creates and manages (using the registered cloud account) the following object at each cloud provider which acts as a “synthetic identity”:
  • AWS
    • Role
  • Azure
    • App registration
  • GCP
    • Service Account
The minimum set of permissions required by the workload to call the target cloud resources should be assigned to the cloud access rule. When workloads call the cloud resource, they call the services by impersonating the “synthetic identity”. This “synthetic identity” will only have the permissions that were assigned to it. Having multiple cloud providers configured on an identity using cloud access rules grants the workload the ability to call cloud resources at any cloud provider seamlessly and transparently regardless of where it is running. Below are instructions on how to set up cloud access rules using the console for:

AWS

To set up an AWS cloud access rule, select AWS under Cloud Access.
  1. Click the Configure button.
  2. Select one of the registered AWS cloud accounts.
  3. Select one of the following methods:
    • Use an Existing AWS Role:
      • A list of roles is shown. Select a role from the list and verify that the role name is correct.
    • Select Existing AWS Policies:
      • A list of available policies is shown. Select at least one policy from the list.
Verify that the roles or policies selected are correct and click Create. If policies were selected (rather than an existing role), Control Plane will provision a new role in AWS with the same name as the Object Name shown in the Info page of the identity.

Azure

To set up an Azure cloud access rule, select Azure under Cloud Access in the left pane.
  1. Click the Configure button.
  2. Select one of the registered Azure cloud accounts.
  3. Click Add Role Assignment to construct the role assignments:
    • Click the Browse button next to Scope to show the scope selection wizard. Choose the service, region, type, and item. Click Confirm.
    • Click the Browse button next to Roles to show the list of available roles for the selected scope. Select one or more roles. Click Confirm.
    • If additional role assignments are needed, click Add Role Assignment and repeat the first two steps.
Verify that the roles selected are correct and click Create. Control Plane will provision a new App registration in Azure that will be named the same as the Object Name shown in the Info page of the identity.

GCP

To set up a GCP cloud access rule, select GCP under Cloud Access in the left pane.
  1. Click the Configure button.
  2. Select one of the registered GCP cloud accounts.
  3. Select one of the following methods:
    • Use an Existing GCP Service Account:
      • A list of service accounts is shown. Verify that the service account name is correct.
    • Configure Service Account Bindings:
      • Click Add Binding to construct a new binding:
        • Click the Browse button next to Resource to show the resource selection wizard. Choose the service, region, type, and item. Click Confirm.
        • Click the Browse button next to Roles to show the list of available roles for the selected resource. Select one or more roles. Click Confirm.
          • To manually add a role, click the Add button and enter the role name in the empty textbox.
          • Click Add.
        • If additional bindings are needed, click Add Binding. Repeat the first two bullets.
Verify that the roles selected are correct and click Create. If a new service account was selected, Control Plane will provision the new service account in GCP that will be named the same as the Object Name shown in the Info page of the identity.

NGS

Documentation coming soon.

Cloud Wormhole

The cloud wormhole portion of an identity defines network traversal rules from workloads to specific endpoints in private networks (e.g., a VPC). Tunneling network traffic from workloads to specific TCP hosts and ports is facilitated using agents deployed within the private network. Under Cloud Wormhole in the left pane, choose the resource type:

FQDN Resources

Select FQDN Resources and click Add FQDN to add a resource by domain name.
  1. Enter the Fully Qualified Domain Name (FQDN) of the internal resource.
  2. Enter a unique name for this resource.
  3. Select a registered agent matching the environment you want to access.
  4. Optionally, enter the internal IP address that the FQDN will resolve to.
  5. Under Ports, click the Add button and enter at least one port that the resource exposes.
  6. Click Add.
Verify that the FQDN resources are correct and click Create.
The internal resource can be called by the workload using either the FQDN or the name entered in step 2. If the internal resource is configured with TLS, the FQDN must be used.

IP Resources

Select IP Resources and click Add IP to add a resource by IP address.
  1. Enter a unique name for this resource.
    This name will be the hostname your workload will use when calling this resource.
  2. Select a registered agent matching the environment you want to access.
  3. Under IPs, click Add and enter at least one IP address.
  4. Under Ports, click Add and enter at least one port.
  5. Click Add.
A maximum of 5 ports can be added per resource.
Verify that the IP resources are correct and click Create.

Native Networking

Refer to the Native Networking Setup guide for details.

Create using the CLI

Refer to the identity create command for details and examples.