
Overview

Follow the steps below to create an identity within your GVC.

Prerequisites

Create using the UI Console

Follow the steps below to create an identity (requires a GVC):
  1. Create a new identity using one of the following methods:
    • Click Identities in the left menu, then click New, or
    • Click the Create dropdown in the upper right corner and select Identity.
  2. Enter a unique name and optional description.
  3. Under Cloud Access in the left pane, select the cloud provider (AWS, Azure, GCP, or NATS) to configure a cloud access rule. This step is optional, but it requires at least one registered cloud account for the chosen provider. See Cloud Access for details.
  4. Under Cloud Wormhole in the left pane, configure private network connectivity. This step is optional. See Network Resource for details.
    • Select FQDN Resources and click Add FQDN to add resources by domain name.
    • Select IP Resources and click Add IP to add resources by IP address.
  5. Under Native Networking in the left pane, configure cloud-native private connectivity. This step is optional. See Native Networking for details.
    • Select AWS PrivateLink and click Add AWS Resource to configure an AWS PrivateLink endpoint.
    • Select GCP Service Connect and click Add GCP Resource to configure a GCP Private Service Connect endpoint.
  6. Optionally, select Tags from the left pane to add tags.
  7. Click Create.
  8. The identity has been successfully created and the identity info page will be shown. This identity will now be available for use within your workload’s identity setting.

Cloud Access

The cloud access portion of an identity defines cloud resource access rules across one account in each of AWS, GCP and Azure. In other words, you can create an identity that allows access to several resources in a particular AWS account and a particular Azure account, but not in two separate Azure accounts. When defining the policy for a particular cloud provider, Control Plane creates and manages (using the registered cloud account) the following object at each cloud provider which acts as a “synthetic identity”:
  • AWS
    • Role
  • Azure
    • App registration
  • GCP
    • Service Account
Assign only the minimum set of permissions the workload needs to call its target cloud resources to the cloud access policy. When a workload calls a cloud resource, it does so by impersonating the “synthetic identity”, so it can do no more than that identity has been granted. Configuring cloud access rules for multiple cloud providers on a single identity lets the workload call cloud resources at any of those providers seamlessly and transparently, regardless of where it is running. Below are instructions on how to set up cloud access rules using the console for:

AWS

To set up an AWS cloud access policy, select AWS under Cloud Access in the left pane.
  1. Select one of the registered AWS cloud accounts
  2. Select one of the following methods and click Next:
    • Reuse an existing AWS role:
      • A list of roles will be shown.
      • Either select a role from the list or click the Edit Manually button and enter a role name. Click Confirm Manual Input when done.
      • Verify the role name is correct and click Done.
    • Configure a new AWS role with existing policies:
      • A list of available policies will be shown.
      • The policy list can be created by:
        • Selecting at least one policy from the list, or
        • Clicking the Set Policies Manually button, entering a policy name, and clicking Add. Multiple policies can be added manually. Click Set Policies From List to return to the existing policies list.
        • Click Done.
After setting up the AWS cloud access rule, a summary of the selections will be shown. Verify that the policies selected are correct and at the bottom of the page, click Save. If a new AWS role was selected, Control Plane will provision a new role in AWS that will be named the same as the Object Name shown in the Info page of the identity.

Azure

To set up an Azure cloud access policy, select Azure under Cloud Access in the left pane.
  1. Select one of the registered Azure cloud accounts.
  2. Click Next.
  3. Construct the role assignments:
    • Click Select Scope to show the scope selection wizard. Choose the service, region, type, and scope. Click Confirm.
    • Click Select Roles to show the list of available roles for the selected scope. Select one or more roles. Click Confirm.
    • If additional role assignments are needed, click Add Assignment at the top of the modal. Repeat the first two steps.
    • Click Done.
After setting up the Azure cloud access policy, a summary of the selections will be shown. Verify that the roles selected are correct and at the bottom of the page, click Save. Control Plane will provision a new App registration in Azure that will be named the same as the Object Name shown in the Info page of the identity.

GCP

To set up a GCP cloud access policy, select GCP under Cloud Access in the left pane.
  1. Select one of the registered GCP cloud accounts
  2. Select one of the following methods and click Next:
    • Reuse an existing GCP service account:
      • A list of service accounts will be shown.
      • Either select a service account from the list or click the Edit Manually button and enter a service account name. Click Confirm Manual Input when done.
      • Verify the service account name is correct and click Done.
    • Configure a new GCP service account:
      • Construct a new binding:
        • Click Select Resource to show the resource selection wizard. Choose the service, region, type, and resource. Click Confirm.
        • Click Select Roles to show the list of available roles for the selected resource. Select one or more roles. Click Confirm.
        • If additional bindings are needed, click Add Binding at the top of the modal. Repeat the first two steps.
        • Click Done.
After setting up the GCP cloud access policy, a summary of the selections will be shown. Verify that the roles selected are correct and at the bottom of the page, click Save. If a new service account was selected, Control Plane will provision the new Service Account in GCP that will be named the same as the Object Name shown in the Info page of the identity.
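The AWS and GCP sections above both end with you choosing policies or roles for the synthetic identity, and the cloud access rule should carry only the minimum permissions the workload needs. The following Python script is an added example for that review step; it is not Control Plane code and does not use the Control Plane API. It takes plain AWS IAM policy documents (the shape returned by `aws iam get-policy-version` for an existing policy you might pick from the list) and a list of GCP bindings in a simple `{"resource", "roles"}` shape, which is an assumption made for this example rather than the Control Plane manifest schema, and flags grants that are broader than a single workload should have: wildcard or service-wide IAM actions, `Resource: "*"`, inverted `NotAction`/`NotResource` matches, GCP basic roles, and project-wide bindings. The sample policies and bindings are constructed for the example.

```python
"""Least-privilege review for the policies and role bindings attached to an
identity's synthetic cloud principals (added example, not Control Plane code).

Inputs: AWS IAM policy documents as plain dicts, and a constructed list of GCP
bindings shaped {"resource": <full resource name>, "roles": [...]}. The binding
shape is an assumption for this example, not the Control Plane manifest schema.
"""
import json

# GCP basic roles grant broad permissions across a project and are never a
# minimal grant for one workload.
GCP_BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
GCP_PROJECT_SCOPE_PREFIX = "//cloudresourcemanager.googleapis.com/projects/"


def _as_list(value):
    """IAM allows a scalar or a list in Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy_doc):
    """Return (sid, reason) pairs for Allow statements that grant wildcard
    actions, an entire service, or apply to every resource."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy_doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource cannot be bounded to a minimal set"))
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((sid, "Action '*' grants every API call"))
            elif action.endswith(":*"):
                findings.append((sid, f"Action '{action}' grants an entire service"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((sid, "Resource '*' applies to every resource in the account"))
    return findings


def find_overbroad_bindings(bindings):
    """Return (resource, reason) pairs for GCP bindings that use a basic role
    or are scoped to a whole project instead of a specific resource."""
    findings = []
    for binding in bindings:
        resource = binding["resource"]
        for role in binding.get("roles", []):
            if role in GCP_BASIC_ROLES:
                findings.append((resource, f"{role} is a basic role, not a resource-scoped grant"))
        if resource.startswith(GCP_PROJECT_SCOPE_PREFIX):
            findings.append((resource, "binding is project-wide; scope it to the target resource"))
    return findings


# Constructed sample inputs: one tight AWS policy, one over-broad AWS policy,
# and GCP bindings mixing a resource-scoped grant with a project-wide basic role.
TIGHT_AWS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ReadReports",
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]
  }]
}""")

BROAD_AWS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "FullS3",
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": "*"
  }]
}""")

SAMPLE_GCP_BINDINGS = [
    {"resource": "//storage.googleapis.com/projects/_/buckets/example-reports",
     "roles": ["roles/storage.objectViewer"]},
    {"resource": "//cloudresourcemanager.googleapis.com/projects/example-project",
     "roles": ["roles/editor"]},
]


def review(aws_policies, gcp_bindings):
    """Collect findings keyed by AWS policy name, plus a 'gcp' entry."""
    report = {name: find_overbroad_statements(doc) for name, doc in aws_policies.items()}
    report["gcp"] = find_overbroad_bindings(gcp_bindings)
    return report


if __name__ == "__main__":
    report = review(
        {"ReadReportsPolicy": TIGHT_AWS_POLICY, "FullS3Policy": BROAD_AWS_POLICY},
        SAMPLE_GCP_BINDINGS,
    )
    for name, findings in report.items():
        print(f"{name}: {'ok' if not findings else 'REVIEW'}")
        for where, reason in findings:
            print(f"  {where}: {reason}")
```

Run it against the documents of the managed policies you intend to select (for a managed policy, `aws iam get-policy-version --policy-arn ... --version-id ...` returns the document) and against the bindings you plan to construct in the GCP wizard; anything reported should be replaced with a policy or role scoped to the specific resources the workload actually calls before you click Save.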

Network Resource

The network resource portion of an identity defines network traversal rules from workloads into specific endpoints in private networks (e.g., a VPC). Tunneling network traffic from workloads to specific TCP hosts and ports is facilitated using agents deployed within the private network. This capability is referred to as “Cloud Wormhole”. Under Cloud Wormhole in the left pane, choose the resource type:

FQDN Resources

Select FQDN Resources and click Add FQDN to add a resource by domain name.
  1. Select a registered agent matching the environment you’d like to access.
  2. Enter a unique name for this resource.
    This name will be the hostname your workload will use when calling this resource.
  3. Enter the FQDN of the internal resource.
  4. Optionally, enter the internal IP address that the FQDN will resolve to.
  5. Enter at least one port that the resource exposes.
The internal resource can be called by the workload using either the FQDN or the name entered in step 2. If the internal resource is configured with TLS, the FQDN must be used, since the resource’s certificate is issued for the FQDN and hostname verification against the short name would fail.

IP Resources

Select IP Resources and click Add IP to add a resource by IP address.
  1. Select a registered agent matching the environment you’d like to access.
  2. Enter a unique name for this resource.
    This name will be the hostname your workload will use when calling this resource.
  3. Enter at least one IP address.
  4. Enter at least one port.
A maximum of 5 ports can be added per resource.
After setting up the necessary resources, verify that they are correct and click Create.

Create using the CLI

Refer to the identity create command for details and examples on how to create an identity using the CLI.