Overview

Follow the steps below to create an identity within your GVC.

Prerequisites

Create using the UI Console

Follow the steps below to create an identity (requires a GVC):

  1. Create a new identity using one of the following methods:
    • Clicking Identities in the left menu and click New, or
    • Click the Create dropdown in the upper right corner and select Identity.
  2. Enter a unique name and optional description. Click Next (Cloud Access).
  3. Select one of the cloud providers and follow the wizard to configure a cloud access rule. The wizard requires at least one cloud account for the chosen provider to be defined. Depending on the use case of this identity, creating a cloud access definition is optional. See Cloud Access for additional details. Click Next (Network Resources).
  4. Click Add Network Resource and follow the wizard to configure a network resource. The wizard requires at least one agent to exist. Each identity can have multiple network resources defined. Depending on the use case of this identity, creating a network resource is optional. See Network Resource for additional details. Click Next (Tags).
  5. Enter any optional tags. Click Create.
  6. The identity has been successfully created and the identity info page will be shown. This identity will now be available for use within your workload’s identity setting.

Cloud Access

The cloud access portion of an identity defines cloud resource access rules across one account in each of AWS, GCP and Azure. In other words, you can create an identity that allows access to several resources in a particular AWS account and a particular Azure account, but not in two separate Azure accounts.

When defining the policy for a particular cloud provider, Control Plane creates and manages (using the registered cloud account) the following object at each cloud provider which acts as a “synthetic identity”:

  • AWS
    • Role
  • Azure
    • App registration
  • GCP
    • Service Account

The minimum set of permissions required by the workload to call the target cloud resources should be assigned to the cloud access policy.

When workloads call the cloud resource, they call the services by impersonating the “synthetic identity”. This “synthetic identity” will only have the permission that were assigned to it.

Having multiple cloud providers configured on an identity using cloud access rules grants the workload the ability to call cloud resources at any cloud provider seamlessly and transparently regardless of where it running.

Below are instructions on how to set up cloud access rules using the console for:

AWS

To set up an AWS cloud access policy using the console, click on the AWS icon and the wizard modal will appear.

  1. Select one of the registered AWS cloud accounts

  2. Select one of the following methods and click Next:

    • Reuse an existing AWS role:
      • A list of roles will be shown.
      • Either select a role from the list or click the Edit Manually button and enter a role name. Click Confirm Manual Input when done.
      • Verify the role name is correct and click Done.
    • Configure a new AWS role with existing policies:
      • A list of available policies will be shown.
      • The policy list can be created by:
        • Selecting at least one role from the list, or
        • Click the Set Policies Manually button and manually enter the policy name and click Add. Multiple policies can be added manually. Click Set Policies From List to return to the existing policies list.
        • Click Done.

After setting up the AWS cloud access rule, a summary of the selections will be shown. Verify that the policies selected are correct and at the bottom of the page, click Save. If a new AWS role was selected, Control Plane will provision a new role in AWS that will be named the same as the Object Name shown in the Info page of the identity.

Azure

To set up an Azure cloud access policy using the console, click on the Azure icon and the wizard modal will appear.

  1. Select one of the registered Azure cloud accounts.
  2. Click Next.
  3. Construct the role assignments:
    • Click Select Scope to show the scope selection wizard. Choose the service, region, type, and scope. Click Confirm.
    • Click Select Roles to show the list of available roles for the selected scope. Select one or more roles. Click Confirm.
    • If additional role assignments are needed, click Add Assignment at the top of the modal. Repeat the first two steps.
    • Click Done.

After setting up the Azure cloud access policy, a summary of the selections will be shown. Verify that the roles selected are correct and at the bottom of the page, click Save. Control Plane will provision a new App registration in Azure that will be named the same as the Object Name shown in the Info page of the identity.

GCP

To set up a GCP cloud access policy using the console, click on the GCP icon and the wizard modal will appear.

  1. Select one of the registered GCP cloud accounts

  2. Select one of the following methods and click Next:

    • Reuse an existing GCP service account:
      • A list of service accounts will be shown.
      • Either select a service account from the list or click the Edit Manually button and enter a service account name. Click Confirm Manual Input when done.
      • Verify the service account name is correct and click Done.
    • Configure a new GCP service account:
      • Construct a new binding:
        • Click Select Resource to show the resource selection wizard. Choose the service, region, type, and resource. Click Confirm.
        • Click Select Roles to show the list of available roles for the selected resource. Select one or more roles. Click Confirm.
        • If additional bindings are needed, click Add Binding at the top of the modal. Repeat the first two steps.
        • Click Done

After setting up the GCP cloud access policy, a summary of the selections will be shown. Verify that the roles selected are correct and at the bottom of the page, click Save. If a new service account was selected, Control Plane will provision the new Service Account in GCP that will be named the same as the Object Name shown in the Info page of the identity.

Network Resource

The network resource portion of an identity defines network traversal rules from workloads into specific endpoints in private networks (e.g., a VPC).

Tunneling network traffic from workloads to specific TCP hosts and ports is facilitated using agents deployed within the private network. This capability is referred to as “wormholes”.

To set up a new network resource, click the Network Resources link and click Add Network Resource.

  1. Select a registered agent matching the environment you’d like to access.

  2. Enter a unique name for this resource.

    This name will be the hostname your workload will use when calling this resource.

  3. Choose one of the following resource discovery methods:

    • Fully Qualified Domain Name (FQDN):

      • Enter the FQDN of the internal resource.
      • Optionally, enter the internal IP address that the above FQDN will resolve to.
      • Enter at least one port that the resource exposes.

      When selecting FQDN, the internal resource can be called by the workload using either the FQDN or the name entered in step 2. If the internal resource is configured with TLS, the FQDN must be used.

    • IP:

      • Enter at least one IP address.
      • Enter at least one port.

      When selecting IP, the internal resource is called by the workload using the name entered in step 2.

A maximum of 5 ports can be added.
  1. If additional resources are needed, click the Add Network Resource button again and repeat the steps above.
  2. After setting up the necessary resources, verify that they are correct and at the bottom of the page, click Save.

Create using the CLI

Refer to the identity create command for details and examples on how to create an identity using the CLI.