# Create an Identity

> Create an identity within a GVC to configure cloud access rules, cloud wormholes, and native networking for your workloads.

## Overview

Follow the steps below to create an [identity](/reference/identity) within your [GVC](/reference/gvc).

## Prerequisites

* Review the [identity](/reference/identity) reference page.
* Have [permissions](/reference/identity#permissions) to create an [identity](/reference/identity).
* Optional: Install the [CLI](/cli-reference/installation).

## Create using the Console

1. Create a new identity using one of the following methods:
   * Click `Identities` in the left menu, then click `New`, or
   * Click the `Create` dropdown in the upper right corner and select `Identity`.
2. Enter a unique name, an optional description, and select the GVC where the identity will be created.
3. Under `Cloud Access`, select the cloud provider (`AWS`, `Azure`, `GCP`, or `NGS`) to configure a cloud access rule.
   * Requires at least one [cloud account](/reference/cloudaccount) for the chosen provider to be defined.
   * Depending on the use case of this identity, creating a cloud access rule is optional.
   * See [Cloud Access](#cloud-access) for additional details.
4. Under `Cloud Wormhole`, configure private network connectivity.
   * Select `FQDN Resources` and click `Add FQDN` to add resources by domain name.
   * Select `IP Resources` and click `Add IP` to add resources by IP address.
   * Depending on the use case of this identity, creating a cloud wormhole is optional.
   * See [Cloud Wormhole](#cloud-wormhole) for additional details.
5. Under `Native Networking`, configure cloud-native private connectivity.
   * Select `AWS PrivateLink` and click `Add AWS Resource` to configure an AWS PrivateLink endpoint.
   * Select `GCP Service Connect` and click `Add GCP Resource` to configure a GCP Private Service Connect endpoint.
   * Depending on the use case of this identity, creating a native networking rule is optional.
   * See [Native Networking](#native-networking) for details.
6. Optionally, click `Tags` and enter any [tags](/core/misc#tags).
7. Click `Create` to create the identity. The identity info page is then shown.

<Tip>
  This identity is now available for use in the [workload identity](/reference/workload#identity) setting.
</Tip>

## Cloud Access

The cloud access portion of an identity defines cloud resource access rules for at most one account per cloud provider (AWS, Azure, GCP, and NGS). For example, a single identity can grant access to several resources in a particular AWS account and a particular Azure account, but it cannot span two separate Azure accounts.

When defining the rule for a particular cloud provider, Control Plane creates and manages (using the registered [cloud account](/reference/cloudaccount)) the following object at each cloud provider which acts as a "synthetic identity":

* AWS
  * Role
* Azure
  * App registration
* GCP
  * Service Account

Assign the cloud access rule only the minimum set of permissions the [workload](/reference/workload) needs to call its target cloud resources. Whatever is granted to the synthetic identity is available to every workload that references this identity.

When a [workload](/reference/workload) calls a cloud resource, it does so by impersonating the **"synthetic identity"**, which has only the permissions assigned to it through the cloud access rule.

Configuring cloud access rules for several providers on one [identity](/reference/identity) lets the [workload](/reference/workload) call cloud resources at any of those providers in the same way, regardless of the cloud or location where the workload is running.
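Because the synthetic identity carries exactly the permissions selected in the cloud access rule, it is worth linting a policy document for over-broad grants before choosing it. The following script is an added example (not Control Plane code, and not tied to any Control Plane API): it flags `Action: "*"`, service-wide and partial action wildcards, `NotAction`, and `Resource: "*"` combined with non-read-only actions. The sample policy is constructed for illustration.

```python
"""Least-privilege lint for an IAM policy document before it is attached to the
synthetic identity. Added example (not Control Plane code); the policy below
is constructed for illustration."""
import json
import sys

# Constructed sample: a narrow statement followed by two over-broad ones.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-assets/*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
}

READ_ONLY_VERBS = ("Get", "List", "Describe", "Head")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True for e.g. 's3:GetObject'; wildcards and service-wide grants are not."""
    if ":" not in action:
        return False
    verb = action.split(":", 1)[1]
    return verb.startswith(READ_ONLY_VERBS) and "*" not in verb


def lint_policy(policy):
    """Return (statement_index, severity, message) findings for Allow statements."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        # A Condition can scope a wildcard; treat it as mitigating, not removing, the risk.
        wild_sev = "medium" if st.get("Condition") else "high"
        if "NotAction" in st:
            findings.append((idx, wild_sev, "NotAction allows everything except the listed actions"))
        for action in actions:
            if action == "*":
                findings.append((idx, wild_sev, "Action '*' allows every API call"))
            elif action.endswith(":*"):
                findings.append((idx, wild_sev, f"service-wide wildcard {action}"))
            elif "*" in action:
                findings.append((idx, "medium", f"partial wildcard {action}"))
        if "*" in resources and actions and not all(is_read_only(a) for a in actions):
            findings.append((idx, wild_sev, "Resource '*' with non-read-only actions"))
    return findings


if __name__ == "__main__":
    # Accepts a bare policy document or the JSON printed by `aws iam get-policy-version`.
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POLICY
    if "PolicyVersion" in doc:
        doc = doc["PolicyVersion"]["Document"]
    for idx, sev, msg in lint_policy(doc):
        print(f"statement[{idx}] {sev}: {msg}")
```

For an AWS managed policy you intend to pick under `Select Existing AWS Policies`, you can feed its current document in with `aws iam get-policy-version --policy-arn <arn> --version-id <id> | python lint_policy.py`, where the version id comes from `aws iam get-policy`. The checks are heuristics: a read-only action on `Resource: "*"` is often unavoidable (many `Describe*` calls do not support resource ARNs), and a `Condition` block can legitimately narrow a wildcard, so treat findings as prompts to review rather than hard failures.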

Below are instructions on how to set up cloud access rules using the console for:

* [AWS](#aws)
* [Azure](#azure)
* [GCP](#gcp)
* [NGS](#ngs)

### AWS

To set up an AWS cloud access rule, select `AWS` under `Cloud Access`.

1. Click the `Configure` button.
2. Select one of the registered AWS [cloud accounts](/reference/cloudaccount).
3. Select **one** of the following methods:
   * `Use an Existing AWS Role`:
     * A list of roles is shown. Select a role from the list and verify that the role name is correct.
   * `Select Existing AWS Policies`:
     * A list of available policies is shown. Select at least one policy from the list.

Verify that the role or policies selected are correct and click `Create`. If `Select Existing AWS Policies` was chosen, Control Plane provisions a new role in AWS with those policies attached, named the same as the `Object Name` shown on the `Info` page of the [identity](/reference/identity).

### Azure

To set up an Azure cloud access rule, select `Azure` under `Cloud Access` in the left pane.

1. Click the `Configure` button.
2. Select one of the registered Azure [cloud accounts](/reference/cloudaccount).
3. Click `Add Role Assignment` to construct the role assignments:
   * Click the `Browse` button next to `Scope` to show the scope selection wizard. Choose the service, region, type, and item. Click `Confirm`.
   * Click the `Browse` button next to `Roles` to show the list of available roles for the selected scope. Select one or more roles. Click `Confirm`.
   * If additional role assignments are needed, click `Add Role Assignment` and repeat the first two steps.

Verify that the roles selected are correct and click `Create`. Control Plane will provision a new App registration in Azure that will be named the same as the `Object Name` shown in the `Info` page of the [identity](/reference/identity).

### GCP

To set up a GCP cloud access rule, select `GCP` under `Cloud Access` in the left pane.

1. Click the `Configure` button.
2. Select one of the registered GCP [cloud accounts](/reference/cloudaccount).
3. Select one of the following methods:
   * `Use an Existing GCP Service Account`:
     * A list of service accounts is shown. Select a service account from the list and verify that the service account name is correct.
   * `Configure Service Account Bindings`:
     * Click `Add Binding` to construct a new binding:
       * Click the `Browse` button next to `Resource` to show the resource selection wizard. Choose the service, region, type, and item. Click `Confirm`.
       * Click the `Browse` button next to `Roles` to show the list of available roles for the selected resource. Select one or more roles. Click `Confirm`.
         * To manually add a role, click the `Add` button and enter the role name in the empty textbox.
         * Click `Add`.
       * If additional bindings are needed, click `Add Binding`. Repeat the first two bullets.

Verify that the roles selected are correct and click `Create`. If `Configure Service Account Bindings` was chosen, Control Plane provisions a new service account in GCP with those bindings, named the same as the `Object Name` shown on the `Info` page of the [identity](/reference/identity).

### NGS

Documentation coming soon.

## Cloud Wormhole

The cloud wormhole portion of an [identity](/reference/identity) defines network traversal rules from [workloads](/reference/workload) to specific endpoints in private networks (e.g., a VPC).

Network traffic from [workloads](/reference/workload) is tunneled to specific TCP hosts and ports through [agents](/reference/agent) deployed within the private network, so the selected agent must itself be able to reach each host and port you declare.

Under `Cloud Wormhole` in the left pane, choose the resource type:

### FQDN Resources

Select `FQDN Resources` and click `Add FQDN` to add a resource by domain name.

1. Enter the Fully Qualified Domain Name (FQDN) of the internal resource.
2. Enter a unique `name` for this resource.
3. Select a registered [agent](/reference/agent) matching the environment you want to access.
4. Optionally, enter the internal IP address that the FQDN will resolve to.
5. Under `Ports`, click the `Add` button and enter at least one port that the resource exposes.
6. Click `Add`.

Verify that the FQDN resources are correct and click `Create`.

<Note>
  The workload can reach the internal resource using either the FQDN or the `name` entered in step 2. If the internal resource uses TLS, the workload must connect using the FQDN, because the server certificate is validated against the hostname the client presents.
</Note>

### IP Resources

Select `IP Resources` and click `Add IP` to add a resource by IP address.

1. Enter a unique `name` for this resource.
   <Note>
     This `name` will be the hostname your [workload](/reference/workload) will use when calling this resource.
   </Note>
2. Select a registered [agent](/reference/agent) matching the environment you want to access.
3. Under `IPs`, click `Add` and enter at least one IP address.
4. Under `Ports`, click `Add` and enter at least one port.
5. Click `Add`.

<Info>
  A maximum of **5** ports can be added per resource.
</Info>

Verify that the IP resources are correct and click `Create`.
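After the FQDN and IP resources above are created, a quick way to confirm the wormhole from inside a workload is to attempt a connection to every declared host and port. The script below is an added example (not Control Plane code): the resource entries mirror the console fields but are constructed here, the per-resource `tls` flag is an assumption of this script rather than a console setting, and the page's five-port limit is applied to both resource kinds. It connects to FQDN resources by their FQDN so that TLS certificate verification and SNI work, reaches IP resources by their `name`, and refuses to combine TLS with an IP resource rather than silently skipping verification.

```python
"""Connectivity smoke test for cloud wormhole resources, meant to be run from
inside a workload that uses the identity. Added example (not Control Plane
code); the resource entries below are constructed to mirror the console fields,
and the per-resource `tls` flag is an assumption of this script, not a console
setting."""
import socket
import ssl

MAX_PORTS_PER_RESOURCE = 5  # limit stated on the page for a resource

# Constructed sample: one FQDN resource behind TLS, one IP resource reached by name.
RESOURCES = [
    {"kind": "fqdn", "name": "orders-db", "fqdn": "orders-db.internal.example",
     "ports": [5432], "tls": True},
    {"kind": "ip", "name": "legacy-cache", "ips": ["10.20.0.7"],
     "ports": [6379, 6380], "tls": False},
]


def build_targets(resources):
    """Expand resources into (connect_host, port, server_hostname) tuples.

    TLS resources connect by FQDN and verify the certificate against it; IP
    resources are only addressable by their `name`, so TLS cannot be verified
    there and the script refuses the combination instead of disabling checks."""
    targets = []
    for res in resources:
        ports = res["ports"]
        if not ports or len(ports) > MAX_PORTS_PER_RESOURCE:
            raise ValueError(f"{res['name']}: declare 1 to {MAX_PORTS_PER_RESOURCE} ports")
        if res["kind"] == "fqdn":
            host = res["fqdn"]  # the plain `name` would also work without TLS
            sni = res["fqdn"] if res.get("tls") else None
        elif res["kind"] == "ip":
            if res.get("tls"):
                raise ValueError(f"{res['name']}: TLS requires an FQDN resource")
            host, sni = res["name"], None
        else:
            raise ValueError(f"{res['name']}: unknown kind {res['kind']!r}")
        targets.extend((host, port, sni) for port in ports)
    return targets


def probe(host, port, server_hostname=None, timeout=3.0):
    """True if TCP connects and, when server_hostname is set, a verified TLS
    handshake completes; False on refusal, timeout or certificate failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if server_hostname is None:
                return True
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(sock, server_hostname=server_hostname):
                return True
    except (OSError, ssl.SSLError):  # SSLError is an OSError subclass; listed for clarity
        return False


if __name__ == "__main__":
    for host, port, sni in build_targets(RESOURCES):
        state = "ok" if probe(host, port, sni) else "FAIL"
        print(f"{host}:{port} tls={'yes' if sni else 'no'} -> {state}")
```

A `FAIL` on a TLS target while the plain TCP target on the same port succeeds usually means the certificate does not match the FQDN you entered, which is the same reason the `name` alias cannot be used for TLS resources.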

## Native Networking

Refer to the [Native Networking Setup](/guides/native-networking/native-networking-setup) guide for details.

## Create using the CLI

Refer to the [identity create](/cli-reference/commands/identity#identity-create) command for details and examples.
