Cloud Accounts

Overview

A cloud account is a mapping between your org and a cloud provider. When creating a cloud account, instructions are provided on how to create a bridge account at the cloud provider with minimum access permissions. This bridge account is used by Control Plane to query and manage the necessary resources at the cloud provider on behalf of your org.

Cloud accounts are scoped to an org and are used in conjunction with identities to set up cloud access rules.

Your workload can then be associated with an identity and will then have the ability to call any of the allowed cloud provider resources transparently without any additional set up.

For example, if your application uses AWS S3 for storage and Azure Cosmos DB for its database, your workload will be able to access both no matter which location the workload is deployed to. The workload calls each resource as if it had a direct connection and the identity will route the request seamlessly to the proper location.

Create a Cloud Account

Refer to the Create a Cloud Account guide for additional details.

AWS Details

  • Cloud Account Creation

    • When registering a cloud account targeting AWS, your AWS administratior will manually create a new AWS role (named cpln-ORG_NAME) with the following policies:
      • Create a new policy named cpln-connector which has the necessary access to create and manage roles.
      • ReadOnlyAccess which "provides read-only access to AWS services and resources".
    • A "trust relationship" is associated with this role that allows the Control Plane AWS account to assume this role.
  • Identity Creation

    • When an identity is created targeting AWS, Control Plane will create a new role in AWS that will have the minimum permissions that are required to access the targeted services. When a workload that is assigned with an identity requests credentials to access AWS services, Control Plane will obtain a temporary access token that impersonates the role and inject it into the workload granting it access.
  • Removing an AWS Cloud Account

    • If you no longer require Control Plane to create identities targeting AWS:
      • Delete all cloud access rules targeting AWS from existing workload identities. This will delete any associated roles.
      • Delete the cloud account.
      • Your AWS administrator will need to remove the cpln-connector policy and the cpln-ORG_NAME role.

Azure Details

When registering a cloud account targeting Azure, you can choose from the following methods:

TIP

During the creation of an Azure cloud account, the Azure CLI generates credentials that are used by Control Plane when connecting to Azure to provision apps or user identities that will be used by workload identities. These credentials are uploaded and stored securely as an Azure-SDK secret or Azure-Connector secret and can be viewed by clicking Secrets from the left menu in the console after creating an Azure cloud account.

Azure SDK

  • Cloud Account Creation
    • When registering a cloud account targeting Azure using the Azure SDK, an Azure Service Principal is created by your Azure administrator using the Azure CLI. The output of the Azure CLI command are credentials that are uploaded, stored securely, and assigned to the cloud account.
    • The name of this service principal is the name of your org prefixed with cpln- (i.e., cpln-ORG_NAME).
    • The only Azure API permission required by this principal is Application.ReadWrite.OwnedBy (which belongs to the Microsoft Graph API).
    • By granting this permission, the cloud account will be able to create/manage App registrations and query available Azure scopes and roles during the creation of an identity.
INFO

The permissions Application.ReadWrite.OwnedBy "allows the app to create other applications, and fully manage those applications (read, update, update application secrets and delete), without a signed-in user. It cannot update any apps that it is not an owner of".

For every identity created, Control Plane creates an App registration for which it generates short-lived credentials and injects them into your workload using the native cloud providers identity interface. No matter which cloud your workload is running, Control Plane ensures that the identity information is conveyed correctly to the consumed services. Control Plane mints tokens for the identity bound to the workloads.

  • Identity Creation

    • When creating an identity, cloud access rules targeting Azure can be defined which specify the minimum access needed by the identity. When the identity is saved in the console, the Azure cloud account will leverage the service principal to create a new App registration with the configured access.
    • Any workload can be configured to use this identity and will have access to the defined resources.
  • Expired / Compromised Credentials

    • If the service principal credentials that were assigned to the cloud account expires or have been compromised, perform the following:

      • From the Azure portal:
        • Click Azure Active Directory and click App registrations in the left menu.
        • Click All applications and then click the app registration named cpln-ORG_NAME.
        • Click Certificates & secrets and then click New client secret and follow the wizard.
        • Copy the value of the new secret to the clipboard.
        • Delete the old secret.
      • From the Control Plane console:
        • Click Secrets in the left menu and select the azure-sdk secret that belongs to the cloud account (it will be named CLOUD_ACCONT_NAME-access).
        • Click the Edit Data button and then click the eye icon.
        • Update the clientSecret property with the value of the new secret by pasting it from the clipboard.
    • Until a valid secret value has been updated, Control Plane will not be able to manage workload identities.

  • Removing an Azure Cloud Account

    • If you no longer require Control Plane to create identities targeting Azure:

      • Delete all cloud access rules targeting Azure from existing workload identities. This will delete any associated app registrations.
      • Delete the cloud account.
      • Delete the azure secret that was mapped to the cloud account (named: CLOUD_ACCOUNT-access).
      • Your Azure administrator will need to delete the Service Principal from Azure by running the following Azure CLI command:
      copy
      az ad sp delete --id http://cpln-ORG_NAME

Azure Connector

  • Cloud Account Creation

    • When registering a cloud account targeting Azure using the console, your organization's Azure administrator will use the Azure CLI to perform the following:
      • Create an Azure Function App using an existing resource group and storage account.
      • Download the Control Plane Azure connector code.
      • Deploy the code to the function app.
      • Obtain the URL of the deployed function.
      • Obtain the code/key of the deployed function.
    • After the registration is completed, a secret of type azure-connector will be created. This secret can be reused to create another cloud account (using the same Function App) or if an existing cloud account was inadvertently deleted.
  • Functionality

    • The Function App that is deployed has a function called iam-broker. This function is called by Control Plane to obtain and inject the access token on behalf of the calling workload.
    • The Function App is set as an Owner of the subscription. This role assignment is needed to create the managed identities.
  • Identity Creation

    • When an identity is created targeting Azure resources, a managed identity is assigned to the function so that the function can act on its behalf. This identity will only have the minimum permissions that are required to access the targeted services. When an identity is assigned to a workload that requests access to an Azure resource, Control Plane will obtain a temporary access token that impersonates the roles and inject it into the workload granting it access.
  • Pricing

    • The App Function runs as a managed service and is subject to charges against your Azure subscription.
    • Please visit the Azure Function Pricing page to view the current pricing.
  • Compromised Code

    • If the Function App code has been compromised, perform the following:

      • From the Azure portal:
        • In the search bar, enter Function App and click the first result.
        • Click the app to update and click Functions.
        • Click iam-broker and then click Function Keys.
        • For the default Function Key, click Renew key value. A confirmation modal will be displayed, click Renew.
        • After the new key has been generated, click the link Hidden value. Click to show value.
        • Copy the value of the new code to the clipboard.
      • From the Control Plane console:
        • Click Secrets in the left menu and select the azure-connector secret that belongs to the cloud account (it will be named CLOUD_ACCONT_NAME-access).
        • Click the Edit Data button and then click the eye icon.
        • Update the Code property with the value of the new code by pasting it from the clipboard.
    • Until a valid code has been updated, Control Plane will not be able to manage workload identities.

  • Removing an Azure Cloud Account

    • If you no longer require Control Plane to create identities targeting Azure:

      • Delete all cloud access rules targeting Azure from existing workload identities. This will delete any user assigned identities.
      • Delete the cloud account.
      • Delete the azure connector secret that was mapped to the cloud account (named: CLOUD_ACCOUNT-access) if it is not being used by another Cloud Account.
      • Your Azure administrator will need to delete the Function App from the Azure portal or by running the following Azure CLI command:
      copy
      az functionapp delete --name FUNCTION_APP_NAME --resource-group AZURE_RESOURCE_GROUP

GCP Details

  • Cloud Account Creation

    • When registering a cloud account targeting GCP, your GCP administrator will add the Control Plane GCP service account as a member of your GCP account with the following roles:
      • Viewer
      • Service Account Admin
      • Service Account Token Creator
    • The Control Plane GCP service account is in the format: cpln-ORG_NAME@ENV.iam.gserviceaccount.com.
  • Identity Creation

    • When an identity is created targeting GCP, Control Plane will create a new Service Account in your GCP account that will have the minimum permissions that are required to access the targeted services.
    • When a workload that is assigned with an identity requests credentials to access GCP services, Control Plane will obtain a temporary access token that impersonates the service account and inject it into the workload granting it access.
    • If the identity created connects with a particular GCP service, the Control Plane GCP service account will need to be granted the Admin role for that service.
      • For example, if the identity will be using Cloud Store, the cpln-ORG_NAME@ENV.iam.gserviceaccount.com service account needs to have the Storage Admin role granted to it. By adding this role, Control Plane will be able to grant temporary access token to the workload when reading/writing to a storage bucket.
      • Control Plane will not be able to assign roles similar to Compute Network User because the Compute Admin was not assigned to the cpln-ORG_NAME@ENV.iam.gserviceaccount.com service account.
TIP

If your workload identities will be using a lot of GCP services, instead of granting the Admin role for each service, it will be easier to grant the cpln-ORG_NAME@ENV.iam.gserviceaccount.com service account the Owner role.

  • Removing a GCP Cloud Account
    • If you no longer require Control Plane to create identities targeting GCP:
      • Delete all cloud access rules targeting GCP from existing workload identities. This will delete any associated service account.
      • Delete the cloud account.
      • Remove the Control Plane user from your GCP account.

Permissions

The permissions below are used to define policies together with one or more of the four principal types:

PermissionDescriptionImplies
browseBrowse account contentsview
createCreate new cloud accounts
deleteDelete existing cloud accounts
editModify existing cloud accountsview, browse
manageFull accessbrowse, create, delete, edit, manage, view
viewRead-only access

Access Report

Displays the permissions granted to principals for the cloud account.

CLI

To view the CLI documentation for cloud accounts, click here

Copyright © 2021 Control Plane Corporation. All rights reserved. Revision 30221ec6
Contents