`cpln-ORG_NAME`) with the following policies:

- `cpln-connector`, which has the necessary access to create and manage roles.
- `ReadOnlyAccess`, which "provides read-only access to AWS services and resources".

`cpln-connector` policy and the `cpln-ORG_NAME` role.

`Secrets` from the left menu in the console after creating an Azure cloud account.

`cpln-` (i.e., `cpln-ORG_NAME`).

`Application.ReadWrite.OwnedBy` (which belongs to the Microsoft Graph API). `Application.ReadWrite.OwnedBy` "allows the app to create other applications, and fully manage those applications (read, update, update application secrets and delete), without a signed-in user. It cannot update any apps that it is not an owner of".

For every identity created, Control Plane creates an App registration for which it generates short-lived credentials and injects them into your workload using the native cloud provider's identity interface. No matter which cloud your workload is running in, Control Plane ensures that the identity information is conveyed correctly to the consumed services. Control Plane mints tokens for the identity bound to the workloads.

1. Navigate to `Azure Active Directory` and click `App registrations` in the left menu.
2. Click `All applications` and then click the app registration named `cpln-ORG_NAME`.
3. Click `Certificates & secrets`, then click `New client secret` and follow the wizard.
4. Click `Secrets` in the left menu and select the `azure-sdk` secret that belongs to the cloud account (it will be named `CLOUD_ACCOUNT_NAME-access`).
5. Click the `Edit Data` button and then click the eye icon.
6. Update the `clientSecret` property with the value of the new secret by pasting it from the clipboard.

Create an `Azure Function App` using an existing resource group and storage account.

The function is named `iam-broker`. This function is called by Control Plane to obtain and inject the access token on behalf of the calling workload.

`Owner` of the subscription. This role assignment is needed to create the managed identities.

1. Search for `Function App` and click the first result.
2. Click `Functions`.
3. Click `iam-broker` and then click `Function Keys`.
4. For the `default` Function Key, click `Renew key value`. A confirmation modal will be displayed; click `Renew`.
5. Click `Hidden value. Click to show value`.
6. Click `Secrets` in the left menu and select the `azure-connector` secret that belongs to the cloud account (it will be named `CLOUD_ACCOUNT_NAME-access`).
7. Click the `Edit Data` button and then click the eye icon.
8. Update the `Code` property with the value of the new code by pasting it from the clipboard.

- `Viewer`
- `Service Account Admin`
- `Service Account Token Creator`

`cpln-ORG_NAME@ENV.iam.gserviceaccount.com`.

`Service Account` in your GCP account that will have the minimum permissions required to access the targeted services.

`Admin` role for that service.

The `cpln-ORG_NAME@ENV.iam.gserviceaccount.com` service account needs to have the `Storage Admin` role granted to it. By adding this role, Control Plane will be able to grant a temporary access token to the workload when reading from or writing to a storage bucket.

`Compute Network User` because the `Compute Admin` role was not assigned to the `cpln-ORG_NAME@ENV.iam.gserviceaccount.com` service account.

Instead of granting the `Admin` role for each service, it will be easier to grant the `cpln-ORG_NAME@ENV.iam.gserviceaccount.com` service account the `Owner` role.

Permission | Description | Implies |
---|---|---|
browse | Browse account contents | view |
create | Create new cloud accounts | |
delete | Delete existing cloud accounts | |
edit | Modify existing cloud accounts | view, browse |
manage | Full access | browse, create, delete, edit, manage, view |
view | Read-only access | |
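The `Implies` column above is transitive (`edit` implies `browse`, which in turn implies `view`). The following added example, my own code and not part of the Control Plane documentation, resolves the effective permissions of a grant from that table and picks the explicit grant that covers a requirement with the fewest extra permissions, which is the check to make before reaching for `manage`.

```python
from itertools import combinations

# Implication table for cloud-account permissions, copied from the table above.
IMPLIES = {
    "browse": {"view"},
    "create": set(),
    "delete": set(),
    "edit": {"view", "browse"},
    "manage": {"browse", "create", "delete", "edit", "manage", "view"},
    "view": set(),
}


def effective_permissions(granted):
    """Return every permission implied, directly or transitively, by `granted`."""
    unknown = set(granted) - IMPLIES.keys()
    if unknown:
        raise ValueError(f"unknown permission(s): {sorted(unknown)}")
    result = set()
    stack = list(granted)
    while stack:  # depth-first walk over the implication graph
        perm = stack.pop()
        if perm in result:
            continue
        result.add(perm)
        stack.extend(IMPLIES[perm] - result)
    return result


def allows(granted, required):
    """True if the explicit grant `granted` covers the single permission `required`."""
    return required in effective_permissions(granted)


def least_privilege(required):
    """Explicit grant whose closure covers `required` while implying the fewest
    permissions overall (ties broken by fewer explicit grants). The table has
    six permissions, so brute force over all 2**6 subsets is cheap."""
    required = set(required)
    if not required:
        return set()
    perms = sorted(IMPLIES)
    best = None
    for n in range(1, len(perms) + 1):
        for grant in combinations(perms, n):
            closure = effective_permissions(grant)
            if required <= closure:
                key = (len(closure), len(grant))
                if best is None or key < best[0]:
                    best = (key, set(grant))
    return best[1]
```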