A cloud account is a mapping between your org and a cloud provider. When creating a cloud account, instructions are provided on how to create a bridge account at the cloud provider with minimum access permissions. This bridge account is used by Control Plane to query and manage the necessary resources at the cloud provider on behalf of your org.
Cloud accounts are scoped to an org and are used in conjunction with identities to set up cloud access rules.
Your workload can then be associated with an identity and will have the ability to call any of the allowed cloud provider resources transparently, without any additional setup.
For example, if your application uses AWS S3 for storage and Azure Cosmos DB for its database, your workload will be able to access both no matter which location the workload is deployed to. The workload calls each resource as if it had a direct connection and the identity will route the request seamlessly to the proper location.
Refer to the Create a Cloud Account guide for additional details.
Cloud Account Creation

The bridge account at AWS is a role (named cpln-ORG_NAME) with the following policies:

- cpln-connector, which has the necessary access to create and manage roles.
- ReadOnlyAccess, which "provides read-only access to AWS services and resources".

Identity Creation
Removing an AWS Cloud Account

Delete the cpln-connector policy and the cpln-ORG_NAME role.
When registering a cloud account targeting Azure, you can choose from the following methods:

- Azure SDK: a service principal (app registration) whose credentials are stored as an azure-sdk secret.
- Azure Connector: an Azure Function App whose function key is stored as an azure-connector secret.
During the creation of an Azure cloud account, the Azure CLI generates credentials that are used by Control Plane when connecting to Azure to provision apps or user identities that will be used by workload identities. These credentials are uploaded and stored securely as an Azure-SDK secret or Azure-Connector secret and can be viewed by clicking Secrets from the left menu in the console after creating an Azure cloud account.
The app registration created for the cloud account is named with the prefix cpln- (i.e., cpln-ORG_NAME). It is granted the Application.ReadWrite.OwnedBy permission (which belongs to the Microsoft Graph API). The permission Application.ReadWrite.OwnedBy "allows the app to create other applications, and fully manage those applications (read, update, update application secrets and delete), without a signed-in user. It cannot update any apps that it is not an owner of".
For every identity created, Control Plane creates an App registration, generates short-lived credentials for it, and injects them into your workload using the cloud provider's native identity interface. No matter which cloud your workload is running on, Control Plane ensures that the identity information is conveyed correctly to the consumed services. Control Plane mints tokens for the identity bound to the workload.
Identity Creation
Expired / Compromised Credentials
If the service principal credentials that were assigned to the cloud account have expired or have been compromised, perform the following:

1. In the Azure portal, navigate to Azure Active Directory and click App registrations in the left menu.
2. Click All applications and then click the app registration named cpln-ORG_NAME.
3. Click Certificates & secrets, then click New client secret and follow the wizard.
4. Copy the value of the new secret to the clipboard.
5. In the Control Plane console, click Secrets in the left menu and select the azure-sdk secret that belongs to the cloud account (it will be named CLOUD_ACCOUNT_NAME-access).
6. Click the Edit Data button and then click the eye icon.
7. Update the clientSecret property with the value of the new secret by pasting it from the clipboard.

Until a valid secret value has been updated, Control Plane will not be able to manage workload identities.
Removing an Azure Cloud Account
If you no longer require Control Plane to create identities targeting Azure:
```bash
az ad sp delete --id http://cpln-ORG_NAME
```
Cloud Account Creation

With the Azure Connector method, an Azure Function App is created using an existing resource group and storage account.

Functionality

The Function App exposes a function named iam-broker. This function is called by Control Plane to obtain and inject the access token on behalf of the calling workload. The Function App is assigned the Owner role of the subscription. This role assignment is needed to create the managed identities.

Identity Creation
Pricing
Compromised Code
If the Function App code has been compromised, perform the following:

1. In the Azure portal, search for Function App and click the first result.
2. Click Functions.
3. Click iam-broker and then click Function Keys.
4. For the default Function Key, click Renew key value. A confirmation modal will be displayed; click Renew.
5. Click Hidden value. Click to show value and copy the new code to the clipboard.
6. In the Control Plane console, click Secrets in the left menu and select the azure-connector secret that belongs to the cloud account (it will be named CLOUD_ACCOUNT_NAME-access).
7. Click the Edit Data button and then click the eye icon.
8. Update the Code property with the value of the new code by pasting it from the clipboard.

Until a valid code has been updated, Control Plane will not be able to manage workload identities.
Removing an Azure Cloud Account
If you no longer require Control Plane to create identities targeting Azure:
```bash
az functionapp delete --name FUNCTION_APP_NAME --resource-group AZURE_RESOURCE_GROUP
```
Cloud Account Creation

The following roles are granted to the cpln-ORG_NAME@ENV.iam.gserviceaccount.com service account:

- Viewer
- Service Account Admin
- Service Account Token Creator

Identity Creation

An identity is associated with a Service Account in your GCP account that will have the minimum permissions that are required to access the targeted services. For Control Plane to grant a workload identity access to a service, the cpln-ORG_NAME@ENV.iam.gserviceaccount.com service account must hold the Admin role for that service.

For example, to let a workload identity use Cloud Storage, the cpln-ORG_NAME@ENV.iam.gserviceaccount.com service account needs to have the Storage Admin role granted to it. By adding this role, Control Plane will be able to grant a temporary access token to the workload when reading/writing to a storage bucket. Conversely, a workload identity cannot be granted Compute Network User if the Compute Admin role was not assigned to the cpln-ORG_NAME@ENV.iam.gserviceaccount.com service account.

If your workload identities will be using a lot of GCP services, instead of granting the Admin role for each service, it will be easier to grant the cpln-ORG_NAME@ENV.iam.gserviceaccount.com service account the Owner role.
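The prerequisite rule above (the Control Plane service account needs the Admin role of a service, or Owner, before an identity can be granted a role for that service) as an added, runnable check. This is example code, not part of Control Plane; the service-to-Admin-role mapping and the IAM bindings are constructed, and ORG_NAME / ENV are placeholders.

```python
"""Check which Admin roles the Control Plane service account must hold before a
workload identity can be granted a given GCP role (added example, not cpln code)."""

CPLN_SA = "serviceAccount:cpln-ORG_NAME@ENV.iam.gserviceaccount.com"  # placeholder names


def admin_role_for(role: str) -> str:
    """Assumption: the Admin role for a service is roles/<service>.admin, e.g.
    Compute Network User (roles/compute.networkUser) needs Compute Admin."""
    name = role[len("roles/"):] if role.startswith("roles/") else role
    return f"roles/{name.split('.')[0]}.admin"


# Constructed sample bindings mirroring the docs' example: Storage Admin was
# granted to the cpln service account, Compute Admin was not.
SAMPLE_BINDINGS = [
    {"role": "roles/viewer", "members": [CPLN_SA]},
    {"role": "roles/iam.serviceAccountAdmin", "members": [CPLN_SA]},
    {"role": "roles/iam.serviceAccountTokenCreator", "members": [CPLN_SA]},
    {"role": "roles/storage.admin", "members": [CPLN_SA]},
]


def cpln_roles(bindings) -> set:
    """Roles bound to the cpln service account in the customer's IAM policy."""
    return {b["role"] for b in bindings if CPLN_SA in b["members"]}


def can_grant(requested_role: str, bindings) -> tuple:
    """Return (ok, reason): can Control Plane grant requested_role to an identity?"""
    held = cpln_roles(bindings)
    if "roles/owner" in held:
        return True, "roles/owner covers every service"
    needed = admin_role_for(requested_role)
    if needed in held:
        return True, f"{needed} is granted"
    return False, f"{needed} is not granted to {CPLN_SA}"


def missing_admin_roles(requested_roles, bindings) -> list:
    """Admin roles still to be granted so every requested identity role works."""
    held = cpln_roles(bindings)
    if "roles/owner" in held:
        return []
    return sorted({admin_role_for(r) for r in requested_roles} - held)


if __name__ == "__main__":
    print(can_grant("roles/compute.networkUser", SAMPLE_BINDINGS))
```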
The permissions below are used to define policies together with one or more of the four principal types:
Permission | Description | Implies |
---|---|---|
browse | Browse account contents | view |
create | Create new cloud accounts | |
delete | Delete existing cloud accounts | |
edit | Modify existing cloud accounts | view, browse |
manage | Full access | browse, create, delete, edit, manage, view |
view | Read-only access | |
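The Implies column is transitive (edit implies browse, which implies view), so the effective permissions of a policy binding are a closure over the table. The following added example (not Control Plane code) computes that closure, answers an access check, and reduces a required set to the smallest grants; the bindings it evaluates are constructed.

```python
"""Effective cloud-account permissions from the Implies table (added example)."""

# Direct implications copied from the table; manage lists itself, the closure copes.
IMPLIES = {
    "browse": {"view"},
    "create": set(),
    "delete": set(),
    "edit": {"view", "browse"},
    "manage": {"browse", "create", "delete", "edit", "manage", "view"},
    "view": set(),
}


def effective_permissions(granted) -> set:
    """Transitive closure of the granted permissions, e.g. edit -> browse -> view."""
    result, todo = set(), list(granted)
    while todo:
        perm = todo.pop()
        if perm in result:
            continue
        if perm not in IMPLIES:
            raise ValueError(f"unknown cloud account permission: {perm}")
        result.add(perm)
        todo.extend(IMPLIES[perm])
    return result


def is_allowed(granted, required: str) -> bool:
    """Does a binding with these granted permissions satisfy the required one?"""
    return required in effective_permissions(granted)


def least_privilege(required) -> set:
    """Smallest set of grants whose closure still covers every required permission."""
    keep = set()
    # Widest permissions first so narrower ones are absorbed when already implied.
    for perm in sorted(set(required), key=lambda p: len(effective_permissions({p})), reverse=True):
        if perm not in effective_permissions(keep):
            keep.add(perm)
    return keep


if __name__ == "__main__":
    print(sorted(effective_permissions({"edit"})))      # browse, edit, view
    print(is_allowed({"browse"}, "edit"))               # False
```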
Displays the permissions granted to principals for the cloud account.
To view the CLI documentation for cloud accounts, refer to the CLI reference.