Follow the steps below to create an identity within your GVC (an identity requires a GVC):

1. Click Identities in the left menu and click New, or open the Create dropdown in the upper right corner and select Identity.
2. Enter a name for the identity and click Next (Cloud Access).
3. Optionally configure cloud access rules for AWS, Azure, and GCP (see the cloud access instructions below). Click Next (Network Resources).
4. Optionally click Add Network Resource and follow the wizard to configure a network resource. The wizard requires at least one agent to exist. Each identity can have multiple network resources defined. Depending on the use case of this identity, creating a network resource is optional. See Network Resource for additional details. Click Next (Tags).
5. Click Create.
The cloud access portion of an identity defines cloud resource access rules across one account in each of AWS, GCP, and Azure. In other words, you can create an identity that allows access to several resources in a particular AWS account and a particular Azure account, but not in two separate Azure accounts.

When defining the policy for a particular cloud provider, Control Plane creates and manages (using the registered cloud account) the following object at each cloud provider, which acts as a "synthetic identity":

- AWS: an IAM role
- Azure: an App registration
- GCP: a Service Account

Assign the cloud access policy only the minimum set of permissions the workload needs to call the target cloud resources (least privilege).

When workloads call a cloud resource, they do so by impersonating the "synthetic identity", which has only the permissions that were assigned to it. Any permission granted beyond what the workload needs is reachable by anything that can run code in, or compromise, that workload, so review the assigned policies and roles as carefully as the workload's own code.

Configuring cloud access rules for multiple cloud providers on one identity lets the workload call cloud resources at any of those providers seamlessly and transparently, regardless of where the workload is running.

Below are instructions on how to set up cloud access rules using the console for:

- AWS
- Azure
- GCP
To set up an AWS cloud access policy using the console, click on the AWS icon and the wizard modal will appear.

1. Select one of the registered AWS cloud accounts.
2. Select one of the following methods and click Next:
   - Use an existing role: select the role from the list, or click the Edit Manually button and enter a role name. Click Confirm Manual Input when done. Click Done.
   - Create a new role: select the policies to attach from the list, or click the Set Policies Manually button, manually enter the policy name, and click Add. Multiple policies can be added manually. Click Set Policies From List to return to the existing policies list. Click Done.

After setting up the AWS cloud access rule, a summary of the selections will be shown. Verify that the policies selected are correct and, at the bottom of the page, click Save. If a new AWS role was selected, Control Plane will provision a new role in AWS that will be named the same as the Object Name shown in the Info page of the identity. If an existing role was selected, it keeps every policy already attached to it in AWS; review those attachments in IAM, because the summary here reflects only what was selected in the wizard.
To set up an Azure cloud access policy using the console, click on the Azure icon and the wizard modal will appear.

1. Select one of the registered Azure cloud accounts and click Next.
2. Click Select Scope to show the scope selection wizard. Choose the service, region, type, and scope. Click Confirm.
3. Click Select Roles to show the list of available roles for the selected scope. Select one or more roles. Click Confirm.
4. To add another role assignment, click Add Assignment at the top of the modal and repeat steps 2 and 3. Click Done when finished.

After setting up the Azure cloud access policy, a summary of the selections will be shown. Verify that the roles selected are correct and, at the bottom of the page, click Save. Control Plane will provision a new App registration in Azure that will be named the same as the Object Name shown in the Info page of the identity. Keep each assignment's scope as narrow as the workload allows (a single resource or resource group rather than the whole subscription).
To set up a GCP cloud access policy using the console, click on the GCP icon and the wizard modal will appear.

1. Select one of the registered GCP cloud accounts.
2. Select one of the following methods and click Next:
   - Use an existing service account: select the service account from the list, or click the Edit Manually button and enter a service account name. Click Confirm Manual Input when done. Click Done.
   - Create a new service account: click Select Resource to show the resource selection wizard. Choose the service, region, type, and resource. Click Confirm. Then click Select Roles to show the list of available roles for the selected resource. Select one or more roles. Click Confirm. To add another binding, click Add Binding at the top of the modal and repeat the resource and role selection. Click Done when finished.

After setting up the GCP cloud access policy, a summary of the selections will be shown. Verify that the roles selected are correct and, at the bottom of the page, click Save. If a new service account was selected, Control Plane will provision the new Service Account in GCP that will be named the same as the Object Name shown in the Info page of the identity.
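The three wizards above all end with a summary you are asked to verify by eye. The following is an added example (not Control Plane's own tooling) of a pre-apply least-privilege lint over an identity's cloud access rules: it flags broad AWS managed policies, subscription-wide Azure scopes and broad Azure roles, and project-wide GCP bindings and broad GCP roles, and checks that each provider block names exactly one registered account. The spec layout it reads (`aws.policyRefs`, `aws.roleName`, `azure.roleAssignments[].scope`/`roles`, `gcp.bindings[].resource`/`roles`, one `cloudAccountLink` per provider) and the sample spec are assumptions made for illustration; align the key names with the identity spec your CLI emits before relying on it.

```python
"""Pre-apply least-privilege lint for an identity's cloud access rules.

Added example, not Control Plane's own tooling. The spec key names used here
are an assumption for illustration: aws.policyRefs, aws.roleName,
azure.roleAssignments[].scope/roles, gcp.bindings[].resource/roles, and one
cloudAccountLink per provider block.
"""
import re

# Managed policies and roles broad enough to defeat the point of a
# per-workload synthetic identity. Extend these to match your own standards.
AWS_BROAD = re.compile(r"(AdministratorAccess|PowerUserAccess|FullAccess)$")
AZURE_BROAD = {"Owner", "Contributor", "User Access Administrator"}
GCP_BROAD = {"roles/owner", "roles/editor", "roles/iam.securityAdmin",
             "roles/resourcemanager.projectIamAdmin"}

# Scopes that cover a whole subscription or project rather than a resource.
AZURE_SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[^/]+/?$")
GCP_PROJECT_RESOURCE = re.compile(r"^//cloudresourcemanager\.googleapis\.com/projects/[^/]+$")


def lint_aws(aws: dict) -> list:
    findings = []
    for ref in aws.get("policyRefs", []):
        if AWS_BROAD.search(ref):
            findings.append(f"aws: policy {ref} is broad; attach a customer-managed policy "
                            "scoped to the resources the workload uses")
    if aws.get("roleName"):  # existing-role path: its attachments are invisible here
        findings.append(f"aws: existing role {aws['roleName']} selected; its already-attached "
                        "policies are not shown in the summary, check them in IAM")
    return findings


def lint_azure(azure: dict) -> list:
    findings = []
    for assignment in azure.get("roleAssignments", []):
        scope = assignment.get("scope", "")
        if AZURE_SUBSCRIPTION_SCOPE.match(scope):
            findings.append(f"azure: scope {scope} is subscription-wide; narrow it to a "
                            "resource group or resource")
        for role in assignment.get("roles", []):
            if role in AZURE_BROAD:
                findings.append(f"azure: role {role} on {scope} is broad; prefer a "
                                "service-specific or data-plane role")
    return findings


def lint_gcp(gcp: dict) -> list:
    findings = []
    for binding in gcp.get("bindings", []):
        resource = binding.get("resource", "")
        if GCP_PROJECT_RESOURCE.match(resource):
            findings.append(f"gcp: binding on {resource} is project-wide; bind to the "
                            "bucket, topic, or instance instead")
        for role in binding.get("roles", []):
            if role in GCP_BROAD:
                findings.append(f"gcp: role {role} on {resource} is broad; prefer a "
                                "predefined role for the one service used")
    return findings


LINTERS = {"aws": lint_aws, "azure": lint_azure, "gcp": lint_gcp}


def lint_identity(spec: dict) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for provider, lint in LINTERS.items():
        section = spec.get(provider)
        if not section:
            continue
        # The page allows exactly one registered account per provider.
        if not section.get("cloudAccountLink"):
            findings.append(f"{provider}: cloudAccountLink is missing; rules bind to one "
                            "registered account per provider")
        findings.extend(lint(section))
    return findings


# Constructed sample spec for demonstration only (no real account or deployment).
SAMPLE_SPEC = {
    "kind": "identity", "name": "orders-api", "gvc": "prod",
    "aws": {"cloudAccountLink": "//cloudaccount/prod-aws",
            "policyRefs": ["aws::AmazonS3FullAccess",
                           "arn:aws:iam::123456789012:policy/orders-bucket-rw"]},
    "azure": {"cloudAccountLink": "//cloudaccount/prod-azure",
              "roleAssignments": [{"scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
                                   "roles": ["Contributor"]}]},
    "gcp": {"cloudAccountLink": "//cloudaccount/prod-gcp",
            "bindings": [{"resource": "//storage.googleapis.com/projects/_/buckets/orders",
                          "roles": ["roles/storage.objectViewer"]}]},
}

if __name__ == "__main__":
    for finding in lint_identity(SAMPLE_SPEC) or ["no findings"]:
        print(finding)
```

Run it against the identity spec before applying it; the sample above produces three findings (the `FullAccess` policy, the subscription-wide scope, and the `Contributor` role) and passes the bucket-scoped GCP binding. The lint can only see what is in the spec, so pair the existing-role and existing-service-account paths with a check of the attachments in the provider itself.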
The network resource portion of an identity defines network traversal rules from workloads into specific endpoints in private networks (e.g., a VPC).
Tunneling network traffic from workloads to specific TCP hosts and ports is facilitated using agents deployed within the private network. This capability is referred to as “wormholes”.
To set up a new network resource, click the Network Resources link and click Add Network Resource.

1. Select a registered agent matching the environment you'd like to access.
2. Enter a unique name for this resource.
   Note: This name will be the hostname your workload will use when calling this resource.
3. Choose one of the following resource discovery methods:
   - Fully Qualified Domain Name (FQDN): enter the FQDN of the internal resource.
     Note: When selecting FQDN, the internal resource can be called by the workload using either the FQDN or the name entered in step 2. If the internal resource is configured with TLS, the FQDN must be used, because the certificate the resource presents is issued for the FQDN and will not validate against the resource name.
   - IP: enter the IP address of the internal resource.
     Note: When selecting IP, the internal resource is called by the workload using the name entered in step 2.
4. Enter the port(s) the workload needs to reach. A maximum of 5 ports can be added. Add only the ports the workload actually uses; each one is a path from the workload into the private network.
5. To add another network resource, click the Add Network Resource button again and repeat the steps above. Click Save.

Refer to the identity create command for details and examples on how to create an identity using the CLI.
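The network resource steps above carry three constraints a workload author has to get right: the resource name becomes a hostname, at most 5 ports are allowed, and a TLS backend must be reached by its FQDN. The following is an added example (not Control Plane's own code) that validates a network resource definition against those constraints and then derives the address and TLS verification name a workload should dial through the wormhole. The resource layout (`name`, `agentLink`, `fqdn` or `ips`, `ports`) and the `tls` flag marking a backend that terminates TLS are assumptions for illustration, as are the sample resources.

```python
"""Validate an identity's network resources and derive the wormhole endpoint.

Added example, not Control Plane's own code. The resource layout (name,
agentLink, fqdn or ips, ports) and the `tls` flag marking a backend that
terminates TLS are assumptions for illustration.
"""
import re
import socket
import ssl
from typing import Optional, Tuple

MAX_PORTS = 5  # limit stated by the console wizard
# The resource name is used as a hostname, so it must be a valid DNS label.
DNS_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def validate_network_resource(res: dict) -> list:
    """Return a list of problems; an empty list means the definition is acceptable."""
    problems = []
    name = res.get("name", "")
    if not DNS_LABEL.match(name):
        problems.append(f"name {name!r} must be a lowercase DNS label: it becomes the "
                        "hostname workloads dial")
    if not res.get("agentLink"):
        problems.append("agentLink is required: traffic is tunneled through a registered agent")
    has_fqdn, has_ips = bool(res.get("fqdn")), bool(res.get("ips"))
    if has_fqdn == has_ips:
        problems.append("choose exactly one discovery method: fqdn or ips")
    ports = res.get("ports", [])
    if not ports:
        problems.append("at least one port is required")
    elif len(ports) > MAX_PORTS:
        problems.append(f"{len(ports)} ports listed; the wizard allows at most {MAX_PORTS}")
    if any(not (isinstance(p, int) and 1 <= p <= 65535) for p in ports):
        problems.append("ports must be integers in 1..65535")
    if res.get("tls") and not has_fqdn:
        problems.append("a TLS backend must use FQDN discovery: its certificate is issued "
                        "for the FQDN, not for the resource name")
    return problems


def dial_target(res: dict, port: int) -> Tuple[str, int, Optional[str]]:
    """Return (host, port, server_hostname) the workload should connect with.

    Call validate_network_resource() first. With IP discovery only the resource
    name resolves inside the workload. With FQDN discovery either name works for
    plain TCP, but a TLS backend must be dialed by FQDN so that the name the
    certificate is verified against matches the name it was issued for.
    """
    if port not in res.get("ports", []):
        raise ValueError(f"port {port} is not exposed by resource {res.get('name')!r}")
    if res.get("tls"):
        return res["fqdn"], port, res["fqdn"]
    return res["name"], port, None


def connect(res: dict, port: int, timeout: float = 5.0) -> socket.socket:
    """Open the connection, wrapping it in verified TLS when the backend needs it."""
    host, port, server_hostname = dial_target(res, port)
    sock = socket.create_connection((host, port), timeout=timeout)
    if server_hostname is None:
        return sock
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    return ctx.wrap_socket(sock, server_hostname=server_hostname)


# Constructed sample resources for demonstration only.
ORDERS_DB = {"name": "orders-db", "agentLink": "//agent/prod-vpc-agent",
             "fqdn": "orders-db.internal.example.com", "ports": [5432], "tls": True}
CACHE = {"name": "cache", "agentLink": "//agent/prod-vpc-agent",
         "ips": ["10.0.2.9"], "ports": [6379]}
BROKEN = {"name": "Orders_DB", "fqdn": "orders-db.internal.example.com",
          "ips": ["10.0.1.5"], "ports": [1, 2, 3, 4, 5, 6]}

if __name__ == "__main__":
    for res in (ORDERS_DB, CACHE, BROKEN):
        problems = validate_network_resource(res)
        print(res["name"], "->", problems or dial_target(res, res["ports"][0]))
```

`connect()` is the only function that touches the network; everything else runs offline. The sample `BROKEN` resource shows the four failures a reviewer should expect to catch before Save: a name that is not a hostname, no agent, both discovery methods set, and more than 5 ports.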