User Access to Managed Cloud Accounts

You can allow workspace members to access cloud accounts managed by Wayfinder so they can use tools such as the AWS CLI or Terraform, and the cloud provider's native console, for example, the AWS web console.

For information on Wayfinder managed cloud accounts, see Organization accounts.

Cloud provider support

Wayfinder currently supports the following access to Wayfinder managed cloud accounts.

    Cloud    CLI & API access     Portal/console access
    AWS      Supported            Supported
    Azure    Not yet supported    Not yet supported
    GCP      Not yet supported    Not yet supported

Set up a cloud account user role

This procedure makes a user role available in cloud accounts managed by Wayfinder for some or all of your workspaces. For more information, see wf setup access cloudaccount.

Example: Set up a user role to access AWS cloud accounts

To enable workspace members to access managed AWS accounts, you can choose one or more Amazon-managed policies or create your own custom policy, and use wf setup access cloudaccount to create a Wayfinder user role for some or all workspaces. This command creates a StackSet in your AWS organization to deploy a user role into the relevant workspace AWS accounts, and provides Wayfinder with the information it needs to roll the role out to the existing and new accounts it manages.

To set up a user role for AWS cloud accounts:

  1. Get the name of the AWS organization you want to add the role to:

    $ wayfinder get cloudaccounts --type organization
    NAME          PROVIDER   STATUS    IDENTIFIER     AGE
    awsorg-myorg  aws        Success   123456789012   19d
  2. Ensure you are logged in to your AWS organization's management account. For example, you can use one of the following commands to create a profile:

    $ aws configure --profile mgmtacct
    $ aws configure sso --profile mgmtacct
  3. Make sure the right AWS profile is selected:

    $ export AWS_PROFILE=mgmtacct
  4. Run the following to set up a new user role to access the cloud account:

    wf setup access cloudaccount

    • Specify one or more Amazon-managed policies with the --aws-policy flag. You can also use a custom policy for the role (see below).

    • Use --all-workspaces to make the role available to every workspace, or --workspaces workspace1,workspace2 to select specific workspaces.

    • The --role-name you choose is the name workspace members select when accessing their cloud accounts.

    Example:

    $ wf setup access cloudaccount awsorg-myorg \
    --role-name ReadOnly \
    --aws-policy ReadOnlyAccess \
    --workspaces workspace1,workspace2

Use a custom policy for the role

You can use a custom policy instead of the Amazon-managed policies for the new user role. To use a custom policy, prepare a policy definition in a file, as in the following example.

To use a custom policy instead of an Amazon-managed policy:

  1. Create a policy.json file containing the following as an example:

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": [
          "iam:Get*",
          "iam:List*"
        ],
        "Resource": "*"
      }
    }
  2. With the above file, run the following:

    $ wf setup access cloudaccount awsorg-myorg \
    --role-name IAMGetAndList \
    --file policy.json \
    --all-workspaces

    The --role-name you choose is what workspace members select when accessing their cloud accounts.
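Because the role created from a custom policy is deployed into every selected workspace account, it is worth checking the policy for grants wider than the role needs before passing it to --file. The linter below is an added example, not part of Wayfinder or its CLI; it assumes only the IAM policy document format shown above and flags Allow statements that pair a wildcard action with Resource "*".

```python
import json

# Constructed sample: the policy from the procedure above, which grants only
# read-style IAM actions and so should produce no findings.
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": ["iam:Get*", "iam:List*"],
    "Resource": "*"
  }
}
"""


def _as_list(value):
    """IAM allows a single string or object where a list is expected; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(document: str) -> list:
    """Return a list of findings (strings) for an IAM policy document.

    Findings: a missing or outdated Version (without "2012-10-17", policy
    variables such as ${aws:username} are treated as literal text), Allow
    statements using NotAction/NotResource, and Allow statements that pair a
    wildcard action ("*" or "service:*") with Resource "*".
    """
    policy = json.loads(document)
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("missing or old Version; use 2012-10-17")
    # Statement may be a single object or a list of objects.
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {idx}: NotAction/NotResource grants are hard to reason about")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wildcard_actions and "*" in resources:
            findings.append(f"statement {idx}: {wildcard_actions} on all resources")
    return findings


if __name__ == "__main__":
    # Run against the file you intend to pass to --file, e.g. policy.json
    for finding in lint_policy(SAMPLE_POLICY) or ["no findings"]:
        print(finding)
```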

Change the workspaces that have access to the role

To change which workspaces have access to the cloud account user role, re-run wf setup access cloudaccount with --all-workspaces or an updated --workspaces a,b,c list, as needed.

Creating an access policy to set workspace permissions

Once you've set up access to a cloud account for one or more workspaces (as shown above), a workspace administrator must create an access policy in the workspace that defines the constraints on how the cloud account role you created may be used. If the user role is available to more than one workspace, an access policy must be created in each of those workspaces.

How workspace members get access to cloud accounts

After you've set up a cloud account user role, and completed any other procedures needed (above), workspace members can get access to the cloud account using either wf access cloudaccount or the Wayfinder UI. For workspace member instructions, see Accessing a Cloud Account.

Remove a user role

To remove a user role, use wf setup access cloudaccount with the --remove flag. This disables the role in all Wayfinder-managed accounts.