Skip to main content

wf create cloudaccessconfig

wf create cloudaccessconfig

Allows Wayfinder to access a cloud account, subscription or project


Creates a cloud access config for a workspace so it can be used by Wayfinder to provision infrastructure. You can create one cloud access config per stage, per cloud provider in each workspace.

To see what corresponding IAM permissions are required before creating a CloudAccessConfig, run 'wf describe iam'

You can also create 'admin' cloud access configs for Wayfinder-wide functionality such as global DNS zone management.

For non-admin cloud access configs, the default feature is 'Provisioning', allowing Wayfinder to provision workspace infrastructure such as networks, clusters and DNS zones.

For admin cloud access configs, you must specify the type.

To see supported cloud access types, run 'wf create cloudaccessconfig --list-types'.

wf create cloudaccessconfig [flags]


# Add a config to the current workspace named azure-nonprod, being prompted for all the values:
$ wf create cloudaccessconfig azure-nonprod

# Add a global/admin config, being prompted for all other values:
$ wf create cloudaccessconfig admin-dns --admin --type DNSzoneManagement

# Alternatively, use flags to set the values needed as follows.

# Add a non-prod GCP project for the 'wsp' workspace:
$ wf create cloudaccessconfig gcp-nonprod -w wsp -c gcp -s nonprod -gcp-project-id project-id

# Add a prod AWS account for the 'proj' workspace:
$ wf create cloudaccessconfig aws-prod -w proj -c aws -s prod -aws-account-id 123456654321 --aws-default-region eu-west-2

# Add a nonprod AWS account for the 'proj' workspace with all roles specified:
$ wf create cloudaccessconfig aws-nonprod -w proj -c aws -s nonprod -aws-account-id 123456789012 \
--aws-default-region eu-west-2 --type Provisioning \
--role-name ClusterManager=arn:aws:iam::123456789012:role/wf-ClusterManager \
--role-name NetworkManager=arn:aws:iam::123456789012:role/wf-NetworkManager \
--role-name DNSZoneManager=arn:aws:iam::123456789012:role/wf-DNSZoneManager

# Add a non-prod Azure account for the 'wsp' workspace:
$ wf create cloudaccessconfig azure-nonprod -w wsp -c azure --stage nonprod \
--azure-subscription-id abcd1234-a1b2-c3d4-e5f6-abcd1234ef90 \
--azure-tenant-id zyx1234q-a1b2-c3d4-e5f6-abcd1234ef90

# Add an Azure subscription for DNS - you must include --name instead of --stage when
# adding an admin account as it is possible to add multiple admin accounts for a single cloud:
$ wf create cloudaccessconfig azure-dns --admin -c azure --type DNSZoneManagement \
--azure-subscription-id abcd1234-a1b2-c3d4-e5f6-abcd1234ef90 \
--azure-tenant-id zyx1234q-a1b2-c3d4-e5f6-abcd1234ef90


      --admin                          configure a cloud access for Wayfinder-wide administrative purposes rather than a specific workspace
--aws-account-id string AWS Account ID
--aws-default-region string the default region for this account when a specific region is not provided for an operation
--azure-subscription-id string Azure Subscription ID
--azure-tenant-id string Azure Tenant ID
-c, --cloud string the cloud this access is for: gcp, aws, azure
--cloud-identity string the cloud identity to use to authenticate to this cloud - defaults to cloudidentity-CLOUD
-d, --description string longer description of this access which workspaces will see if they have multiple allocated access
--dry-run shows the resource but does not apply or create (defaults: false)
--gcp-project-id string GCP Project ID
-h, --help help for cloudaccessconfig
--list-types lists available types that can used for a cloud access config
--role-name strings provider role names to be used for cloud access in the format role-name=provider-role-name. Can be specified multiple times to enable multiple roles.
-s, --stage string stage this access can be used for - required unless this is an 'admin' cloud access config
--type string how this cloud access will be used - defaults to 'Provisioning' for normal accounts, can be either 'DNSZoneManagement' and 'CostEstimates' for admin accounts.

Options inherited from parent commands

      --debug              Debug / trace logging (default: false)
--force Force operation to happen (default: false)
--no-wait Do not wait for resources to provision
-o, --output string Output format of the resource (json,yaml,table,template) (default "table")
--profile string Use a profile other than your current - to change current: wf use profile NAME
--show-headers Display headers on table out (default true)
--verbose Verbose logging (default: false)
-w, --workspace string Workspace to use