Version: 2.3

wf create cloudaccessconfig

Allows Wayfinder to access a cloud account, subscription or project


Creates a cloud access config for a workspace so it can be used by Wayfinder to provision infrastructure. You can create one cloud access config per stage, per cloud provider in each workspace.

You can also create 'admin' cloud access configs for Wayfinder-wide functionality such as global DNS zone management.

For non-admin cloud access configs, the default feature is 'Provisioning', allowing Wayfinder to provision workspace infrastructure such as networks, clusters and DNS zones.

For admin cloud access configs, the default features are 'DNS zone management' and 'Cost estimates', allowing Wayfinder to manage global DNS zones and download pricing information for cost estimation.

To see additional features, run 'wf create cloudaccessconfig --list-features'. If you wish to enable different features, use the --feature flag.

To see the required IAM, run 'wf setup cloudaccessconfig --display'. This outputs the required IAM to your terminal, which you can then apply to your cloud provider.

This command can configure IAM for the specified cloud access config directly. To do this, ensure you are logged in to the relevant cloud account / subscription / project in your terminal and run this command with '--setup'.

wf create cloudaccessconfig [flags]


# Add an account to the current workspace, being prompted for all the values:
$ wf create cloudaccessconfig

# Add a global/admin account, being prompted for all other values:
$ wf create cloudaccessconfig --admin --name aws-admin

# Alternatively, use flags to set the values needed as follows.

# Add a non-prod GCP project for the 'wsp' workspace:
$ wf create cloudaccessconfig -w wsp -c gcp -s nonprod -i project-id --default-region europe-west2

# Add a prod AWS account for the 'proj' workspace:
$ wf create cloudaccessconfig -w proj -c aws -s prod -i 123456654321 --default-region eu-west-2

# Add a non-prod Azure account for the 'wsp' workspace:
$ wf create cloudaccessconfig -w wsp -c azure --stage nonprod -i abcd1234-a1b2-c3d4-e5f6-abcd1234ef90 \
--org-id zyx1234q-a1b2-c3d4-e5f6-abcd1234ef90 --default-region uksouth

# Add an Azure subscription for administrative purposes - you must include --name instead of --stage when
# adding an admin account as it is possible to add multiple admin accounts for a single cloud:
$ wf create cloudaccessconfig --admin --name azure-dns -c azure -i abcd1234-a1b2-c3d4-e5f6-abcd1234ef90 \
--default-region uksouth --org-id zyx1234q-a1b2-c3d4-e5f6-abcd1234ef90 \
--feature DNSZoneManagement --feature CostsAudit
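
A review-first way to use the flags above, as an added example that is not part of the Wayfinder documentation: the hypothetical helper `plan_cac` checks the inputs against the rules on this page (cloud is gcp, aws or azure; a stage for workspace configs, `--name` for admin configs) and prints the commands to run in order, ending with `--setup`, without ever invoking `wf` itself. It assumes `--list-roles` can be combined with `-c` and `--feature`, and `--dry-run` with `-o yaml`; flags such as `--default-region`, `--org-id` and `-w` are left for you to append.

```shell
#!/bin/sh
# Added example, not part of the Wayfinder docs. plan_cac only prints commands;
# it never runs wf, so the IAM change can be reviewed before '--setup' is used.
# usage: plan_cac MODE CLOUD STAGE_OR_NAME IDENTIFIER [FEATURE...]
#   MODE 'workspace' takes a stage (-s); MODE 'admin' takes a name (--name).
plan_cac() {
    if [ "$#" -lt 4 ]; then
        echo "usage: plan_cac MODE CLOUD STAGE_OR_NAME IDENTIFIER [FEATURE...]" >&2
        return 1
    fi
    # The output is meant to be pasted into a shell: refuse empty values,
    # values that look like flags, and anything outside a conservative set.
    for v in "$@"; do
        case $v in
            ""|-*|*[!A-Za-z0-9._-]*) echo "rejected value: '$v'" >&2; return 1 ;;
        esac
    done
    mode=$1 cloud=$2 label=$3 id=$4
    shift 4

    case $cloud in
        gcp|aws|azure) ;;
        *) echo "cloud must be gcp, aws or azure" >&2; return 1 ;;
    esac
    # AWS account IDs are exactly 12 digits; catch typos before IAM is touched.
    if [ "$cloud" = aws ] && ! printf '%s' "$id" | grep -Eq '^[0-9]{12}$'; then
        echo "AWS account ID must be 12 digits" >&2
        return 1
    fi
    case $mode in
        workspace) scope="-s $label" ;;             # stage is required
        admin)     scope="--admin --name $label" ;; # admin uses --name instead
        *) echo "mode must be workspace or admin" >&2; return 1 ;;
    esac

    features=""
    for f in "$@"; do features="$features --feature $f"; done

    base="wf create cloudaccessconfig $scope -c $cloud -i $id$features"
    echo "wf create cloudaccessconfig -c $cloud$features --list-roles"  # 1. roles to be granted
    echo "$base --dry-run -o yaml"                                      # 2. resource, not applied
    echo "$base --setup"                                                # 3. create and set up IAM
}

# Constructed sample input, reusing the values from the examples above.
plan_cac workspace aws prod 123456654321
```

Run the printed commands one at a time and only proceed to the `--setup` line once the listed roles and the dry-run output match what you intend to grant.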


      --admin                   cloud access for Wayfinder-wide administrative purposes, such as global DNS zone management
  -c, --cloud string            the cloud this access is for: gcp, aws, azure
      --default-region string   the default region for this account when a specific region is not provided for an operation
  -d, --description string      longer description of this access which workspaces will see if they have multiple allocated access
      --dry-run                 shows the resource but does not apply or create (defaults: false)
      --feature strings         ways in which this cloud access will be used - defaults to 'Provisioning' for normal accounts, 'DNSZoneManagement' and 'CostEstimates' for admin accounts. Can be specified multiple times to enable multiple features.
  -h, --help                    help for cloudaccessconfig
  -i, --identifier string       the cloud provider's identifier for access, i.e. AWS Account ID, GCP Project, Azure Subscription ID
      --list-features           lists available features that can be enabled for a linked cloud access
      --list-roles              lists roles required for a given cloud provider and feature (or default features)
      --name string             name for the cloud access config in Wayfinder
      --org-id string           the cloud provider's identifier for the organization, i.e. Azure Tenant ID (required for certain features on Azure to function correctly)
      --role-name strings       provider role names to be used for cloud access in the format role-name=provider-role-name. Can be specified multiple times to enable multiple roles.
      --setup                   creates the cloud access config in Wayfinder and sets up the IAM in the cloud
  -s, --stage string            stage this access can be used for - required unless this is an 'admin' cloud access config

Options inherited from parent commands

      --debug              Indicates we should use debug / trace logging (default: false)
      --force              Used to force an operation to happen (default: false)
      --no-wait            Indicates we should not wait for resources to provision
  -o, --output string      Output format of the resource (json,yaml,table,template) (default "table")
      --profile string     Use a profile other than your default for this command
      --show-headers       Indicates we should display headers on table out (default true)
      --verbose            Enables verbose logging for debugging purposes (default: false)
  -w, --workspace string   The workspace you are operating within