
wf create cloudidentity

Create a cloud identity in Wayfinder that configures how Wayfinder authenticates to that cloud.

Synopsis

Ensures a cloud identity exists in a cloud provider that Wayfinder can use to access one or more cloud providers with least privilege.

This is only needed to provide Wayfinder with access to clouds.

wf create cloudidentity [flags]

Examples


# Add a cloud identity and be prompted for all the values:
$ wf create cloudidentity

# Create a cloudidentity for when Wayfinder is installed on EKS in AWS
# This will represent the EKS IRSA and AWS role identity.
$ wf create cloudidentity aws-cloudidentity -c aws --implicit-identity

# Create a cloudidentity for when Wayfinder is installed on AKS on Azure
# This will represent the AKS workload identity and Azure managed identity:
$ wf create cloudidentity azure-cloudidentity -c azure --implicit-identity

# Create a cloudidentity for when Wayfinder is installed on GKE on GCP
# This will represent the GKE workload identity and GCP service account:
$ wf create cloudidentity gcp-cloudidentity -c gcp --implicit-identity

# The following cloudidentity commands are not recommended unless you need to use a
# different cloud from the one where Wayfinder is installed and you cannot use identity
# federation. They rely on a long-lived static credential that you must store and rotate
# yourself; prefer the implicit (workload) identity forms above wherever possible.

# Create a cloudidentity for an AWS user identity:
$ wf create cloudidentity aws-prod-user -c aws --aws-access-key-id 1234556675 --secret-file /path/to/secret-access-key

# Create a cloudidentity with a static GCP service account key:
$ wf create cloudidentity -c gcp --secret-file /path/to/service-account-key.json

# Create a cloudidentity with a static Azure Application Service Principal identity, reading the client secret from stdin:
$ cat /path/to/client-secret | wf create cloudidentity azure-cloudidentity -c azure --secret-file -

# See what would be created for an Azure Workload Identity with a specific managed identity's client ID (without creating it):
$ wf create cloudidentity azure-cloudidentity -c azure --azure-client-id 12345678-abcd-458d-aa01-0123abcd1234 --dry-run
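The static-credential forms above hand a long-lived secret to wf from a file or stdin, so it is worth checking that file before wf reads it. The following is an added example and not part of the Wayfinder documentation or CLI: a small POSIX shell wrapper that refuses a secret file readable by group or others, checks that a file passed as a GCP key actually is a service-account key, runs the --dry-run form so the resource can be reviewed, and only then creates the identity. The secret is streamed on stdin with `--secret-file -`, so its contents never appear in the process argument list or shell history. The WF environment variable is an assumption of this example (it lets you substitute the binary for testing), not a Wayfinder convention; the flags used are the ones listed on this page.

```shell
#!/bin/sh
# Added example, not Wayfinder's own code. Pre-flight checks for a static secret
# before it is passed to `wf create cloudidentity --secret-file -`.
# Assumptions: `wf` is on PATH (override with $WF, e.g. WF=echo for a dry test).

# check_secret_file FILE CLOUD
# Fails if FILE is missing, readable by group/others, or (for gcp) is not a
# service-account key. A static credential must never be world-readable.
check_secret_file() {
  f=$1; cloud=$2
  [ -f "$f" ] || { echo "secret file not found: $f" >&2; return 1; }
  # GNU stat first, BSD stat as fallback
  perm=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  # The last two octal digits must be 0: no group or other access at all.
  case "$perm" in
    *00) ;;
    *) echo "secret file $f is mode $perm; expected 600 or stricter" >&2; return 1 ;;
  esac
  if [ "$cloud" = "gcp" ]; then
    grep -q '"type" *: *"service_account"' "$f" || {
      echo "$f does not look like a GCP service account key" >&2; return 1; }
  fi
  return 0
}

# create_static_identity NAME CLOUD SECRET_FILE [extra wf flags...]
# Runs the checks, then `--dry-run`, then the real create. Extra flags (for
# example --aws-access-key-id) are passed through; the secret itself is only
# ever read from stdin.
create_static_identity() {
  name=$1; cloud=$2; secret=$3; shift 3
  check_secret_file "$secret" "$cloud" || return 1
  wf=${WF:-wf}
  "$wf" create cloudidentity "$name" -c "$cloud" "$@" --secret-file - --dry-run < "$secret" || return 1
  "$wf" create cloudidentity "$name" -c "$cloud" "$@" --secret-file - < "$secret"
}

# Usage (the secret file must be mode 600 or stricter):
#   create_static_identity aws-prod-user aws /path/to/secret-access-key --aws-access-key-id 1234556675
#   create_static_identity gcp-cloudidentity gcp /path/to/service-account-key.json
```

The mode check is deliberately strict rather than a warning: a credential that another local account can read is already compromised for practical purposes, and the cheapest time to notice is before it is copied into Wayfinder.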

Options

      --aws-access-key-id string              The ID of an AWS user access key
      --azure-client-id string                Client ID of an Azure Application principal or a specific Managed Identity
      --azure-tenant-id string                Tenant ID of an Azure Tenant
  -c, --cloud string                          Cloud to create/ensure the identity for: gcp, aws, azure
      --dry-run                               Show the resource but do not apply or create it (default: false)
      --for-workload-identity                 Create a cloudidentity for Wayfinder's workload identity (i.e. AWS IRSA, Azure or GCP Workload Identity)
      --gcp-service-account-key-file string   A file with the GCP service account key (use - to read from stdin)
  -h, --help                                  Help for cloudidentity
      --secret-file string                    A file with one of: AWS secret access key, Azure client secret, GCP service account key (use - to read from stdin)

Options inherited from parent commands

      --debug                 Indicates we should use debug / trace logging (default: false)
      --force                 Used to force an operation to happen (default: false)
      --no-wait               Indicates we should not wait for resources to provision
  -o, --output string         Output format of the resource (json,yaml,table,template) (default "table")
      --profile string        Use a profile other than your default for this command
      --show-headers          Indicates we should display headers on table output (default: true)
      --verbose               Enables verbose logging for debugging purposes (default: false)
  -w, --workspace string      The workspace you are operating within

SEE ALSO