wf setup cloudidentity
create/ensure an identity to access: gcp, aws, azure
Synopsis
Ensures a cloud identity exists in a cloud provider for Wayfinder to use for accessing one or more cloud providers with least privilege.
You must be logged in to the relevant cloud in order for these commands to work:
- AWS: Ensure you have a profile configured and selected before running these commands. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html
- Azure: Ensure you have the Azure CLI installed and can log in before running these commands. https://docs.microsoft.com/en-us/cli/azure/install-azure-cli
- GCP: Ensure you have the gcloud CLI installed and can log in before running these commands. https://cloud.google.com/sdk/docs/install
This is only needed to provide Wayfinder with access to additional clouds (e.g. to access GCP when Wayfinder is running in an AWS cluster). When Wayfinder is installed (using wf install), a cloud identity will have already been provisioned to access that cloud.
wf setup cloudidentity [flags]
Examples
# Add a cloud identity and be prompted for all the values:
$ wf setup cloudidentity
# Create / update an AWS user identity for Wayfinder to use:
$ wf setup cloudidentity -c aws
# Create / update an Azure user identity for Wayfinder to use:
$ wf setup cloudidentity -c azure --azure-subscription-id 123456678-ABCA-ABCA-ABCA-123456789101
# Create / update a GCP user identity for Wayfinder to use:
$ wf setup cloudidentity -c gcp --gcp-project-id curly-rhino
# Remove the cloud identity resources and decommission the identity from Wayfinder:
$ wf setup cloudidentity -c aws --remove
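A pre-flight check for the login requirement in the Synopsis, as an added example that is not part of the Wayfinder documentation or the wf CLI: it prints the principal or subscription the cloud CLI is currently using, so you can confirm the IAM resources will be created where you intend. The function name `preflight` is hypothetical; the `aws`, `az` and `gcloud` subcommands are those CLIs' own.

```shell
#!/bin/sh
# Added example (not Wayfinder code): confirm which cloud login is active
# before running `wf setup cloudidentity -c <cloud>`.
# Usage: sh preflight.sh aws|azure|gcp

preflight() {
  cloud="$1"
  case "$cloud" in
    aws)
      cli=aws
      # ARN of the caller for the currently selected AWS profile
      set -- aws sts get-caller-identity --query Arn --output text ;;
    azure)
      cli=az
      # ID of the subscription the Azure CLI is currently set to
      set -- az account show --query id --output tsv ;;
    gcp)
      cli=gcloud
      # Account that gcloud is currently authenticated as
      set -- gcloud auth list --filter=status:ACTIVE "--format=value(account)" ;;
    *)
      echo "unknown cloud: $cloud (expected gcp, aws or azure)" >&2
      return 2 ;;
  esac

  if ! command -v "$cli" >/dev/null 2>&1; then
    echo "$cli CLI not found on PATH" >&2
    return 1
  fi

  # A failing command or empty output both mean there is no usable login.
  if ! who="$("$@" 2>/dev/null)" || [ -z "$who" ]; then
    echo "not logged in to $cloud" >&2
    return 1
  fi

  echo "$cloud: $who"
}

# Run the check only when a cloud name is passed on the command line.
if [ "$#" -gt 0 ]; then
  preflight "$1"
fi
```

Compare the printed value with the account, subscription or project you expect before passing `-c`, `--azure-subscription-id` or `--gcp-project-id` to `wf setup cloudidentity`.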
Options
--azure-subscription-id string ID of Azure subscription in which to create a role to permit Wayfinder's access to your tenant
-c, --cloud string cloud to create/ensure identity for: gcp, aws, azure
--gcp-project-id string ID of GCP project in which to create a service account to permit Wayfinder's access to your GCP organization
-h, --help help for cloudidentity
--remove removes all IAM resources created and removes the associated Wayfinder cloudcredential
Options inherited from parent commands
--debug Indicates we should use debug / trace logging (default: false)
--force Used to force an operation to happen (default: false)
--no-wait Indicates we should not wait for resources to provision
-o, --output string Output format of the resource (json,yaml,table,template) (default "table")
--profile string Use a profile other than your default for this command
--show-headers Indicates we should display headers on table out (default true)
--verbose Enables verbose logging for debugging purposes (default: false)
-w, --workspace string The workspace you are operating within
SEE ALSO
- wf setup - Initialises dependencies required to run wayfinder