Accessing a Cloud Account
The Wayfinder administrator can allow workspace members to access cloud accounts managed by Wayfinder. This lets workspace members use tools such as the AWS CLI or Terraform, and the cloud provider's native console, for example, the AWS web console.
Prerequisites
In order for a workspace member to get access to a cloud account, the following must be completed first.
- The Wayfinder administrator has created a user role to give access to your workspace's cloud accounts.
- The workspace administrator has created an access policy for your workspace for that account (see below).
Workspace administrator: Create an access policy for your workspace
To permit your workspace to access its managed cloud accounts, the Wayfinder administrator must make the account and user role available to your workspace. Then, as a workspace administrator, you must create an access policy to constrain access to that account. A separate access policy must be created for each workspace that is allowed to access a cloud account.
You can give cloud account access to a:
- User
- Robot
- Workspace role
You will have the usual Wayfinder policy controls, such as IP restrictions, day of the week, etc.
To create an access policy for a cloud account:
Switch to the workspace you're creating the policy for. For example:
$ wf use workspace app-workspace-1
Get the name of the managed account you want to permit access to:
$ wf get cloudaccounts --type wfmanaged
NAME PROVIDER STATUS IDENTIFIER AGE
aws-wf-app-workspace-1-nonprod aws Success 123456789012 19d
aws-wf-app-workspace-1-prod aws Success 210987654321 19d
Create a policy to permit and constrain access, using the following command.
wf create policy access ACCOUNT ROLE
Where:
- ACCOUNT is the managed account you're permitting access to;
- ROLE is the user role the Wayfinder admin created for this account.
For example:
$ wf create policy access aws-wf-app-workspace-1-nonprod ReadOnly
Follow the prompts to select time windows, whether to allow this access permanently or temporarily, and who should have access.
Workspace member: Get access to a cloud account
To get access using the Wayfinder UI:
Click the Clusters page, and then click Access cluster:
To get access using the CLI:
Switch to the workspace you're using to access the account. For example:
$ wf use workspace app-workspace-1
Use any of the following examples to access the cloud account:
Open the cloud provider portal, and follow prompts to select which account and which role:
$ wf access cloudaccount --portal
Run a command to access a cloud account, and follow prompts to select which account and which role:
$ wf access cloudaccount -- aws ec2 describe-instances
Specify the cloud account and role all in one line, and source into your current terminal session:
$ source <(wf access cloudaccount aws-wf-app-workspace-1-nonprod --role ReadOnly --env)
$ aws ec2 describe-instances
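A check worth running after sourcing credentials, so that a command meant for nonprod never lands in prod. This is an added example, not part of the Wayfinder documentation. The function names are hypothetical, and it assumes that the IDENTIFIER column is the AWS account ID and that `--env` prints shell exports the AWS CLI reads, as the last example above implies.

```shell
# Constructed sample: the `wf get cloudaccounts --type wfmanaged` listing shown above.
SAMPLE_ACCOUNTS='NAME PROVIDER STATUS IDENTIFIER AGE
aws-wf-app-workspace-1-nonprod aws Success 123456789012 19d
aws-wf-app-workspace-1-prod aws Success 210987654321 19d'

# Read the account table on stdin and print the IDENTIFIER for account $1.
# Returns non-zero if the account is absent or its STATUS is not Success.
account_identifier() {
  awk -v name="$1" '
    NR > 1 && $1 == name && $3 == "Success" { print $4; ok = 1 }
    END { exit (ok ? 0 : 1) }'
}

# True only when both ids are non-empty and identical.
same_account() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Hypothetical wrapper: look up the expected account id, load credentials,
# then confirm which account the credentials actually resolve to.
verify_cloud_access() {
  local name="$1" role="$2" expected actual
  expected=$(wf get cloudaccounts --type wfmanaged | account_identifier "$name") || {
    echo "account $name not found or not in Success state" >&2
    return 1
  }
  # Same effect as the page's `source <(wf access cloudaccount ... --env)`.
  eval "$(wf access cloudaccount "$name" --role "$role" --env)"
  # AWS CLI call that reports the account behind the active credentials.
  actual=$(aws sts get-caller-identity --query Account --output text) || return 1
  if same_account "$expected" "$actual"; then
    echo "credentials resolve to $name ($actual)"
  else
    echo "expected account $expected, credentials resolve to $actual" >&2
    return 1
  fi
}
```

Run `verify_cloud_access aws-wf-app-workspace-1-nonprod ReadOnly` in place of the bare `source` line; a non-zero return means stale or mismatched credentials are still loaded in the session.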