Cloud accounts

Learners access Cloud accounts through the Instruqt hosts.

Accessing Google Cloud projects

To give a user access to the created Google Cloud project, add the Cloud Client container to your track.

The Cloud Client container exposes links to the GCP Cloud Consoles for the resources configured in config.yml, together with the credentials required to log in. It also includes the gcloud CLI, pre-configured with the required credentials.

To enable this, add the gcr.io/instruqt/cloud-client container to your config.yml, and add extra tabs to the challenges where you want to expose the consoles or CLI tools.

# config.yml
containers:
- name: cloud-client
  image: gcr.io/instruqt/cloud-client
  ports: [80]
  shell: /bin/bash
gcp_projects:
- name: gcpproject
  services: []

# track.yml
challenges:
- slug: my-challenge
  tabs:
  - type: service
    title: GCP Console
    hostname: cloud-client
    port: 80
    path: /
  - type: terminal
    title: Cloud CLI
    hostname: cloud-client

Environment variables

| Environment variable | Description |
| --- | --- |
| INSTRUQT_GCP_PROJECTS | A comma-separated list of project names that can be used to fill ${NAME} in the variables below |
| INSTRUQT_GCP_PROJECT_${NAME}_PROJECT_NAME | This injects the project display name |
| INSTRUQT_GCP_PROJECT_${NAME}_PROJECT_ID | This injects the project ID |
| INSTRUQT_GCP_PROJECT_${NAME}_USER_EMAIL | This injects the email address of the user that has access to the project |
| INSTRUQT_GCP_PROJECT_${NAME}_USER_PASSWORD | This injects the password of the user |
| INSTRUQT_GCP_PROJECT_${NAME}_SERVICE_ACCOUNT_EMAIL | This injects the email address of the service account for this project |
| INSTRUQT_GCP_PROJECT_${NAME}_SERVICE_ACCOUNT_KEY | This injects the Base64-encoded key for the service account |

Accessing AWS Accounts

To give a user access to the created AWS account, add the Cloud Client container to your track.

The Cloud Client container exposes links to the AWS Console for the resources configured in config.yml, together with the credentials required to log in. It also includes the aws CLI, pre-configured with the required credentials.

To enable this, add the gcr.io/instruqt/cloud-client container to your config.yml, and add extra tabs to the challenges where you want to expose the consoles or CLI tools.

# config.yml
containers:
- name: cloud-client
  image: gcr.io/instruqt/cloud-client
  ports: [80]
  shell: /bin/bash
aws_accounts:
- name: awsaccount

# track.yml
challenges:
- slug: my-challenge
  tabs:
  - type: service
    title: AWS Console
    hostname: cloud-client
    port: 80
    path: /
  - type: terminal
    title: Cloud CLI
    hostname: cloud-client

Using managed policies

Use the managed_policies field to further restrict what learners can do. The following managed policy limits EC2 instance types to a set of t2 and t3 sizes:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireLessThanXLInstanceType",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": [
            "t2.nano",
            "t2.micro",
            "t2.small",
            "t2.medium",
            "t2.large",
            "t3.nano",
            "t3.micro",
            "t3.small",
            "t3.medium",
            "t3.large"
          ]
        }
      }
    }
  ]
}

Environment variables

| Environment variable | Description |
| --- | --- |
| INSTRUQT_AWS_ACCOUNTS | A comma-separated list of account names that can be used to fill ${NAME} in the variables below |
| INSTRUQT_AWS_ACCOUNT_${NAME}_ACCOUNT_NAME | This injects the account display name |
| INSTRUQT_AWS_ACCOUNT_${NAME}_ACCOUNT_ID | This injects the account ID |
| INSTRUQT_AWS_ACCOUNT_${NAME}_ACCOUNT_USERNAME | This injects the username that can be used to sign in to the IAM user |
| INSTRUQT_AWS_ACCOUNT_${NAME}_ACCOUNT_PASSWORD | This injects the password that can be used to sign in to the IAM user |
| INSTRUQT_AWS_ACCOUNT_${NAME}_ACCOUNT_AWS_ACCESS_KEY_ID | This injects the access key ID for this account |
| INSTRUQT_AWS_ACCOUNT_${NAME}_ACCOUNT_AWS_SECRET_ACCESS_KEY | This injects the secret access key for this account |

Accessing the Azure subscription

To give a user access to the created Azure subscription, add the Cloud Client container to your track.

The Cloud Client container exposes links to the Azure Portal for the resources configured in config.yml, together with the credentials required to log in. It also includes the az CLI, pre-configured with the required credentials.

To enable this, add the gcr.io/instruqt/cloud-client container to your config.yml, and add extra tabs to the challenges where you want to expose the consoles or CLI tools.

# config.yml
containers:
- name: cloud-client
  image: gcr.io/instruqt/cloud-client
  ports: [80]
  shell: /bin/bash
azure_subscriptions:
- name: azuresubscription
  roles:
  - Contributor

# track.yml
challenges:
- slug: my-challenge
  tabs:
  - type: service
    title: Azure Portal
    hostname: cloud-client
    port: 80
    path: /
  - type: terminal
    title: Cloud CLI
    hostname: cloud-client

Environment variables

| Environment variable | Description |
| --- | --- |
| INSTRUQT_AZURE_SUBSCRIPTIONS | A comma-separated list of subscription names that can be used to fill ${NAME} in the variables below |
| INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_SUBSCRIPTION_NAME | The subscription display name |
| INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_SUBSCRIPTION_ID | The subscription ID |
| INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_USERNAME | The username that can be used to sign in to the Azure portal |
| INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_PASSWORD | The password that can be used to sign in to the Azure portal |
| INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_SPN_ID | The application ID for the service principal |
| INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_SPN_PASSWORD | The password for the service principal |
| INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_TENANT_ID | The tenant ID for this subscription |
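
The Google Cloud, AWS and Azure variable tables on this page share one naming scheme, so a track script can resolve them generically. The shell functions below are an added example, not Instruqt's own code: they list only non-secret identifiers and write the Base64 service account key to an owner-only file. The function names are hypothetical, and the example assumes ${NAME} is used exactly as it appears in the list variables.

```sh
#!/bin/sh
# Added example (not Instruqt's code): read the injected cloud variables
# by name without printing any password or key.

# instruqt_var KIND NAME FIELD: print the value of INSTRUQT_<KIND>_<NAME>_<FIELD>.
# NAME is validated so it can only ever form a plain variable name.
instruqt_var() {
    case "$2" in
        ''|*[!A-Za-z0-9_]*) echo "invalid name: $2" >&2; return 2 ;;
    esac
    printenv "INSTRUQT_${1}_${2}_${3}"
}

# instruqt_names LIST_VAR: split a comma-separated list variable, one name per line.
instruqt_names() {
    printenv "$1" | tr ',' '\n' | sed '/^$/d'
}

# cloud_summary: print the non-secret identifier of every configured account.
cloud_summary() {
    for n in $(instruqt_names INSTRUQT_GCP_PROJECTS); do
        echo "gcp $n $(instruqt_var GCP_PROJECT "$n" PROJECT_ID)"
    done
    for n in $(instruqt_names INSTRUQT_AWS_ACCOUNTS); do
        echo "aws $n $(instruqt_var AWS_ACCOUNT "$n" ACCOUNT_ID)"
    done
    for n in $(instruqt_names INSTRUQT_AZURE_SUBSCRIPTIONS); do
        echo "azure $n $(instruqt_var AZURE_SUBSCRIPTION "$n" SUBSCRIPTION_ID)"
    done
}

# gcp_write_key NAME DIR: decode the Base64 service account key into
# DIR/NAME.json, readable by the owner only, and print the path.
gcp_write_key() {
    key=$(instruqt_var GCP_PROJECT "$1" SERVICE_ACCOUNT_KEY) || return 1
    key_path="$2/$1.json"
    # Remove any stale file first so the new one is created under umask 077.
    ( umask 077; rm -f "$key_path"
      printf '%s' "$key" | base64 -d > "$key_path" ) || {
        rm -f "$key_path"; return 1
    }
    printf '%s\n' "$key_path"
}
```

In a track script, the path printed by `gcp_write_key gcpproject "$HOME"` can be passed to `gcloud auth activate-service-account --key-file`.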