Cloud accounts
Learners access Cloud accounts through the Instruqt hosts.

Accessing Google Cloud projects

To give a user access to the created Google Cloud project, add the Cloud Client container to your track.
The Cloud Client container exposes links to the GCP Cloud Consoles for the resources configured in config.yml, together with the credentials required to log in. It also includes the gcloud CLI, pre-configured with the required credentials.
To enable this, add the gcr.io/instruqt/cloud-client container to your config.yml, and add extra tabs to the challenges where you want to expose the consoles or CLI tools.

    # config.yml
    containers:
    - name: cloud-client
      image: gcr.io/instruqt/cloud-client
      ports: [80]
      shell: /bin/bash
    gcp_projects:
    - name: gcpproject
      services: []

    # track.yml
    challenges:
    - slug: my-challenge
      tabs:
      - type: service
        title: GCP Console
        hostname: cloud-client
        port: 80
        path: /
      - type: terminal
        title: Cloud CLI
        hostname: cloud-client

Environment variables

| Environment variable | Description |
| --- | --- |
| INSTRUQT_GCP_PROJECTS | A comma-separated list of project names that can be used to fill ${NAME} in the variables below |
| INSTRUQT_GCP_PROJECT_${NAME}_PROJECT_NAME | The project display name |
| INSTRUQT_GCP_PROJECT_${NAME}_PROJECT_ID | The project ID |
| INSTRUQT_GCP_PROJECT_${NAME}_USER_EMAIL | The email address of the user that has access to the project |
| INSTRUQT_GCP_PROJECT_${NAME}_USER_PASSWORD | The password of the user |
| INSTRUQT_GCP_PROJECT_${NAME}_SERVICE_ACCOUNT_EMAIL | The email address of the service account for this project |
| INSTRUQT_GCP_PROJECT_${NAME}_SERVICE_ACCOUNT_KEY | The Base64-encoded key for the service account |
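
The variables above can be read from the Cloud CLI terminal. The script below is an added example, not part of the Instruqt documentation: it walks INSTRUQT_GCP_PROJECTS, decodes each Base64 service-account key into a file only the owner can read, and validates each name before using it to build a variable name. The function names, the output directory and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: write Instruqt-injected GCP service-account keys to owner-only files.

# Print INSTRUQT_GCP_PROJECT_<NAME>_<FIELD>; NAME is validated before it reaches eval.
gcp_var() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;   # reject anything that is not a plain identifier
    esac
    eval "printf '%s' \"\${INSTRUQT_GCP_PROJECT_${1}_${2}-}\""
}

# Decode every project's key into <outdir>/<NAME>.json and print "<project id> <path>".
write_gcp_keys() {
    outdir=$1
    old_umask=$(umask)
    umask 077                             # directory 0700, key files 0600
    mkdir -p "$outdir"
    old_ifs=$IFS; IFS=,
    for name in ${INSTRUQT_GCP_PROJECTS-}; do
        IFS=$old_ifs
        key=$(gcp_var "$name" SERVICE_ACCOUNT_KEY) || { echo "skip: invalid name" >&2; continue; }
        [ -n "$key" ] || { echo "skip $name: no key injected" >&2; continue; }
        if printf '%s' "$key" | base64 -d > "$outdir/$name.json" 2>/dev/null; then
            echo "$(gcp_var "$name" PROJECT_ID) $outdir/$name.json"
        else
            rm -f "$outdir/$name.json"    # do not leave a truncated key behind
            echo "skip $name: key is not valid Base64" >&2
        fi
    done
    IFS=$old_ifs
    umask "$old_umask"
}

# Constructed sample values standing in for what Instruqt injects (not real credentials).
INSTRUQT_GCP_PROJECTS=gcpproject
INSTRUQT_GCP_PROJECT_gcpproject_PROJECT_ID=example-project-id
INSTRUQT_GCP_PROJECT_gcpproject_SERVICE_ACCOUNT_KEY=$(printf '%s' '{"type":"service_account"}' | base64)
write_gcp_keys "$(mktemp -d)"
```

On a real cloud-client host, drop the sample assignments so the injected values are used, and keep the key files out of any directory that a service tab serves.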

Accessing AWS Accounts

To give a user access to the created AWS account, add the Cloud Client container to your track.
The Cloud Client container exposes links to the AWS Console for the resources configured in config.yml, together with the credentials required to log in. It also includes the aws CLI, pre-configured with the required credentials.
To enable this, add the gcr.io/instruqt/cloud-client container to your config.yml, and add extra tabs to the challenges where you want to expose the consoles or CLI tools.

    # config.yml
    containers:
    - name: cloud-client
      image: gcr.io/instruqt/cloud-client
      ports: [80]
      shell: /bin/bash
    aws_accounts:
    - name: awsaccount

    # track.yml
    challenges:
    - slug: my-challenge
      tabs:
      - type: service
        title: AWS Console
        hostname: cloud-client
        port: 80
        path: /
      - type: terminal
        title: Cloud CLI
        hostname: cloud-client

Using managed policies

Use the managed_policies field to add more restrictions to what learners can do. The next example is a managed policy that limits the EC2 instance types to a handful of t2 and t3 sizes by denying ec2:RunInstances for any instance type that is not in the list:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "RequireLessThanXLInstanceType",
          "Effect": "Deny",
          "Action": "ec2:RunInstances",
          "Resource": "arn:aws:ec2:*:*:instance/*",
          "Condition": {
            "StringNotEquals": {
              "ec2:InstanceType": [
                "t2.nano",
                "t2.micro",
                "t2.small",
                "t2.medium",
                "t2.large",
                "t3.nano",
                "t3.micro",
                "t3.small",
                "t3.medium",
                "t3.large"
              ]
            }
          }
        }
      ]
    }

Environment variables

| Environment variable | Description |
| --- | --- |
| INSTRUQT_AWS_ACCOUNTS | A comma-separated list of account names that can be used to fill ${NAME} in the variables below |
| INSTRUQT_AWS_ACCOUNT_${NAME}_ACCOUNT_NAME | The account display name |
| INSTRUQT_AWS_ACCOUNT_${NAME}_ACCOUNT_ID | The account ID |
| INSTRUQT_AWS_ACCOUNT_${NAME}_ACCOUNT_USERNAME | The username that can be used to sign in as the IAM user |
| INSTRUQT_AWS_ACCOUNT_${NAME}_ACCOUNT_PASSWORD | The password that can be used to sign in as the IAM user |
| INSTRUQT_AWS_ACCOUNT_${NAME}_ACCOUNT_AWS_ACCESS_KEY_ID | The access key ID for this account |
| INSTRUQT_AWS_ACCOUNT_${NAME}_ACCOUNT_AWS_SECRET_ACCESS_KEY | The secret access key for this account |

Accessing the Azure subscription

To give a user access to the created Azure subscription, add the Cloud Client container to your track.
The Cloud Client container exposes links to the Azure Portal for the resources configured in config.yml, together with the credentials required to log in. It also includes the az CLI, pre-configured with the required credentials.
To enable this, add the gcr.io/instruqt/cloud-client container to your config.yml, and add extra tabs to the challenges where you want to expose the consoles or CLI tools.

    # config.yml
    containers:
    - name: cloud-client
      image: gcr.io/instruqt/cloud-client
      ports: [80]
      shell: /bin/bash
    azure_subscriptions:
    - name: azuresubscription
      roles:
      - Contributor

    # track.yml
    challenges:
    - slug: my-challenge
      tabs:
      - type: service
        title: Azure Portal
        hostname: cloud-client
        port: 80
        path: /
      - type: terminal
        title: Cloud CLI
        hostname: cloud-client

Environment variables

| Environment variable | Description |
| --- | --- |
| INSTRUQT_AZURE_SUBSCRIPTIONS | A comma-separated list of subscription names that can be used to fill ${NAME} in the variables below |
| INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_SUBSCRIPTION_NAME | The subscription display name |
| INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_SUBSCRIPTION_ID | The subscription ID |
| INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_USERNAME | The username that can be used to sign in to the Azure portal |
| INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_PASSWORD | The password that can be used to sign in to the Azure portal |
| INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_SPN_ID | The application ID for the service principal |
| INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_SPN_PASSWORD | The password for the service principal |
| INSTRUQT_AZURE_SUBSCRIPTION_${NAME}_TENANT_ID | The tenant ID for this subscription |