Cloud accounts
Last updated
Was this helpful?
Last updated
Was this helpful?
Besides Sandbox hosts it is also possible to add a cloud account to a sandbox environment. Cloud accounts are dedicated accounts on the major hyper scalers (AWS, Azure and GCP).
When adding such an account to a sandbox enviroment, Instruqt will provision a temporary account on the configured provider with matching credentials, for every sandbox instance that gets started. This means every learner will be able to get access to a dedicated, private account for the duration of the sandbox.
Once the learner is done with the sandbox, the Instruqt platform will automatically revoke all credentials and will cleanup up any resources that were provisioned in the cloud account.
Cloud Accounts can lead to unexpected costs and risks. Be sure to secure your cloud account properly and read the section on and the following security sections specific to cloud account security:
For most intents and purposes, regular sandbox hosts are enough to enable learners about your product. However, in certain cases, you might need more resources or infrastructure to show what your product can do. Examples are:
Your product builds on top of Hyper Scaler services
Your product integrates with or orchestrates workflows on Hyper Scaler APIs
Your have complex infrastructure needs, like extensive network setups, or multi-cloud scenarios
Cloud providers offer hundreds of services across dozens of regions. Most of these services and regions are usable from with an Instruqt cloud account. However, most likely your sandbox only requires a small subset of those services and regions.
Instruqt allows you to specify which services and regions are allowed to be used within a sandbox. We strongly recommend to only enable the ones that you really need. Allowing too many services and regions opens up the possibility of (accidentally) generating high costs.
When adding a cloud account to a sandbox, that account is initially empty. Using our Lifecycle scripts you can preprovision resources in those accounts, to prepare the account for usage by a learner. Typically the permissions you need to preprovision these resources, are more than the permissions a learner needs to consume the cloud account.
For this purpose, you can specify two sets of credentials:
Admin credentials These are only injected into lifecycle scripts, used for preprovisioning resources
User credentials These are exposed to learners, used to give users access to cloud accounts
For both types of credentials, we strongly recommend to configure the minimum required permissions. So instead of giving Full Admin permissions, consider using service specific permissions, or even Read Only access where possible.