# Cloud accounts

## What is a cloud account?

Besides [hosts](https://docs.instruqt.com/sandboxes/hosts "mention"), it is also possible to add a cloud account to a sandbox environment. Cloud accounts are dedicated accounts on the major hyperscalers (AWS, Azure and GCP).

When you add such an account to a sandbox environment, Instruqt provisions a temporary account with matching credentials on the configured provider for every sandbox instance that gets started. This means every learner gets access to a dedicated, private account for the duration of the sandbox.

Once the learner is done with the sandbox, the Instruqt platform automatically revokes all credentials and cleans up any resources that were provisioned in the cloud account.

## Cloud Account Security

{% hint style="danger" %}
**Cloud Accounts can lead to unexpected costs and risks.** Be sure to secure your cloud account properly and read the section on [securing your cloud accounts](https://docs.instruqt.com/sandboxes/cloud-accounts/securing-your-cloud-accounts) and the following security sections specific to cloud account security:<br>

* [AWS Managed Policies](https://docs.instruqt.com/sandboxes/cloud-accounts/aws-accounts/aws-managed-policies)
* [AWS IAM Policies](https://docs.instruqt.com/sandboxes/cloud-accounts/aws-accounts/aws-iam-policies)
* [AWS SCP Policies](https://docs.instruqt.com/sandboxes/cloud-accounts/aws-accounts/aws-scp-policies)
* [Azure Roles](https://docs.instruqt.com/sandboxes/cloud-accounts/azure-subscriptions/azure-roles)
* [GCP IAM Permissions](https://docs.instruqt.com/sandboxes/cloud-accounts/gcp-projects/gcp-iam-permissions)
* [Global Cloud Services and Regions](https://docs.instruqt.com/sandboxes/manage/cloud-services-and-regions)
{% endhint %}

## When to use a cloud account?

For most intents and purposes, regular sandbox hosts are enough to teach learners about your product. However, in certain cases, you might need more resources or infrastructure to show what your product can do. Examples are:

* Your product builds on top of hyperscaler services
* Your product integrates with or orchestrates workflows on hyperscaler APIs
* You have complex infrastructure needs, like extensive network setups or multi-cloud scenarios

## Considerations for adding cloud accounts

### Services and Regions

Cloud providers offer hundreds of services across dozens of regions. Most of these services and regions are usable from within an Instruqt cloud account. However, your sandbox most likely requires only a small subset of those services and regions.

Instruqt allows you to specify which services and regions may be used within a sandbox. We strongly recommend enabling only the ones that you really need. Allowing too many services and regions opens up the possibility of (accidentally) generating high costs.

### Roles and permissions

When you add a cloud account to a sandbox, that account is initially empty. Using our [lifecycle-scripts](https://docs.instruqt.com/sandboxes/lifecycle-scripts "mention") you can preprovision resources in the account to prepare it for use by a learner. Typically, preprovisioning these resources requires more permissions than a learner needs to consume the cloud account.

For this purpose, you can specify two sets of credentials:

* Admin credentials\
  These are only injected into lifecycle scripts, used for preprovisioning resources
* User credentials\
  These are exposed to learners, used to give users access to cloud accounts

For both types of credentials, we strongly recommend configuring the minimum required permissions. So instead of giving Full Admin permissions, consider using service-specific permissions, or even Read Only access where possible.
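
The following is an added example, not Instruqt code: a pre-publish check that reviews an AWS IAM policy intended for learner credentials against the two recommendations above (minimum permissions, and only the regions you need). The sample policies, the `audit_policy` helper and the region allow-list are constructed for illustration; it assumes regions are restricted with the standard `aws:RequestedRegion` condition key.

```python
import json

# Constructed sample policies in AWS IAM JSON form (not taken from the Instruqt docs).
BROAD_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "*", "Resource": "*"}]}""")
SCOPED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*",
   "Condition": {"StringEquals": {"aws:RequestedRegion": ["eu-west-1"]}}}]}""")


def _as_list(value):
    """IAM accepts a single value wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy, allowed_regions):
    """Return findings for Allow statements broader than the sandbox needs."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"statement {i}: Allow with NotAction grants every unlisted action")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"statement {i}: full-admin action '*'")
            elif action.endswith(":*"):
                findings.append(f"statement {i}: service-wide action {action!r}")
        # Regions pinned through the aws:RequestedRegion global condition key.
        regions = []
        for operator, keys in stmt.get("Condition", {}).items():
            if operator.startswith("StringEquals"):
                for key, value in keys.items():
                    if key.lower() == "aws:requestedregion":
                        regions += _as_list(value)
        if not regions:
            findings.append(f"statement {i}: no region restriction")
        for region in regions:
            if region not in allowed_regions:
                findings.append(f"statement {i}: region {region!r} outside allow-list")
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(policy, {"eu-west-1"}))
```

A service-wide finding such as `s3:*` is a prompt to check whether read-only actions would be enough, not necessarily an error.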

## Available Cloud Providers

{% content-ref url="cloud-accounts/aws-accounts" %}
[aws-accounts](https://docs.instruqt.com/sandboxes/cloud-accounts/aws-accounts)
{% endcontent-ref %}

{% content-ref url="cloud-accounts/azure-subscriptions" %}
[azure-subscriptions](https://docs.instruqt.com/sandboxes/cloud-accounts/azure-subscriptions)
{% endcontent-ref %}

{% content-ref url="cloud-accounts/gcp-projects" %}
[gcp-projects](https://docs.instruqt.com/sandboxes/cloud-accounts/gcp-projects)
{% endcontent-ref %}
