Cloud accounts

What is a cloud account?

Besides sandbox hosts, you can also add a cloud account to a sandbox environment. Cloud accounts are dedicated accounts on the major hyperscalers (AWS, Azure and GCP).

When you add such an account to a sandbox environment, Instruqt provisions a temporary account on the configured provider, with matching credentials, for every sandbox instance that gets started. This means every learner gets access to a dedicated, private account for the duration of the sandbox.

Once the learner is done with the sandbox, the Instruqt platform automatically revokes all credentials and cleans up any resources that were provisioned in the cloud account.

When to use a cloud account?

For most intents and purposes, regular sandbox hosts are enough to teach learners about your product. However, in certain cases, you might need more resources or infrastructure to show what your product can do. Examples are:

  • Your product builds on top of hyperscaler services

  • Your product integrates with or orchestrates workflows on hyperscaler APIs

  • You have complex infrastructure needs, like extensive network setups, or multi-cloud scenarios

Considerations for adding cloud accounts

Services and Regions

Cloud providers offer hundreds of services across dozens of regions. Most of these services and regions are usable from within an Instruqt cloud account. However, your sandbox most likely requires only a small subset of those services and regions.

Instruqt allows you to specify which services and regions may be used within a sandbox. We strongly recommend enabling only the ones that you really need. Allowing too many services and regions opens up the possibility of (accidentally) generating high costs.

Roles and permissions

When you add a cloud account to a sandbox, that account is initially empty. Using our lifecycle scripts, you can preprovision resources in those accounts to prepare the account for use by a learner. Typically, the permissions you need to preprovision these resources are broader than the permissions a learner needs to consume the cloud account.

For this purpose, you can specify two sets of credentials:

  • Admin credentials: These are only injected into lifecycle scripts, used for preprovisioning resources

  • User credentials: These are exposed to learners, used to give users access to cloud accounts

For both types of credentials, we strongly recommend configuring the minimum required permissions. So instead of giving Full Admin permissions, consider using service-specific permissions, or even Read Only access where possible.
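
One way to check this before attaching a policy to learner credentials, shown for AWS as an added example (not Instruqt's own code or configuration format): a small audit that flags IAM Allow statements reaching beyond a service and region allow list. The sample policies, the allow lists and the function names are constructed for illustration; the check looks only at the policy document and is independent of how Instruqt enforces its own service and region settings.

```python
# Constructed sample policies for illustration; not taken from Instruqt.
FULL_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": ["eu-west-1"]}}}]}


def _as_list(value):
    """IAM allows a single item or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _regions(statement):
    """Regions pinned via a StringEquals condition on aws:RequestedRegion, or None."""
    for key, value in statement.get("Condition", {}).get("StringEquals", {}).items():
        if key.lower() == "aws:requestedregion":
            return set(_as_list(value))
    return None


def audit_policy(policy, allowed_services, allowed_regions):
    """Return findings for Allow statements that exceed the given allow lists."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:
            findings.append(f"statement {i}: Allow with NotAction grants every unlisted action")
        for action in _as_list(st.get("Action", [])):
            service, _, name = action.partition(":")
            if service == "*":
                findings.append(f"statement {i}: full admin wildcard action")
            elif service.lower() not in allowed_services:
                findings.append(f"statement {i}: service '{service}' not in allow list")
            elif name == "*":
                findings.append(f"statement {i}: '{action}' grants every action in the service")
        regions = _regions(st)
        if regions is None:
            findings.append(f"statement {i}: no aws:RequestedRegion restriction")
        elif not regions <= set(allowed_regions):
            extra = sorted(regions - set(allowed_regions))
            findings.append(f"statement {i}: regions outside allow list: {extra}")
    return findings


if __name__ == "__main__":
    for label, doc in (("full admin", FULL_ADMIN), ("scoped", SCOPED)):
        print(label, audit_policy(doc, {"s3"}, {"eu-west-1"}))
```

The same audit can be run against both the admin and the user policy, each with its own allow list, since the admin set used by lifecycle scripts is expected to be broader than the learner set.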

Available Cloud Providers

  • AWS accounts

  • Azure subscriptions

  • GCP projects
