Cloud accounts


Last updated 1 month ago


What is a cloud account?

Besides sandbox hosts, it is also possible to add a cloud account to a sandbox environment. Cloud accounts are dedicated accounts on the major hyperscalers (AWS, Azure and GCP).

When adding such an account to a sandbox environment, Instruqt will provision a temporary account on the configured provider, with matching credentials, for every sandbox instance that gets started. This means every learner will be able to get access to a dedicated, private account for the duration of the sandbox.

Once the learner is done with the sandbox, the Instruqt platform will automatically revoke all credentials and clean up any resources that were provisioned in the cloud account.

Cloud Account Security

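Cloud accounts can lead to unexpected costs and risks. Be sure to secure your cloud account properly, and read the section on securing your cloud accounts and the following sections specific to cloud account security:

  • AWS Managed Policies

  • AWS IAM Policies

  • AWS SCP Policies

  • Azure Roles

  • GCP IAM Permissions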

When to use a cloud account?

For most intents and purposes, regular sandbox hosts are enough to teach learners about your product. However, in certain cases, you might need more resources or infrastructure to show what your product can do. Examples are:

  • Your product builds on top of hyperscaler services

  • Your product integrates with or orchestrates workflows on hyperscaler APIs

  • You have complex infrastructure needs, like extensive network setups or multi-cloud scenarios

Considerations for adding cloud accounts

Services and Regions

Cloud providers offer hundreds of services across dozens of regions. Most of these services and regions are usable from within an Instruqt cloud account. However, your sandbox most likely requires only a small subset of those services and regions.

Instruqt allows you to specify which services and regions are allowed to be used within a sandbox. We strongly recommend enabling only the ones that you really need. Allowing too many services and regions opens up the possibility of (accidentally) generating high costs.

Roles and permissions

When adding a cloud account to a sandbox, that account is initially empty. Using our Lifecycle scripts, you can preprovision resources in those accounts to prepare the account for usage by a learner. Typically, the permissions you need to preprovision these resources are broader than the permissions a learner needs to consume the cloud account.

For this purpose, you can specify two sets of credentials:

  • Admin credentials: These are only injected into lifecycle scripts and are used for preprovisioning resources.

  • User credentials: These are exposed to learners and are used to give users access to cloud accounts.

For both types of credentials, we strongly recommend configuring the minimum required permissions. So instead of giving Full Admin permissions, consider using service-specific permissions, or even Read Only access where possible.
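
One way to check a learner policy against these recommendations before attaching it to a sandbox, as an added example that is not part of the Instruqt documentation or tooling. The sample policy, the allowlists and the `audit_policy` helper are constructed for illustration, and the region check assumes the policy itself (through the `aws:RequestedRegion` condition key under `StringEquals`) is where regions are limited.

```python
import json

# Constructed sample of a learner ("user credentials") policy in AWS IAM JSON form.
LEARNER_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*",
   "Condition": {"StringEquals": {"aws:RequestedRegion": ["eu-west-1"]}}},
  {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
  {"Effect": "Allow", "Action": "*", "Resource": "*"}
]}
""")

def as_list(value):
    """IAM allows a single string wherever a list is accepted."""
    return value if isinstance(value, list) else [value]

def requested_regions(stmt):
    """Regions pinned by a StringEquals aws:RequestedRegion condition, if any."""
    regions = set()
    for key, value in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if key.lower() == "aws:requestedregion":
            regions.update(as_list(value))
    return regions

def audit_policy(policy, allowed_services, allowed_regions):
    """Return (statement index, finding, detail) for Allow statements that are too broad."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except the listed actions
            findings.append((i, "not-action", None))
        for action in as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            if action == "*":
                findings.append((i, "full-admin", action))
            elif service.lower() not in allowed_services:
                findings.append((i, "service-not-allowed", action))
            elif "*" in name:
                findings.append((i, "wildcard-action", action))
        regions = requested_regions(stmt)
        if not regions:
            findings.append((i, "no-region-limit", None))
        elif not regions <= set(allowed_regions):
            findings.append((i, "region-not-allowed", sorted(regions - set(allowed_regions))))
    return findings

if __name__ == "__main__":
    for finding in audit_policy(LEARNER_POLICY, {"s3"}, {"eu-west-1"}):
        print(finding)
```

The same function can be run over the admin policy with a wider service allowlist, which makes the gap between the two credential sets explicit.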

Available Cloud Providers

  • AWS accounts

  • Azure subscriptions

  • GCP projects