
Cloud Credentials

The cloud_credentials resource creates a tab that displays cloud provider credentials in your lab interface. It consolidates credentials from AWS, Google Cloud, and Azure resources into a single, user-friendly view.

As a lab author, you can use cloud_credentials resources for:

  • Centralized credential display: show all cloud credentials in one convenient tab
  • Multi-cloud labs: display credentials from multiple cloud providers in a single interface
  • Selective access: expose only specific users, service accounts, or service principals from your cloud resources, leaving the rest hidden from lab users

Cloud credentials tabs provide a clean interface for users to access their cloud provider credentials without needing to navigate to multiple locations.

# Minimal example: one AWS account, one IAM user
resource "cloud_credentials" "my-credentials" {
  aws_account {
    target = resource.aws_account.my-aws-account
    users  = ["student"]
  }
}

# Multi-cloud example: one tab consolidating AWS, Google Cloud, and Azure credentials
resource "cloud_credentials" "multi-cloud-credentials" {
  aws_account {
    target = resource.aws_account.my-aws-account
    users  = ["admin", "developer"]
  }

  google_project {
    target           = resource.google_project.my-gcp-project
    users            = ["student"]
    service_accounts = ["automation-sa"]
  }

  azure_subscription {
    target             = resource.azure_subscription.my-azure-subscription
    users              = ["operator"]
    service_principals = ["deploy-sp"]
  }
}

The cloud_credentials resource has no top-level fields. All configuration is done through provider blocks.

cloud_credentials → aws_account

Displays credentials from an AWS Account resource:

  • target (reference, required): Reference to the aws_account resource
  • users (list(string), required): Names of IAM users whose credentials should be displayed; at least one is required

cloud_credentials → google_project

Displays credentials from a Google Cloud Project resource:

  • target (reference, required): Reference to the google_project resource
  • users (list(string), optional): Names of users whose credentials should be displayed
  • service_accounts (list(string), optional): Names of service accounts whose credentials should be displayed; at least one of users or service_accounts must be set

cloud_credentials → azure_subscription

Displays credentials from an Azure Subscription resource:

  • target (reference, required): Reference to the azure_subscription resource
  • users (list(string), optional): Names of users whose credentials should be displayed
  • service_principals (list(string), optional): Names of service principals whose credentials should be displayed; at least one of users or service_principals must be set

Validation Rules

The following rules are enforced when a cloud_credentials resource is validated:

  • At least one provider block (aws_account, google_project, or azure_subscription) is required
  • aws_account blocks require at least one user in the users list
  • google_project blocks require at least one entry in either users or service_accounts
  • azure_subscription blocks require at least one entry in either users or service_principals
  • Every name in users, service_accounts, or service_principals must match a user, service_account, or service_principal block defined in the referenced cloud provider resource
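A lint that enforces these rules before a lab is published, as an added example rather than code from the lab tooling: it parses the HCL subset used on this page with a small hand-written parser (the tool's own parser is not reproduced here), resolves each target reference to its resource, and reports any provider block that breaks a rule above or names a user, service account, or service principal that the referenced resource does not define. The SAMPLE lab definition at the bottom is constructed for the example and deliberately contains one valid and one broken cloud_credentials resource.

```python
# Added example (not the lab tooling's own code): a validator that enforces the
# cloud_credentials rules listed above. It parses the HCL subset shown on this
# page with a small hand-written parser; '#' comments are stripped per line.
import re

TOKEN = re.compile(r'"[^"]*"|[{}\[\]=]|[^\s{}\[\]=,"]+')  # strings, punctuation, bare words (commas dropped)

class Block:
    def __init__(self, kind, labels=()):  # kind: "resource", "user", "aws_account", ...
        self.kind, self.labels, self.attrs, self.blocks = kind, list(labels), {}, []

def _value(tokens, i):
    if tokens[i] != "[":
        return tokens[i].strip('"'), i + 1          # bare word or quoted string
    end = tokens.index("]", i)
    return [t.strip('"') for t in tokens[i + 1:end]], end + 1

def _body(tokens, i, block):
    # Parse `name = value` attributes and `name "label"... { ... }` blocks up to '}'.
    while i < len(tokens) and tokens[i] != "}":
        name, i = tokens[i], i + 1
        labels = []
        while tokens[i].startswith('"'):
            labels.append(tokens[i].strip('"'))
            i += 1
        if tokens[i] == "=":
            block.attrs[name], i = _value(tokens, i + 1)
        elif tokens[i] == "{":
            child = Block(name, labels)
            i = _body(tokens, i + 1, child)
            block.blocks.append(child)
        else:
            raise SyntaxError(f"unexpected {tokens[i]!r} after {name!r}")
    return i + 1

def parse(text):
    code = "\n".join(line.split("#", 1)[0] for line in text.splitlines())  # strip comments
    root = Block("root")
    _body(TOKEN.findall(code), 0, root)
    return root

# provider block -> (required target resource type, {list field: nested block kind in the target})
PROVIDERS = {
    "aws_account": ("aws_account", {"users": "user"}),
    "google_project": ("google_project", {"users": "user", "service_accounts": "service_account"}),
    "azure_subscription": ("azure_subscription", {"users": "user", "service_principals": "service_principal"}),
}

def validate(text):
    """Return the rule violations found; an empty list means the definition is valid."""
    root = parse(text)
    resources = {tuple(b.labels): b for b in root.blocks if b.kind == "resource"}
    problems = []
    for cred in (b for b in root.blocks if b.kind == "resource" and b.labels[0] == "cloud_credentials"):
        name = f"cloud_credentials.{cred.labels[1]}"
        providers = [b for b in cred.blocks if b.kind in PROVIDERS]
        if not providers:
            problems.append(f"{name}: needs at least one provider block")
        for pb in providers:
            want, fields = PROVIDERS[pb.kind]
            ref = pb.attrs.get("target", "")
            parts = ref.split(".")  # expected shape: resource.<type>.<name>
            target = resources.get(tuple(parts[1:])) if len(parts) == 3 and parts[0] == "resource" else None
            if target is None or target.labels[0] != want:
                problems.append(f"{name}.{pb.kind}: target {ref!r} is not an existing {want} resource")
                continue
            exposed = {f: pb.attrs.get(f, []) for f in fields}
            if not any(exposed.values()):
                problems.append(f"{name}.{pb.kind}: needs at least one entry in {' or '.join(fields)}")
            for f, kind in fields.items():
                defined = {b.labels[0] for b in target.blocks if b.kind == kind}
                for n in exposed[f]:
                    if n not in defined:
                        problems.append(f"{name}.{pb.kind}: {f} entry {n!r} is not defined in {ref}")
    return problems

# Constructed sample: a deliberately broken cloud_credentials resource against two real targets.
SAMPLE = '''
resource "aws_account" "workshop" {
  user "instructor" { managed_policies = ["arn:aws:iam::aws:policy/AdministratorAccess"] }
  user "student" { managed_policies = ["arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"] }
}
resource "google_project" "gcp" {
  service_account "automation" { roles = ["roles/storage.admin"] }
}
resource "cloud_credentials" "broken" {  # unknown user, empty google_project block, bad target
  aws_account {
    target = resource.aws_account.workshop
    users = ["student", "grader"]
  }
  google_project {
    target = resource.google_project.gcp
  }
  azure_subscription {
    target = resource.azure_subscription.missing
    users = ["operator"]
  }
}
'''
```

Running validate(SAMPLE) returns three findings, one per provider block, in source order: the undefined "grader" user, the google_project block with neither users nor service_accounts, and the azure_subscription target that resolves to nothing. A cloud_credentials resource with no provider block at all is reported separately, and a definition that only exposes names its targets really define returns an empty list. Because the parser resolves target references, the same pass catches a tab that was copied from another lab and still points at a resource that does not exist there.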

Display credentials for a single AWS user:

resource "aws_account" "lab" {
  regions  = ["us-east-1"]
  services = ["ec2", "s3"]

  user "student" {
    managed_policies = [
      "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
    ]
  }
}

resource "cloud_credentials" "aws-creds" {
  aws_account {
    target = resource.aws_account.lab
    users  = ["student"]
  }
}

Display credentials from AWS, Google Cloud, and Azure in a single tab:

resource "aws_account" "aws" {
  regions  = ["us-east-1"]
  services = ["ec2", "s3"]

  user "aws-user" {
    managed_policies = [
      "arn:aws:iam::aws:policy/PowerUserAccess"
    ]
  }
}

resource "google_project" "gcp" {
  regions  = ["us-central1"]
  services = ["compute.googleapis.com", "storage.googleapis.com"]

  user "gcp-user" {
    roles = ["roles/editor"]
  }

  service_account "automation" {
    roles = ["roles/storage.admin"]
  }
}

resource "azure_subscription" "azure" {
  regions  = ["eastus"]
  services = ["Microsoft.Compute", "Microsoft.Storage"]

  user "azure-user" {
    roles = ["Contributor"]
  }
}

# One tab showing the user and service account names defined above
resource "cloud_credentials" "all-credentials" {
  aws_account {
    target = resource.aws_account.aws
    users  = ["aws-user"]
  }

  google_project {
    target           = resource.google_project.gcp
    users            = ["gcp-user"]
    service_accounts = ["automation"]
  }

  azure_subscription {
    target = resource.azure_subscription.azure
    users  = ["azure-user"]
  }
}

Display credentials for only some users from an account that defines several. The instructor and observer users still exist in the account, but their credentials never appear in the tab:

resource "aws_account" "workshop" {
  regions  = ["us-east-1"]
  services = ["ec2", "s3", "iam"]

  user "instructor" {
    managed_policies = [
      "arn:aws:iam::aws:policy/AdministratorAccess"
    ]
  }

  user "student" {
    managed_policies = [
      "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
    ]
  }

  user "observer" {
    managed_policies = [
      "arn:aws:iam::aws:policy/ViewOnlyAccess"
    ]
  }
}

# Only show student credentials to lab users; instructor and observer stay hidden
resource "cloud_credentials" "student-creds" {
  aws_account {
    target = resource.aws_account.workshop
    users  = ["student"]
  }
}

Add a Cloud Credentials tab to a layout by targeting the cloud_credentials resource from a tab block, alongside the other tabs the lab uses:

resource "aws_account" "training" {
  regions  = ["us-east-1"]
  services = ["ec2", "s3"]

  user "student" {
    managed_policies = [
      "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
    ]
  }
}

resource "container" "workstation" {
  image {
    name = "ubuntu:latest"
  }
}

resource "terminal" "shell" {
  target = resource.container.workstation
}

resource "cloud_credentials" "credentials" {
  aws_account {
    target = resource.aws_account.training
    users  = ["student"]
  }
}

resource "layout" "main" {
  default = true

  instructions {}

  column {
    width = "100"

    tab "shell" {
      title  = "Shell"
      target = resource.terminal.shell
    }

    # The credentials tab targets the cloud_credentials resource, not the account itself
    tab "aws-credentials" {
      title  = "AWS Credentials"
      target = resource.cloud_credentials.credentials
    }
  }
}

Best Practices

  1. Selective exposure: only expose the users, service accounts, and service principals that lab users actually need for the lab; leave instructor and administrative identities out of the list
  2. Clear naming: use descriptive resource names that indicate the purpose (e.g., student-creds, admin-credentials)
  3. Single tab: consolidate all cloud credentials into a single Cloud Credentials tab rather than creating multiple tabs
  4. Security awareness: displayed credentials are readable by anyone who can open the lab, so treat every name in a cloud_credentials block as handed to the lab user; only include credentials intended for their use
  5. Tab placement: place the Cloud Credentials tab in an easily accessible location in your layout