Managing Cloud Accounts
Monitor budgets, control access, and manage cloud resources across the Supercloud.
Overview
Cloud Accounts are a central cloud operations governance resource, representing connections to cloud provider accounts (AWS accounts, Azure subscriptions, GCP projects, and Alibaba Cloud accounts). RosettaOps provides automated account vending -- creating pre-configured, sandboxed cloud accounts on demand -- along with full lifecycle management. Each cloud account:
- Has secure credential storage
- Has individual budget and usage tracking with real-time cost monitoring
- Is fully monitored for resource usage and costs
- Is sandboxed with guardrails to prevent unauthorized usage
Account Assignment Models
Cloud accounts can be assigned in two ways:
| Model | Description | Use Case |
|---|---|---|
| User-dedicated accounts | Each user receives their own cloud account(s) with personal budgets and credentials | Individual researchers, developers, or students who need direct cloud access |
| Project accounts | Cloud accounts are assigned to a project and shared by project members | Team-based work where resources and costs are tracked at the project level |
Both models coexist within the same organization. A user can have their own dedicated cloud accounts and access to project-level accounts simultaneously.
Access Actions
| Action | Description |
|---|---|
| Enable | Enable access to the cloud account and RosettaHub artifacts |
| Disable | Disable access to the cloud account and RosettaHub artifacts |
| Quarantine | Disable access with manual-only restoration (AWS only) |
| Unquarantine | Remove from quarantine (must also Enable for access) |
| Detach and Cleanup | Clean account and return to pool for reassignment |
Quarantine
Quarantined accounts require manual intervention to restore. Use this for security incidents or policy violations.
Resource Actions
Cloud accounts support bulk resource actions -- Stop All, Terminate All, and Cleanup All -- each filterable by service and region. See Resource Management for full details on actions, filtering, and safeguards.
Budget Actions
Transfer Budget
Transfer budget to one or more cloud accounts:
- Select the target cloud accounts
- From the Actions menu, select Budget → Transfer Budget
- Enter the amount to transfer
- Click Transfer
Reverse Transfer
Retrieve budget from cloud accounts back to your account:
- Select cloud accounts with available budget
- Choose Budget → Reverse Transfer
- Specify the amount to retrieve
Note
Reverse transfer requires special permissions. Contact support if you need this capability.
Billing Configuration
| Action | Description |
|---|---|
| Set Billing Code | Assign a billing code for cost tracking |
| Set Purchase Order | Associate with a purchase order |
Superuser Actions
These actions require the SUPERUSER role:
| Action | Description |
|---|---|
| Go To Cloud Console | Open the provider's native console |
| Masquerade as | Log in as the account owner |
| Masquerade as (show all) | Masquerade with full feature visibility |
| Update password | Change the account owner's password |
| Reset All Keys | Reset all access keys for IAM users/GCP service accounts |
| Reset RosettaHub Keys | Reset keys linked to RosettaHub |
| Create Rate Task | Schedule rate-based automation |
| Create Cron Task | Schedule cron-based automation |
Organization Actions
Managers can add or remove cloud accounts from sub-organizations where they have ADMIN or SUPERUSER roles.
| Action | Description |
|---|---|
| Add to Organization | Assign cloud account to an organization |
| Remove from Organization | Remove cloud account from organization |
Email Actions
| Action | Description |
|---|---|
| Send Credentials | Send password reset link to account holder |
| Update Email | Change the account's email address |
Permission Actions
| Action | Description |
|---|---|
| Set Limits | Configure maximum instances, storage sizes, etc. |
| Assign Roles to User | Set region, service, and instance type permissions |
Pool Management
Anonymous Generic Accounts
Organizations can maintain a pool of cloud accounts with anonymous identifiers for temporary access scenarios:
Use Cases:
- Hackathons
- Training courses outside your organization
- Temporary project teams
- Guest access
Pool Actions:
| Action | Description |
|---|---|
| Get Credentials as CSV | Export account credentials to CSV |
| Reset Users Passwords | Bulk password reset |
| Reset Users Emails | Reset to RosettaHub emails |
Pool Workflow
After a temporary event (hackathon, course):
- Reset all passwords for the pool accounts
- Reset emails to anonymous RosettaHub addresses
- Run Cleanup All to remove resources and data
- Accounts are ready for reassignment
Monitoring & Visibility
Cloud accounts are monitored using:
| Provider | Monitoring Tools |
|---|---|
| AWS | Lambda, CloudWatch, CloudTrail |
| GCP | Cloud Functions, Alerts, Sinks |
| Azure | Functions, Monitor, Activity Logs |
Key Metrics
- Budget consumption
- Resource allocation
- Instance counts
- Storage usage
- Cost trends
Best Practices
Budget Management
- Set conservative initial budgets
- Monitor consumption weekly
- Use billing codes for cost attribution
- Set up alerts before budget exhaustion
Security
- Quarantine accounts immediately on security incidents
- Regularly rotate access keys
- Review cloud console access logs
- Use least-privilege permissions
Resource Management
- Schedule Stop All for non-production accounts outside business hours
- Use Cleanup All before reassigning accounts from pools
- Document account assignments and ownership
Related Topics
- Cloud Operations Overview - The governance layer of the Supercloud
- Managing Users
- Managing Organizations
- Managing Projects