Cloud Accounts, Scopes, and IAM¶

Intermediate 15 minutes

Overview¶

Cloud accounts connect RosettaHub to your AWS, Azure, GCP, or Alibaba Cloud infrastructure. Scopes define resource quotas and spending limits for users. In this tutorial you will manage cloud accounts, configure scopes, and work with IAM users and roles.

Prerequisites¶

[ ] Completed Getting Started with the CLI
[ ] Organization admin or manager privileges
[ ] At least one cloud account connected

Steps¶

Step 1: List Cloud Accounts¶

The cloud account command uses the short name acc:

rh acc ls

List accounts you own:

rh acc ls-owned

List accounts that can be assigned:

rh acc ls-assignable

Step 2: Browse a Cloud Account¶

Open a cloud account in the browser:

rh acc browse -c <cloudAccountUid>

Browse multiple accounts at once:

rh acc browse -c <uid1> -c <uid2>

Step 3: Cloud Account Operations¶

View cost information:

rh acc costs <cloudAccountUid>

List machines running under an account:

rh acc ls-machines <cloudAccountUid>

Set budget for an account:

rh acc set-budget <cloudAccountUid>

Stop or terminate all resources:

rh acc stop-all <cloudAccountUid>
rh acc terminate-all <cloudAccountUid>

Warning

terminate-all is destructive and will remove all running resources under the account.

Step 4: AWS CLI Integration¶

Configure and use the AWS CLI through RosettaHub:

rh acc configure-aws-cli <cloudAccountUid>
rh acc execute-aws-cli <cloudAccountUid>
rh acc purge-aws-cli <cloudAccountUid>

Get console access URL:

rh acc get-console-url <cloudAccountUid>

Step 5: Manage IAM Users and Roles¶

List and create IAM users:

rh iam-user ls
rh iam-user create --label "data-scientist-01"

List and create IAM roles:

rh iam-role ls
rh iam-role create --label "ReadOnly Analyst"

Assign a cloud account to a user:

rh user assign-cloud-account <username>

Step 6: List Scopes¶

Scopes control what resources users can create and how much they can spend:

rh scope ls

Step 7: Create a Scope¶

rh scope create --label "Student Scope" --description "Limited resources for students"

Clone an existing scope:

rh scope clone <scopeUid>

Step 8: Set Resource Quotas¶

Control how many of each resource type a user can create:

rh scope update-quotas <scopeUid> \
  --formation-quota 5 \
  --session-quota 10 \
  --image-quota 3 \
  --storage-quota 5

Step 9: Set Resource Limits¶

Control maximum spend and resource sizes:

rh scope update-limits <scopeUid> \
  --maximum-hourly-cost 10.0 \
  --maximum-compute-instances 4 \
  --maximum-block-storage-size 500 \
  --maximum-autostop-timeout 480

Step 10: Restrict Instance Types¶

Limit which instance types are available:

rh scope update-instance-types <scopeUid> \
  --ram-quota aws=64,azure=32 \
  --allowed-instance-types "aws:t3.micro,t3.small,m5.large;azure:Standard_B2s"

Next Steps¶

Compliance and Cloud Custodian — enforce policies across accounts
Automation with Cron Jobs — schedule account operations

Troubleshooting¶

Cannot see cloud accounts

Cloud account visibility depends on your role. Managers and admins see accounts they manage. Regular users see only assigned accounts.

Scope quotas not taking effect

Ensure the scope is assigned to the target users. Scopes must be linked to take effect.

What is the difference between quotas and limits?

Quotas control the number of resources (e.g., max 5 formations). Limits control the size or cost of resources (e.g., max 500 GB storage, max $10/hour).