Create a Cloud
Before plexsphere can provision anything, the platform needs a catalog to provision against: the Clouds it can reach, the Credentials that pay for them, and the Blueprints that describe what to build. The catalog starts empty on a fresh stack — nothing is pre-seeded — and curating it is the platform operator's job.
This lesson is the first of three that build that catalog. Here you create a Cloud: a provider account plexsphere can provision against. The next two lessons issue a Credential under it and register a Blueprint; then Provision a cloud Resource consumes all three.
This lesson takes about five minutes.
Before you start
This lesson is standalone: it does not build on the explore, build, or Group lessons. You only need a running, logged-in stack from Set up your local plexsphere, plus jq on your $PATH to read the new Cloud's id out of the JSON response.
You act as the platform operator throughout — operator@example.com, the seeded identity that holds the platform:plexsphere#admin authoring grant, so it is the one allowed to build the platform catalog. It signs in with the dev password password. See the tutorials overview for the full cast.
Recreate the shell environment and read the Acme Corp Domain id and its active IdP binding with make dev-ids — the operator sign-in needs both:
bash
export PATH="$PWD/bin:$PATH"
export PLEXSPHERE_URL=http://localhost:8080
eval "$(make -s dev-ids)"
echo "domain=$DOMAIN_ID binding=$BINDING_ID"
Step 1 — Create the demo Cloud
Sign in as the platform operator and save the session under a named operator profile — they curate the catalog, so they are the identity allowed to build it. Run the login below, then complete sign-in in the browser as operator@example.com with the password password:
bash
plexctl login --profile-name operator --domain-id "$DOMAIN_ID" --idp-binding-id "$BINDING_ID"
A Cloud is a provider account plexsphere can provision against; the Credential issued under it (the next lesson) is the vaulted secret that pays for it. Create the demo Cloud — the platform:plexsphere#admin grant the operator holds folds into the platform manage permission that Cloud creation is gated on:
bash
CLOUD_ID=$(plexctl cloud create \
  --slug demo-cloud \
  --display-name "Demo Cloud" \
  --provider aws \
  --external-id 000000000000 \
  --endpoint '{"region":"us-east-1","partition":"aws"}' \
  --region-defaults '{"default_region":"us-east-1"}' \
  --profile operator --output json | jq -r '.id')
echo "$CLOUD_ID"
Creating a Cloud grants its creator manage on it — the relation that issuing a credential authorises against. That grant reaches the authorization mirror a moment after the Cloud is created, so if the next lesson's credential issue returns Permission Denied, wait a second and re-run it.
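The wait-and-re-run advice above can be scripted as a bounded retry that only repeats on a denial, so a grant that is really missing still surfaces as an error. This is an added example, not plexsphere's own code: it assumes the denial appears as "Permission Denied" on stderr with a non-zero exit, and `fake_issue` is a constructed stand-in for the next lesson's command.

```bash
#!/usr/bin/env bash
# retry_on_denied MAX_ATTEMPTS DELAY_SECONDS COMMAND [ARGS...]
# Re-runs COMMAND only while it fails with "Permission Denied" on stderr.
# Any other failure, or a denial that outlasts MAX_ATTEMPTS, is returned
# unchanged so a genuinely missing grant is not hidden behind retries.
retry_on_denied() {
  local max="$1" delay="$2" attempt=1 status errfile
  shift 2
  errfile=$(mktemp) || return 1
  while :; do
    # stdout passes through untouched, so the caller can still pipe it to jq.
    "$@" 2>"$errfile" && status=0 || status=$?
    cat "$errfile" >&2                      # always surface the real error text
    if [ "$status" -eq 0 ]; then break; fi
    # Assumption: the denial is reported as "Permission Denied" on stderr.
    if ! grep -qi 'permission denied' "$errfile"; then break; fi
    if [ "$attempt" -ge "$max" ]; then break; fi
    attempt=$((attempt + 1))
    sleep "$delay"
  done
  rm -f "$errfile"
  return "$status"
}

# Constructed stand-in for a command gated on the new grant (not a real
# plexctl call): denied for the first $DENIALS calls, then succeeds.
# $CALLS_FILE holds the call count so it survives command substitution.
fake_issue() {
  local n
  n=$(( $(cat "$CALLS_FILE" 2>/dev/null || echo 0) + 1 ))
  echo "$n" >"$CALLS_FILE"
  if [ "$n" -le "$DENIALS" ]; then
    echo "Error: Permission Denied" >&2
    return 1
  fi
  echo '{"id":"constructed-id"}'
}

# Usage with the stand-in: up to 5 attempts, 1 second apart.
#   CALLS_FILE=$(mktemp) DENIALS=2 retry_on_denied 5 1 fake_issue
```

Keep the attempt count small: a denial that persists for more than a few seconds points to a missing grant rather than mirror lag.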
What you learned
- A Cloud is a provider account plexsphere provisions against. It names the upstream account and its region defaults; the secret that pays for it is a separate Credential, issued under the Cloud in the next lesson.
- The catalog starts empty. Nothing is pre-seeded on a fresh stack, so the operator builds it — beginning with the Cloud, the residency pivot the credential and assignment gates later authorise against.
- Creating a Cloud grants the creator manage on it. That relation is what the credential-issue gate checks, and it reaches the authorization mirror a moment after creation.
Where to go next
- Keep learning by doing — Issue a Cloud Credential issues the vaulted secret that pays for the Cloud you just created.
Or pick the quadrant that matches what you need now:
- You have a job to do — the Manage Clouds how-to covers the operator runbook for creating, updating, and deleting Clouds.
- You want the exact contract — the plexctl cloud reference documents every flag and output shape.
- You want to understand why the catalog is shaped this way — the Cloud Inventory context explains the Cloud aggregate and its invariants.