| CPC H04L 67/51 (2022.05) [G06F 9/45558 (2013.01); H04L 63/0853 (2013.01); G06F 2009/4557 (2013.01); G06F 2009/45595 (2013.01)] | 20 Claims |

1. A non-transitory computer readable medium comprising a program stored thereon for execution by a computer processor, the program including instructions to:
route a first network call that originates from a workload in a first cloud computing environment provided by a first cloud provider and that is addressed to a first cloud computing environment instance metadata service (IMS) identified by destination data comprising an internet protocol (IP) address of 169.254.169.254 to a universal IMS (UIMS) different from the first cloud computing environment IMS and running on the first cloud computing environment, wherein the workload is configured to access the first cloud computing environment using first access credentials, wherein routing the first network call to the UIMS causes the UIMS to send a first request from the first cloud computing environment to a second cloud computing environment in response to the first network call requesting credentials from the second cloud computing environment associated, at the second cloud computing environment, with an identity of the workload, and wherein a second cloud service operates on the second cloud computing environment, which is different from the first cloud computing environment and is provided by a second cloud provider different from the first cloud provider;
route a second network call that originates from the workload and that is addressed to a destination other than the first cloud computing environment IMS to a destination indicated by the second network call;
acquire second access credentials that are retrieved by the UIMS from the second cloud computing environment in response to the first request, wherein the second access credentials are separate from the first access credentials and that are valid for accessing a cloud service provided in the second cloud computing environment, wherein the second access credentials are invalid for accessing the first cloud computing environment; and
respond, in response to acquisition of the second access credentials, to the first network call with the second access credentials;
wherein the workload is operable, within the first cloud computing environment to access the cloud service of the second cloud computing environment using the second access credentials, and wherein the workload is further operable to access, within a third cloud computing environment different from the first cloud computing environment, the cloud service of the second cloud computing environment.