Skip to content

BYOA (Bring Your Own Account)

There are many applications that needs to be deployed in customers account due to security and cost reasons. Your customers may prefer to not move the data in your account and want you to deploy your app(s) in their account.

From your perspective, you will have to manage hundreds or thousands of these accounts. This is how the setup may look like:

BYOA image

The challenge is that deploying in your customers account requires manual coordination, sharing of credentials and a lot of operational pain. We have automated the entire process and made it simple to operate in a secure way.


There are several variants of BYOA mode in the industry and they are all somewhat related.

  • Bring Your Own Account (BYOA) - in this mode, your customers' brings their account
  • Bring Your Own Cloud (BYOC) - same as above, where your customers' bring their cloud account
  • Bring Your Own VPC - in this mode, your customer brings a specific VPC to deploy and manage your application

We support different variants of BYOA for you to NOT worry about the complexity of the underlying infrastructure

How to enable BYOA

Compose spec

If you are using compose spec, you can add the following to your compose to configure your provider account:

  AwsAccountId: '123456789012' # random account number
  AwsBootstrapRoleAccountArn: 'arn:aws:iam::123456789012:role/omnistrate-bootstrap-role'
  GcpProjectId: 'omnistrate-internal'
  GcpProjectNumber: '1234567890123'
  GcpServiceAccountEmail: '[email protected]'


Please don't forget to replace the account numbers, project id and other information with your own account information


If you are using APIs, please refer to this page


  • To configure your customer's account using Terraform, you need to follow this video guide
  • To configure your customer's account using Cloud Formation, you need to follow this video guide

BYOA architecture

BYOA architecture

As discussed here, we build a trust relationship between your account and your customers account to allow you to automate the setup. Once setup, system uses the industry standard secure techniques to reverse the connection to prevent any inbound connections to your customers' account (except while configuring their account during setup), encrypted channel through TLS and oauth tokens to secure the connectivity between your customers account and your account.

If your customers wants to also disable any outbound data, they can also achieve that by updating the IAM permission set. Please reach out to for any questions on this front.

BYOA in action

Omnistrate makes it easy to manage resource instances across the fleet

View for your customers

BYOA Access

Internal view for your teams

BYOA Fleet

Demo video

Here is a demo video on PostgreSQL BYOA DBaaS: Watch the video

Bring Your Own VPC (BYO-VPC)

If you are running your SaaS in BYOA mode, your customers can bring their own VPC and Omnistrate will deploy your Dataplane in their VPC.


To use BYO-VPC, your customer has to first create the VPC and subnets with the following requirements:

  • The VPC needs to enable DNS hostnames and DNS resolution, please refer to this page
  • Public NAT gateway is required in the VPC to pull docker image from repository, also make sure all private subnets route tables have an entry to this NAT gateway, please refer to this page
  • The public subnet needs to have auto-assign public IPv4 address enabled, please refer to this page
  • All private subnets need to have tag with value 1 and public subnets need to have tag with value 1, please refer to this page

How to get started

When creating an instance, your customer can specify VPC id as value of cloud_provider_native_network_id input parameter, and rest of things will be same as regular BYOA experience.