Cloud.gov Account Management
Overview
Cloud.gov provides secure access through agency single sign-on (SSO) or Cloud.gov accounts with multi-factor authentication. Federal employees and contractors working on federal systems can obtain access through their agency's identity provider or by creating a Cloud.gov account. This guide covers account setup, authentication methods, and responsible use policies required for platform access.
Prerequisites
- Federal Government Email: .gov, .mil, or .fed.us address for automatic access
- Agency SSO (if available): Check the login page for integrated agencies
- For Contractors: Federal employee must invite you to their organization
- Authentication Tools:
- PIV/CAC card reader (for agency SSO)
- TOTP authenticator app (for Cloud.gov accounts)
Process / Steps
Determine Your Access Method
Option 1: Agency Single Sign-On
If your agency is listed on the login page:
- Select your agency's button
- Authenticate with PIV/CAC or agency credentials
- Automatic access is granted to a sandbox account
Option 2: Login.gov Account
If you have a PIV/CAC and your agency is not listed on the login page:
- Select
Sign in with Login.govon the login page - Click the link
Sign in with your government employee ID - Automatic access is granted to a sandbox
Option 3: Cloud.gov Account
For agencies without SSO integration:
- Visit https://account.fr.cloud.gov/signup
- Enter your federal email address
- Set up password and TOTP authentication, continue on to Setting up Cloud.gov accounts
Obtain account permissions
Shortly after logging in for the first time with any of the options above, your account will have access to a Cloud.gov Sandbox account. Continue on to setting up the CLI and targeting your sandbox to deploy your first application.
If you are looking for access to your agency's Cloud.gov organization, follow the instructions on managing roles via the dashboard. You will need an organization manager to add you to the appropriate spaces and roles.
Setting up Cloud.gov accounts
If you are using your Agency Single Sign-on or Login.gov, no additional configuration is necessary. The steps below are only needed if you are using a Cloud.gov login.
After logging in the first time at https://account.fr.cloud.gov/signup:
1. Configure Multi-Factor Authentication
For Cloud.gov accounts, configure TOTP using:
- Recommended (with backup/sync):
- Basic (device-only):
- Google Authenticator
- Any RFC 6238-compliant app
2. Request Organization Access
Follow these steps:
- Go to log into your cloud.gov account at https://login.fr.cloud.gov
- Click on Forgot your password? link to reset your password
- Enter your email address into the
Email addressinput and click SEND EMAIL to receive the reset password confirmation email - Go to your email and click on the verification link in the first step of that email
- Enter your email address in the
Email addressinput on the reset password verification page and click VERIFY EMAIL - Your email is verified and then copy/save the temporary password under the
Your temporary password. - Login to your cloud.gov account at https://login.fr.cloud.gov/ with the new temporary password
- After logging in, go to https://account.fr.cloud.gov/change-password to
change the password
- Enter the temporary password into the
Old Passwordinput - Then create and enter the new password into
New Passwordinput and confirm it in theRepeat New Passwordinput - Finally, click CHANGE
- Enter the temporary password into the
3. Maintain Account Security
Customer Responsibility:
- Protect authentication credentials
- Report suspicious activity to support@cloud.gov
- Log out when sessions complete
- Update passwords every 90 days (Cloud.gov accounts)
4. Follow Responsible Use Policy
If you need to set up a new authentication application, such as if you lose your phone, email support@cloud.gov so that we can allow you to set up a new one. We'll follow this process to mitigate the risk of requests from compromised email addresses:
Authorized uses include:
- Building and managing government digital services
- Testing and learning Cloud.gov capabilities
- Contributing to platform development
Prohibited activities:
- Processing classified information
- Sharing account credentials
- Unauthorized data access
- Circumventing security controls
Common Errors & Fixes
SSO Login Failures
- Issue: PIV/CAC not recognized
- Fix: Ensure card reader drivers updated and browser compatible
TOTP Token Invalid
- Issue: Authentication code rejected
- Fix: Verify device time synchronized; codes expire in 30 seconds
Password Reset Needed
- Issue: Forgotten password or "Password has expired" error
- Fix: Follow these steps:
- Go to log into your cloud.gov account at https://login.fr.cloud.gov
- Click on Forgot your password? link to reset your password
- Enter your email address into the
Email addressinput and click SEND EMAIL to receive the reset password confirmation email - Go to your email and click on the verification link in the first step of that email
- Enter your email address in the
Email addressinput on the reset password verification page and click VERIFY EMAIL - Your email is verified and then copy/save the temporary password under the
Your temporary password. - Login to your cloud.gov account at https://login.fr.cloud.gov/ with the new temporary password
- After logging in, go to https://account.fr.cloud.gov/change-password to
change the password
- Enter the temporary password into the
Old Passwordinput - Then create and enter the new password into
New Passwordinput and confirm it in theRepeat New Passwordinput - Finally, click CHANGE
- Enter the temporary password into the
Cannot Log In - "SAML user does not exist" or other authentication error.
- Issue: Attempting to log in after 90 days of inactivity results in a SAML error or an authentication request error when using the Cloud.gov authentication provider.
- Fix: Your account may have been deactivated due to lack of use. Unless you're a sandbox-only account user, your org manager must request a reactivation of your user account. Have your org manager send a request to support@cloud.gov with the name and email address for the account that needs to be reactivated.
Lost TOTP Device
- Issue: Cannot generate authentication codes
- Fix: Email support@cloud.gov with:
I need to set up a new authentication application. I understand this means the contents of my sandbox space will be deleted if I have one, and that you will remove my permissions to other spaces and orgs.
FAQs
Q: How quickly can I get access? A: Federal email addresses get immediate sandbox access. Production access requires IAA/MOU coordination.
Q: Can consultants get their own accounts? A: Yes, if working on federal systems. Federal employee must invite them to the organization.
Q: What happens to my account when I leave? A: Federal leads should remove
departing users: cf unset-org-role USER-EMAIL ORG ROLE
Q: How do I report security concerns? A: Email support@cloud.gov immediately with details of suspicious activity.
Q: Can I use hardware tokens instead of TOTP? A: Not currently. Cloud.gov accounts require TOTP apps. Agency SSO may support PIV/CAC or FIDO tokens.