A cloud infrastructure performs governance and security control for datacenters on a cloud platform. The system specifies one or more session policies for the plurality of datacenters. A session policy associated with a datacenter specifies a set of access conditions for accessing the entities of the datacenter, and may be generated based at least on the network information in the declarative specification for the datacenter, and network artifacts from provisioning the network resources for the datacenter. Responsive to receiving a request to access an entity of a datacenter from a user, the system obtains credentials for the user and attaches the session policies. Responsive to determining that the credentials are used to access the datacenter from a set of access conditions that match the set of access conditions in the attached session policy, the cloud platform grants access.