diff --git a/atst/domain/csp/cloud.py b/atst/domain/csp/cloud.py
index d624d9b6..3b071b8d 100644
--- a/atst/domain/csp/cloud.py
+++ b/atst/domain/csp/cloud.py
@@ -8,6 +8,12 @@ class CloudProviderInterface:
         """
         raise NotImplementedError()
 
+    def create_user(self, user):  # pragma: no cover
+        """Create an account in the CSP for specified user. Returns the ID of
+        the created user.
+        """
+        raise NotImplementedError()
+
     def create_role(self, environment_role):  # pragma: no cover
         """Takes an `atst.model.EnvironmentRole` object and allows the
         specified user access to the specified cloud entity.
@@ -39,6 +45,10 @@ class MockCloudProvider(CloudProviderInterface):
         cloud."""
         return uuid4().hex
 
+    def create_user(self, user):
+        """Returns an id that represents what would be an user in the cloud."""
+        return uuid4().hex
+
     def create_role(self, environment_role):
         # Currently, there is nothing to mock out, so just do nothing.
         pass
@@ -48,9 +58,9 @@ class MockCloudProvider(CloudProviderInterface):
         pass
 
     def get_access_token(self, environment_role):
-        # for now, just create a mock token using the user and environement
+        # for now, just create a mock token using the user and environment
         # cloud IDs and the name of the role in the environment
-        user_id = str(environment_role.user.id)
+        user_id = environment_role.user.cloud_id or ""
         env_id = environment_role.environment.cloud_id or ""
         role_details = environment_role.role
         return "::".join([user_id, env_id, role_details])
diff --git a/atst/domain/environment_roles.py b/atst/domain/environment_roles.py
index 012ceabd..d5200ac4 100644
--- a/atst/domain/environment_roles.py
+++ b/atst/domain/environment_roles.py
@@ -8,6 +8,8 @@ class EnvironmentRoles(object):
     @classmethod
     def create(cls, user, environment, role):
         env_role = EnvironmentRole(user=user, environment=environment, role=role)
+        if not user.cloud_id:
+            user.cloud_id = app.csp.cloud.create_user(user)
         app.csp.cloud.create_role(env_role)
         return env_role
 
diff --git a/tests/domain/test_environments.py b/tests/domain/test_environments.py
index edd2f1c1..0095fa2c 100644
--- a/tests/domain/test_environments.py
+++ b/tests/domain/test_environments.py
@@ -12,6 +12,28 @@ def test_create_environments():
         assert env.cloud_id is not None
 
 
+def test_create_environment_role_creates_cloud_id(session):
+    owner = UserFactory.create()
+    developer = UserFactory.from_atat_role("developer")
+
+    workspace = WorkspaceFactory.create(
+        owner=owner,
+        members=[{"user": developer, "role_name": "developer"}],
+        projects=[{"name": "project1", "environments": [{"name": "project1 prod"}]}],
+    )
+
+    env = workspace.projects[0].environments[0]
+    new_role = [{"id": env.id, "role": "developer"}]
+
+    workspace_role = workspace.members[0]
+    assert not workspace_role.user.cloud_id
+    assert Environments.update_environment_roles(
+        owner, workspace, workspace_role, new_role
+    )
+
+    assert workspace_role.user.cloud_id is not None
+
+
 def test_update_environment_roles():
     owner = UserFactory.create()
     developer = UserFactory.from_atat_role("developer")