Add an Account Cloud Access Role


Add an Account Cloud Access Role

Account cloud access roles grant access to specific accounts, instead of to specific users. With this role, you can stretch automation across accounts or easily federate from one account to another without re-authenticating. These are also known as cross-account access roles in AWS.

These accounts are AWS specific.

When you create a cloud access role on an OU, it will be available on all descendant resources. Inherited cloud access roles are unique in that they are not affected by cloud rules applied on descendant resources. This allows you to apply consistent controls across the organization. For more information, see Cloud Access Role Inheritance and Exemption.

You will need to add an account to at least one project before you can create a cloud access role. For information on adding accounts to projects, see Add an Account or The Account Cache

To add an account cloud access role to a resource:

  1. Navigate to OUs > All OUs or Projects > All Projects.
  2. Click the name of the OU or project.
  3. Select the Cloud Management tab.
  4. Select the Cloud Access Roles subtab.
  5. Click the Add button.
  6. Select Account Cloud Access Role.
  7. Enter a name for the role.
  8. Select accounts to apply the role to.
  9. (Optional) Check the Also apply to all future accounts to automatically apply this cloud access role to accounts that are added to this project in the future.
  10. Enter the name of the AWS IAM role that will be created in the AWS accounts attached to the project. This is the name of the role that will display in the top right of the AWS console. It will display as: rolename/username. Any value in the gray box is a prefix that is set at the global level and cannot be edited here. For information on changing this prefix, see AWS Access.
  11. (Optional) Enter an AWS IAM Path. If you are using the IAM API or AWS Command Line Interface (AWS CLI) to create IAM resources, this field can be used when granting permissions. For more information, see the Friendly Names and Paths section of the AWS user guide.
  12. Select AWS IAM Policies to associate with this role. These allow console access for AWS.
  13. (Optional) Select AWS Permissions Boundary to associate with this role.
  14. (Optional) Click + Add Key/Value Pair to add AWS session tags to this role. When you federate in to an account using this role, these session tags are used to determine what permissions you have. You must set up IAM policies that leverage session tags in AWS before adding them to Kion. For more information, see Amazon's article: Rely on attributes to create fine-grained permissions in AWS.
  15. Enter the account number of the account to be granted access to the accounts you selected above.
  16. Select a partition that the account being granted access must exist within.