Add a Custom Cloud Access Role
In this role, you enter a custom trust policy to define who has access under which circumstances. This option supports all AWS trust policy options. For information on creating trust policies, see Amazon's documentation.
These accounts are AWS specific.
When you create a cloud access role on an OU, it will be available on all descendant resources. Inherited cloud access roles are unique in that they are not affected by cloud rules applied on descendant resources. This allows you to apply consistent controls across the organization. For more information, see Cloud Access Role Inheritance and Exemption.
You will need to add an account to at least one project before you can create a cloud access role. For information on adding accounts to projects, see Add an Account or Attach an Account in the Account Cache to a Project.
To add a custom cloud access role to a resource:
- Navigate to OUs > All OUs or Projects > All Projects.
- Click the name of the OU or project.
- Select the Cloud Management tab.
- Select the Cloud Access Roles subtab.
- Click the Add button.
- Select Custom Cloud Access Role.
- Enter a name for the role.
- Select accounts to apply the role to.
- (Optional) Check the Also apply to all future accounts to automatically apply this cloud access role to accounts that are added to this project in the future.
- Enter the name of the AWS IAM role that will be created in the AWS accounts attached to the project. This is the name of the role that will display in the top right of the AWS console. It will display as: rolename/username. Any value in the gray box is a prefix that is set at the global level and cannot be edited here. For information on changing this prefix, see AWS Access.
- (Optional) Enter an AWS IAM Path. If you are using the IAM API or AWS Command Line Interface (AWS CLI) to create IAM resources, this field can be used when granting permissions. For more information, see the Friendly Names and Paths section of the AWS user guide.
- Select AWS IAM Policies to associate with this role. These allow console access for AWS.
- (Optional) Select AWS Permissions Boundary to associate with this role.
- (Optional) Click + Add Key/Value Pair to add AWS session tags to this role. When you federate in to an account using this role, these session tags are used to determine what permissions you have. You must set up IAM policies that leverage session tags in AWS before adding them to Kion. For more information, see Amazon's article: Rely on attributes to create fine-grained permissions in AWS.
- Enter the JSON for your custom trust policy. For information on creating trust policies, see Amazon's documentation.