Add a Service Cloud Access Role
Service cloud access roles grant access to service accounts or other non-human users, such as workloads that need to assume an IAM role rather than a person who signs in. Service cloud access roles are AWS specific.
When you create a cloud access role on an OU, it will be available on all descendant resources. Inherited cloud access roles are unique in that they are not affected by cloud rules applied on descendant resources. This allows you to apply consistent controls across the organization. For more information, see Cloud Access Role Inheritance and Exemption.
You will need to add an account to at least one project before you can create a cloud access role. For information on adding accounts to projects, see Add an Account or The Account Cache.
To add a service cloud access role to a resource:
- Navigate to OUs > All OUs or Projects > All Projects.
- Click the name of the OU or project.
- Select the Cloud Management tab.
- Select the Cloud Access Roles subtab.
- Click the Add button.
- Select Service Cloud Access Role.
- Enter a name for the role.
- If you are creating a project cloud access role, select one or more cloud providers for the role. The role will only be able to access accounts belonging to the selected cloud providers.
- Select accounts to apply the role to.
- (Optional) Check the Also apply to all future accounts to automatically apply this cloud access role to accounts that are added to this project in the future.
- Enter the name of the AWS IAM role that will be created in the AWS accounts attached to the project. This is the name of the role that will display in the top right of the AWS console. It will display as: rolename/username. Any value in the gray box is a prefix that is set at the global level and cannot be edited here. For information on changing this prefix, see AWS Access.
- (Optional) Enter an AWS IAM Path. If you are using the IAM API or AWS Command Line Interface (AWS CLI) to create IAM resources, this field can be used when granting permissions. For more information, see the Friendly Names and Paths section of the AWS user guide.
- Select AWS IAM Policies to associate with this role. The attached policies define what the role is permitted to do in the assigned AWS accounts; without at least one policy the role can be assumed but grants no permissions.
- (Optional) Select AWS Permissions Boundary to associate with this role.
- (Optional) Click + Add Key/Value Pair to add AWS session tags to this role. When you federate in to an account using this role, these session tags are used to determine what permissions you have. You must set up IAM policies that leverage session tags in AWS before adding them to Kion; a tag that no attached policy references (for example, through the aws:PrincipalTag condition key) has no effect on permissions. For more information, see Amazon's article: Rely on attributes to create fine-grained permissions in AWS.
- Select any number of AWS services to be granted access to assigned accounts. Only the services you select here will be allowed to use this role in those accounts, so select the minimum set the workload actually needs.
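After the role has been created, it is worth confirming in the target AWS account that what exists matches what you configured in the steps above: the role sits under the IAM path you entered, only the AWS services you selected are trusted to assume it, a permissions boundary is attached when you chose one, and the attached policies actually reference the session tags you configured. The following Python example is added here and is not part of Kion or its documentation. It audits a role document of the shape returned by `aws iam get-role` and a policy document of the shape returned by `aws iam get-policy-version`; both inputs are constructed samples, and the role name, path, policy name and account ID are hypothetical.

```python
"""Audit an IAM role created from a Kion service cloud access role.

Added example, not Kion code. Checks a role document (shape of
`aws iam get-role` output) against the settings chosen when the role was
configured, and extracts the session-tag keys a policy relies on.
"""
import json
import re

# Constructed sample: a role as it might look after Kion created it with the
# IAM path "/kion/", the EC2 and Lambda service principals, and a boundary.
# All names and the account ID are hypothetical.
SAMPLE_ROLE = {
    "Role": {
        "Path": "/kion/",
        "RoleName": "kion-svc-data-pipeline",
        "Arn": "arn:aws:iam::123456789012:role/kion/kion-svc-data-pipeline",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": ["ec2.amazonaws.com", "lambda.amazonaws.com"]
                    },
                    "Action": "sts:AssumeRole",
                }
            ],
        },
        "PermissionsBoundary": {
            "PermissionsBoundaryType": "Policy",
            "PermissionsBoundaryArn": "arn:aws:iam::123456789012:policy/kion-boundary",
        },
    }
}

# Constructed sample: a policy that scopes EC2 actions to resources whose
# "project" tag matches the caller's "project" session tag (ABAC).
SAMPLE_ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"ec2:ResourceTag/project": "${aws:PrincipalTag/project}"}
            },
        }
    ],
}

# Matches the tag key in "aws:PrincipalTag/<key>", whether it appears as a
# condition key or inside a "${...}" policy variable.
PRINCIPAL_TAG_RE = re.compile(r"aws:PrincipalTag/([^}\s\"]+)")


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_service_role(role_doc, expected_services, expected_path, require_boundary=True):
    """Return a list of findings; an empty list means the role matches expectations."""
    role = role_doc["Role"]
    findings = []

    if role.get("Path") != expected_path:
        findings.append(f"path is {role.get('Path')!r}, expected {expected_path!r}")

    # Collect every service principal the trust policy lets assume the role.
    allowed = set()
    for stmt in _as_list(role["AssumeRolePolicyDocument"].get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("trust policy allows any principal to assume the role")
            continue
        if not isinstance(principal, dict):
            continue
        if "*" in _as_list(principal.get("AWS")):
            findings.append("trust policy allows any AWS account principal to assume the role")
            continue
        allowed.update(_as_list(principal.get("Service")))

    expected = set(expected_services)
    for svc in sorted(allowed - expected):
        findings.append(f"unexpected service principal {svc}")
    for svc in sorted(expected - allowed):
        findings.append(f"missing service principal {svc}")

    if require_boundary and not role.get("PermissionsBoundary"):
        findings.append("no permissions boundary attached")
    return findings


def session_tag_keys(policy_doc):
    """Return the set of session-tag keys a policy references via aws:PrincipalTag."""
    return set(PRINCIPAL_TAG_RE.findall(json.dumps(policy_doc)))


if __name__ == "__main__":
    problems = audit_service_role(
        SAMPLE_ROLE, ["ec2.amazonaws.com", "lambda.amazonaws.com"], "/kion/"
    )
    print("findings:", problems or "none")
    print("session tags used by policy:", sorted(session_tag_keys(SAMPLE_ABAC_POLICY)))
```

To run this against a real account, replace the constructed samples with the output of `aws iam get-role --role-name <name>` and `aws iam get-policy-version`, passing the services and path you selected in Kion. A non-empty findings list means the role in AWS has drifted from, or never matched, what was configured; an empty set of session-tag keys means the session tags you entered in Kion have no effect on the permissions that policy grants.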
Once the cloud access role is created, you can log in to a cloud provider console. For more information, see Logging in to a Cloud Provider Console with a Cloud Access Role.