What is a Cloud Access Role?


Cloud access roles are used to log in to the AWS, Azure, or Google Cloud console. They represent an IAM role or role definition that is created in a cloud provider account. That role has a trust policy that allows Kion to provide the user with access to the console. IAM policies, permissions boundaries, and role definitions can be attached directly to the cloud access role from Kion when it is created.

When a user federates into a cloud provider console from a Kion project, they see a list of available cloud access roles. The list contains every role that includes both the account being accessed and the user. A single user may have multiple cloud access roles with different permissions available when accessing an account.

Cloud access roles are actively managed by Kion. If any changes are made to the IAM roles or Azure role definitions outside of Kion, the changes are reverted automatically.

Any cloud access roles created on an OU will be available on all child projects below for the users/accounts that have access to the role. They also affect the inheritance of cloud rules. For information about how inheritance works with cloud access roles, see Cloud Access Role Inheritance and Exemption.

Types of Cloud Access Roles

All cloud providers

  • User. User cloud access roles grant access to users and/or user groups. These roles can be used for any cloud service provider. These roles are useful for defining access for system administrators, network engineers, billing managers, etc. For more information, see Add a User Cloud Access Role.


  • Account. Account cloud access roles grant access to specific accounts, instead of to specific users. With this role, you can stretch automation across accounts or easily federate from one account to another without re-authenticating. These are also known as cross-account access roles in AWS. For more information, see Add an Account Cloud Access Role.
  • Service account. Service account cloud access roles grant access to service accounts or other non-human users. When you create this type of role, you select any number of AWS services to be granted access to assigned accounts. For more information, see Add a Service Cloud Access Role.
  • Custom. In this role, you enter a custom trust policy to define who has access under which circumstances. This option supports all AWS trust policy options. Set time limits, limit access to specific time frames, create restrictions based on an IP address or CIDR range, and limit role use based on tags. For more information, see Add a Custom Cloud Access Role.
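The restrictions listed for the Custom role correspond to AWS condition keys in a trust policy. The following is an added example, not Kion's code or a policy from this page: it builds such a trust policy and checks which restrictions a policy actually carries before it is entered. The account ID, CIDR range, dates, tag key, and the function name are assumptions.

```python
import json

# Constructed sample trust policy. The account ID, CIDR range, dates and tag
# key are placeholders, not values from Kion or from the page.
RESTRICTED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {
      "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
      "DateGreaterThan": {"aws:CurrentTime": "2025-01-01T00:00:00Z"},
      "DateLessThan": {"aws:CurrentTime": "2025-01-31T23:59:59Z"},
      "StringEquals": {"aws:PrincipalTag/team": "network"}
    }
  }]
}""")

# Constructed weak variant: same principal, Condition block removed.
UNRESTRICTED = json.loads(json.dumps(RESTRICTED))
del UNRESTRICTED["Statement"][0]["Condition"]

# Condition-key prefixes (matched case-insensitively) mapped to restriction kind.
KINDS = {"aws:sourceip": "ip", "aws:currenttime": "time", "aws:principaltag/": "tag"}

def review_trust_policy(policy):
    """For each Allow statement, report wildcard principals and restriction kinds."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    report = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        values = principal.values() if isinstance(principal, dict) else [principal]
        wildcard = any(v == "*" or (isinstance(v, list) and "*" in v) for v in values)
        kinds = set()
        for keys in stmt.get("Condition", {}).values():
            for key in keys:
                kinds.update(k for p, k in KINDS.items() if key.lower().startswith(p))
        report.append({"wildcard_principal": wildcard, "restrictions": sorted(kinds)})
    return report

if __name__ == "__main__":
    for name, doc in (("restricted", RESTRICTED), ("unrestricted", UNRESTRICTED)):
        print(name, review_trust_policy(doc))
```

A statement that reports an empty restrictions list, or a wildcard principal, is one to question before the role is saved.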

