What is a Cloud Access Role?

Cloud access roles are used to log in to the AWS, Azure, or Google Cloud console. They represent an IAM role or role definition that is created in a cloud provider account. That role has a trust policy that allows Kion to provide the user with access to the console. IAM policies, permissions boundaries, and role definitions can be attached directly to the cloud access role from Kion when it is created.

When a cloud access role is created, users or user groups and accounts are added to it. When a user federates into a cloud provider console from a Kion project, they see a list of available cloud access roles: every role whose membership includes both the account being accessed and the user. A single user may therefore have several cloud access roles, each with different permissions, available when accessing one account.

Cloud access roles are actively managed by Kion. If any changes are made to the IAM roles or Azure role definitions outside of Kion, those changes are reverted automatically.
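The reconciliation described above compares the role as Kion defined it with the role as it currently exists in the account. The following is an added example of that comparison step, not Kion's own code: it takes a constructed baseline (trust principal, attached managed policies, permissions boundary) and a constructed observed state shaped like the results of `iam:GetRole` and `iam:ListAttachedRolePolicies`, and reports every difference a defender would want to revert. All ARNs, account IDs and the role name are placeholders.

```python
# Constructed baseline for one cloud access role, as the managing system
# would define it. ARNs, account IDs and the role name are placeholders.
EXPECTED_ROLE = {
    "RoleName": "kion-network-engineer",
    "TrustPrincipal": "arn:aws:iam::111111111111:role/PLACEHOLDER-federation-role",
    "AttachedPolicyArns": {
        "arn:aws:iam::aws:policy/ReadOnlyAccess",
        "arn:aws:iam::111111111111:policy/NetworkEngineerAccess",
    },
    "PermissionsBoundaryArn": "arn:aws:iam::111111111111:policy/ProjectBoundary",
}

# Constructed observed state after an out-of-band edit: a second trusted
# principal, an extra managed policy, and the permissions boundary removed.
OBSERVED_ROLE = {
    "RoleName": "kion-network-engineer",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": [
                    "arn:aws:iam::111111111111:role/PLACEHOLDER-federation-role",
                    "arn:aws:iam::222222222222:user/contractor",
                ]},
                "Action": "sts:AssumeRole",
            }
        ],
    },
    "AttachedPolicyArns": {
        "arn:aws:iam::aws:policy/ReadOnlyAccess",
        "arn:aws:iam::111111111111:policy/NetworkEngineerAccess",
        "arn:aws:iam::aws:policy/AdministratorAccess",
    },
    "PermissionsBoundaryArn": None,
}


def trusted_principals(assume_role_doc):
    """Collect every principal an Allow statement lets assume the role."""
    principals = set()
    for stmt in assume_role_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":          # anonymous trust is always a finding
            principals.add("*")
            continue
        for value in principal.values():
            if isinstance(value, str):
                principals.add(value)
            else:
                principals.update(value)
    return principals


def find_drift(expected, observed):
    """Return human-readable drift findings; an empty list means in sync."""
    findings = []
    trusted = trusted_principals(observed["AssumeRolePolicyDocument"])
    for p in sorted(trusted - {expected["TrustPrincipal"]}):
        findings.append(f"unexpected trusted principal: {p}")
    if expected["TrustPrincipal"] not in trusted:
        findings.append("federation principal missing from trust policy")
    for arn in sorted(observed["AttachedPolicyArns"] - expected["AttachedPolicyArns"]):
        findings.append(f"unexpected attached policy: {arn}")
    for arn in sorted(expected["AttachedPolicyArns"] - observed["AttachedPolicyArns"]):
        findings.append(f"missing attached policy: {arn}")
    if observed["PermissionsBoundaryArn"] != expected["PermissionsBoundaryArn"]:
        findings.append(
            f"permissions boundary is {observed['PermissionsBoundaryArn']!r}, "
            f"expected {expected['PermissionsBoundaryArn']!r}"
        )
    return findings


if __name__ == "__main__":
    for finding in find_drift(EXPECTED_ROLE, OBSERVED_ROLE):
        print("DRIFT:", finding)
```

Each finding maps to one corrective IAM call (update the assume-role policy document, detach the policy, re-attach the boundary); the trust-policy check is the one to treat as highest priority, since an added principal changes who can enter the account at all, not just what they can do once inside.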

Any cloud access role created on an OU is available on every child project beneath it to the users who have access to the role. Cloud access roles also affect the inheritance of cloud rules. For information about how inheritance works with cloud access roles, see Cloud Access Role Inheritance and Exemption.

These roles are a good fit for system administrators, network engineers, or billing managers who need access to the same services in every AWS/Azure account.

