Managing Cloud Access Roles

Cloud access roles (CARs) provide console access for your AWS, Azure, and Google Cloud accounts.

To view which cloud access roles are applied on an OU or project:

  1. Click the name of the project or OU you wish to view in the project/OU list to access its details page.
  2. On the project/OU details page, click the Cloud Management tab.
  3. Click on the Cloud Access Roles sub-tab.

The cloud access roles on this resource are split into two categories: My Cloud Access Roles and All Cloud Access Roles.

  • My Cloud Access Roles only shows user cloud access roles that are assigned to the currently signed-in user. This list does not include service, account, or custom cloud access roles. This list makes it easy for users to see which roles they can use to federate into accounts.
  • All Cloud Access Roles shows all cloud access roles of all types applied to the current resource.

Click the name of a cloud access role to view its details, including the name, access type, AWS IAM role name, origin, and any objects associated with it.

For cloud access roles that federate into Google Cloud accounts, to see which permissions are allowed or denied on a cloud access role, click the ellipsis menu next to the role, and select View Permissions. This lists all permissions applied or denied by the role, including those inherited from parent resources.

Editing Cloud Access Roles

Cloud access roles can only be edited from the resource they were created on.

An easy way to get to the correct location to edit a cloud access role: on the Cloud Management > Cloud Access Roles tab of a project or OU, click the OU name shown under the cloud access role name. This is the OU the role was inherited from.

Once you have navigated to the resource where the cloud access role was created, click the ellipsis icon next to the role you would like to edit and select Edit. Here you can change the access type, users, AWS settings, Azure settings, and Google Cloud settings on the role. The cloud access role will be updated everywhere it is applied.

Additional Configuration Options

These options affect how budgets work, but are not configured on the cloud access roles themselves. These are configured in the system settings.

Limit cloud access role assignments to user groups only

This setting removes the ability to assign individual users to cloud access roles. When viewing cloud access roles with this enabled, you no longer see a list of every user assigned to the role, only user groups. For more information, see Cloud Access Settings.