Add a Cloud Access Role

Follow

Add a Cloud Access Role

To give users direct access to a cloud console (i.e., native access to login to AWS, Azure, or Google Cloud), you can create a cloud access role (CAR) on an OU or project that grants IAM roles or Azure role definitions.

When you create a cloud access role on an OU, it will be available on all descendant resources. As they are inherited down, cloud access roles attached to OUs are unique in that they are not affected by cloud rules applied on descendant resources. This allows you to apply consistent controls across the organization. For more information, see Cloud Access Role Inheritance and Exemption.

Even though cloud access roles can be applied to OUs, they only affect accounts attached to projects. In the case of cloud access roles, OUs help you manage roles users need on multiple projects. Applying a cloud access role to an OU is a good way to ensure the defined users have the correct access to all projects in a particular part of your organization. A good use for these roles is for system administrators, network engineers, or billing managers that need access to the same services in every account.

You will need to add an account to at least one project before you can create a cloud access role. For information on adding accounts to projects, see Attach an Account in the Account Cache to a Project.

To add a cloud access role to a resource:

  1. In the left navigation menu, click OUs > All OUs or Projects > All Projects.
  2. Click the name of the OU or project to which you will add a cloud access role.
  3. Click the Cloud Management tab.
  4. Click the Cloud Access Roles subtab.
  5. Click the Add button.
  6. Enter a name to identify it on the project.
  7. In the Access Type dropdown, select one or more types of access you wish to grant. The options are:
    • Web Access provides the user access to log in to the cloud console/portal. This option applies to AWS and Azure accounts.
    • Short Term Access Key provides the user the ability to generate temporary access keys that expire after a certain period of time. This option applies to AWS accounts only.
    • Long Term Access Key provides the user the ability to generate long-term access keys that may or may not expire depending on the settings defined at a global level. No matter the settings at the global level, if the user is disabled, the LTAKs will be disabled as well. This option applies to AWS accounts only.
    For information on configuring settings for access types, including global enabling/disabling and session durations for AWS, see AWS Access.
  8. Select the users and groups that will have access to use this role.
  9. If you are adding the role to a project, select an account to apply the role to.
  10. (Optional) Check the Also apply to all future accounts to automatically apply this cloud access role to accounts that are added to this project in the future.
  11. Depending on which cloud providers you use, configure the following settings:

ClosedAWS Settings

ClosedAzure Settings

ClosedGoogle Cloud Settings

  1. Click Create.

Once the cloud access role is created, you can log in to a cloud provider console. For more information, see Loging in to a Cloud Provider Console with a Cloud Access Role.

 

Was this article helpful?
0 out of 1 found this helpful