Add a Cloud Access Role
To give users direct access to a cloud console (i.e., native access to log in to AWS, Azure, or Google Cloud), you can create a cloud access role (CAR) on an OU or project that grants IAM roles or Azure role definitions.
When you create a cloud access role on an OU, it will be available on all descendant resources. As they are inherited down, cloud access roles attached to OUs are unique in that they are not affected by cloud rules applied on descendant resources. This allows you to apply consistent controls across the organization. For more information, see Cloud Access Role Inheritance and Exemption.
Even though cloud access roles can be applied to OUs, they only affect accounts attached to projects. In the case of cloud access roles, OUs help you manage roles users need on multiple projects. Applying a cloud access role to an OU is a good way to ensure the defined users have the correct access to all projects in a particular part of your organization. A good use for these roles is for system administrators, network engineers, or billing managers that need access to the same services in every account.
You will need to add an account to at least one project before you can create a cloud access role. For information on adding accounts to projects, see Add an Account or Attach an Account in the Account Cache to a Project.
To add a cloud access role to a resource:
- In the left navigation menu, click OUs > All OUs or Projects > All Projects.
- Click the name of the OU or project to which you will add a cloud access role.
- Click the Cloud Management tab.
- Click the Cloud Access Roles subtab.
- Click the Add button.
- Enter a name to identify it on the project.
- In the Access Type dropdown, select one or more types of access you wish to grant. The options are:
  - Web Access provides the user access to log in to the cloud console/portal. This option applies to AWS and Azure accounts.
  - Short Term Access Key provides the user the ability to generate temporary access keys that expire after a certain period of time. This option applies to AWS accounts only.
  - Long Term Access Key provides the user the ability to generate long-term access keys that may or may not expire depending on the settings defined at a global level. No matter the settings at the global level, if the user is disabled, the LTAKs will be disabled as well. This option applies to AWS accounts only.

  For information on configuring settings for access types, including global enabling/disabling and session durations for AWS, see AWS Access.
- Select the users and groups that will have access to use this role.
- If you are adding the role to a project, select an account to apply the role to.
- (Optional) Check the Also apply to all future accounts option to automatically apply this cloud access role to accounts that are added to this project in the future.
- Depending on which cloud providers you use, configure the following settings:
AWS Settings
Select whether you want to create a new IAM Role or if you want to use a role that already exists in AWS. The option to manage an existing role only shows if you have enabled it in your system settings. For more information, see AWS Access.
Add a New AWS IAM Role
- Enter the name of the AWS IAM role that will be created in the AWS accounts attached to the project. This is the name of the role that will display in the top right of the AWS console. It will display as: rolename/username. Any value in the gray box is a prefix that is set at the global level and cannot be edited here. For information on changing this prefix, see AWS Access.
- (Optional) Enter an AWS IAM Path. If you are using the IAM API or AWS Command Line Interface (AWS CLI) to create IAM resources, this field can be used when granting permissions. For more information, see the Friendly Names and Paths section of the AWS user guide.
- Select AWS IAM Policies to associate with this role. These allow console access for AWS.
- (Optional) Select AWS Permissions Boundary to associate with this role.
- (Optional) Click + Add Key/Value Pair to add AWS session tags to this role. When you federate in to an account using this role, these session tags are used to determine what permissions you have. You must set up IAM policies that leverage session tags in AWS before adding them to Kion. For more information, see Amazon's article: Rely on attributes to create fine-grained permissions in AWS.
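As an illustration of an IAM policy that leverages session tags (an added example, not taken from Kion's or AWS's documentation), the policy below assumes a session tag key named `project` and EC2 instances tagged with the same key. A user federating through the role can start or stop only the instances whose `project` tag matches the session tag value, and cannot change that tag to widen their own access.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartStopInstancesMatchingSessionTag",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/project": "${aws:PrincipalTag/project}"
        }
      }
    },
    {
      "Sid": "ListInstancesWithoutTagScope",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Sid": "DenyChangingTheProjectTag",
      "Effect": "Deny",
      "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["project"]
        }
      }
    }
  ]
}
```

With a policy like this attached, the key entered under + Add Key/Value Pair would be `project`. If the session carries no `project` tag, the first statement's condition does not match and start/stop requests are not allowed.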
Manage an Existing AWS IAM Role
If you choose to use an existing AWS IAM role, that role becomes managed by Kion. Once added, Kion can modify permission boundaries and IAM policies on that role within AWS. However, the trust policy remains unchanged, enabling federation through your third-party identity provider.
- Select the name of the existing AWS IAM Role you would like to use. The AWS IAM Role dropdown is populated with the IAM roles we find that exist across all of the accounts under the project or all of the accounts under all of the OU's descendant projects. If the role that you want is not in the list, it may not exist in one of the accounts under the project or OU.
- Select AWS IAM Policies in this role to import into Kion. Once the cloud access role is created, the newly imported policies are added to the policies list under Cloud Management > AWS IAM Policies. Since this role is now managed by Kion, if you deselect policies in this menu, they are also removed from the role in AWS.
- Once the cloud access role is created, you can log in to AWS accounts by selecting the cloud access role in Kion, or by going directly to your third-party identity provider's login. You will have the same policies and permission boundaries using either method.
Azure Settings
Select Azure Role Definitions to associate with this role. These allow console access for Azure.
(Optional) Specify which resource groups can use this role by selecting a subscription and resource groups within that subscription. Multiple subscription/resource group combinations can be added to a single role. If no resource groups are specified, all child resource groups can use the role. Resource groups specified in this way can be accessed from the Cloud Access dropdowns throughout Kion.
Google Cloud Settings
Select Google Cloud IAM Roles to associate with this role. These allow console access for Google Cloud.
- Click Create.
Once the cloud access role is created, you can log in to a cloud provider console. For more information, see Logging in to a Cloud Provider Console with a Cloud Access Role.