User cloud access roles grant cloud console access to users and/or user groups. These roles represent IAM roles or role definitions in cloud provider accounts.
User cloud access roles can be used for any cloud service provider.
When you create a cloud access role on an OU, it will be available on all descendant resources. Inherited cloud access roles are unique in that they are not affected by cloud rules applied on descendant resources. This allows you to apply consistent controls across the organization. For more information, see Cloud Access Role Inheritance and Exemption.
Even though cloud access roles can be applied to OUs, they only affect accounts attached to projects. In the case of cloud access roles, OUs help you manage roles that users need on multiple projects. Applying a cloud access role to an OU is a good way to ensure the defined users have the correct access to all projects in a particular part of your organization. A good use for these roles is for system administrators, network engineers, or billing managers who need access to the same services in every account.
You will need to add an account to at least one project before you can create a cloud access role. For information on adding accounts to projects, see Add an Account or The Account Cache.
To add a user cloud access role to a resource:
Navigate to OUs > All OUs or Projects > All Projects.
Click the name of the OU or project.
Select the Cloud Management tab.
Select the Cloud Access Roles subtab.
Click the Add button.
Select User Cloud Access Role.
Enter a name for the role.
For the Access Type, select one or more types of access you wish to grant. The options are:
Web Access provides the user access to log in to the cloud console/portal. This option applies to AWS and Azure accounts.
Short Term Access Key provides the user the ability to generate temporary access keys that expire after a certain period of time. This option applies to AWS accounts only.
Long Term Access Key provides the user the ability to generate long-term access keys (LTAKs) that may or may not expire depending on the settings defined at a global level. Regardless of the global settings, if the user is disabled, the user's LTAKs are disabled as well. This option applies to AWS accounts only.
For information on configuring settings for access types, including global enabling/disabling and session durations for AWS, see AWS Access.
Select the users and groups to have access to use this role.
If you are creating a project cloud access role, select one or more cloud providers for the role. The role will only be able to access accounts belonging to the selected cloud providers.
Select accounts to apply the role to.
(Optional) Check the Also apply to all future accounts to automatically apply this cloud access role to accounts that are added to this project in the future.
Depending on which cloud providers you selected, configure the following settings:
Select whether you want to create a new IAM Role or if you want to use a role that already exists in AWS. The option to manage an existing role only shows if you have enabled it in your system settings. For more information, see AWS Access.
Add a New AWS IAM Role
Enter the name of the AWS IAM role that will be created in the AWS accounts attached to the project. This is the name of the role that will display in the top right of the AWS console. It will display as: rolename/username. Any value in the gray box is a prefix that is set at the global level and cannot be edited here. For information on changing this prefix, see AWS Access.
(Optional) Enter an AWS IAM Path. If you are using the IAM API or AWS Command Line Interface (AWS CLI) to create IAM resources, this field can be used when granting permissions. For more information, see the Friendly Names and Paths section of the AWS user guide.
Select AWS IAM Policies to associate with this role. These allow console access for AWS.
(Optional) Select AWS Permissions Boundary to associate with this role.
(Optional) Click + Add Key/Value Pair to add AWS session tags to this role. When you federate into an account using this role, these session tags are used to determine what permissions you have. You must set up IAM policies that leverage session tags in AWS before adding them to Kion. For more information, see Amazon's article: Rely on attributes to create fine-grained permissions in AWS.
If you use an external ID in your trust policies, the external ID and any session tags must be in separate statements. For more information, see Adding an External ID to your Trust Policy.
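The statement layout described above, as an added example that is not part of the original page or Kion's own output: a constructed trust policy that keeps the sts:ExternalId condition on the sts:AssumeRole statement and grants sts:TagSession in a separate statement, plus a small check that flags any statement mixing the two. The account ID, external ID and principal ARN are placeholders.

```python
import json

# Constructed trust policy (not Kion's output). A Condition applies only to
# the Actions in its own statement, so placing sts:TagSession in a second
# statement keeps the ExternalId condition off the tagging permission.
PLACEHOLDER_PRINCIPAL = "arn:aws:iam::111111111111:root"  # placeholder: federating principal

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AssumeWithExternalId",
            "Effect": "Allow",
            "Principal": {"AWS": PLACEHOLDER_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
        },
        {
            "Sid": "AllowSessionTags",
            "Effect": "Allow",
            "Principal": {"AWS": PLACEHOLDER_PRINCIPAL},
            "Action": "sts:TagSession",
        },
    ],
}


def _actions(stmt):
    """Normalize the Action element, which may be a string or a list."""
    action = stmt.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def _uses_external_id(stmt):
    """True if any condition operator in the statement keys on sts:ExternalId."""
    return any("sts:ExternalId" in keys for keys in stmt.get("Condition", {}).values())


def tag_session_mixed_with_external_id(policy):
    """Return the Sids of statements that both grant sts:TagSession and carry an
    sts:ExternalId condition, i.e. violate the separate-statements rule."""
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in policy["Statement"]
        if "sts:TagSession" in _actions(stmt) and _uses_external_id(stmt)
    ]


if __name__ == "__main__":
    print(json.dumps(TRUST_POLICY, indent=2))
    print(tag_session_mixed_with_external_id(TRUST_POLICY))  # []
```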
Manage an Existing AWS IAM Role
If you choose to use an existing AWS IAM role, that role becomes managed by Kion. Once added, Kion can modify permission boundaries and IAM policies on that role within AWS. However, the trust policy remains unchanged, enabling federation through your third-party identity provider.
Select the name of the existing AWS IAM Role you would like to use. The AWS IAM Role dropdown is populated with the IAM roles Kion finds across all of the accounts under the project or, for an OU, under all of the OU's descendant projects. If the role that you want is not in the list, it may not exist in one of the accounts under the project or OU.
Select AWS IAM Policies in this role to import into Kion. Once the cloud access role is created, the newly imported policies are added to the policies list under Cloud Management > AWS IAM Policies. Since this role is now managed by Kion, if you deselect policies in this menu, they are also removed from the role in AWS.
Once the cloud access role is created, you can log in to AWS accounts by selecting the cloud access role in Kion, or by going directly to your third-party identity provider's login. You will have the same policies and permission boundaries using either method.
Select Azure Role Definitions to associate with this role. These allow console access for Azure.
(Optional) Specify which resource groups can use this role by selecting a subscription and resource groups within that subscription. Multiple subscription/resource group combinations can be added to a single role. If no resource groups are specified, all child resource groups can use the role. Resource groups specified in this way can be accessed from the Cloud Access dropdowns throughout Kion.