Add a User Cloud Access Role


User cloud access roles grant cloud console access to users and/or user groups. These roles represent IAM roles or role definitions in cloud provider accounts.

User cloud access roles can be used for any cloud service provider.

When you create a cloud access role on an OU, it will be available on all descendant resources. Inherited cloud access roles are unique in that they are not affected by cloud rules applied on descendant resources. This allows you to apply consistent controls across the organization. For more information, see Cloud Access Role Inheritance and Exemption.

Even though cloud access roles can be applied to OUs, they only affect accounts attached to projects. In the case of cloud access roles, OUs help you manage roles users need on multiple projects. Applying a cloud access role to an OU is a good way to ensure the defined users have the correct access to all projects in a particular part of your organization. A good use for these roles is for system administrators, network engineers, or billing managers that need access to the same services in every account.
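A simplified model of the inheritance described above, useful for reviewing who ends up with access to which account. This is an added example, not the product's code or API; the `Node` class, the role and user names, and the account IDs are constructed. It assumes an OU role reaches every account in descendant projects and ignores exemptions.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    kind: str                                      # "ou" or "project"
    accounts: list = field(default_factory=list)   # only projects hold accounts
    children: list = field(default_factory=list)
    roles: list = field(default_factory=list)      # (role_name, [users]) applied here

def effective_access(node, inherited=()):
    """Return the set of (user, role, account) grants at and below `node`."""
    active = list(inherited) + node.roles          # roles flow down to descendants
    grants = set()
    if node.kind == "project":                     # roles only take effect on project accounts
        for role, users in active:
            for account in node.accounts:
                grants.update((user, role, account) for user in users)
    for child in node.children:
        grants |= effective_access(child, active)
    return grants

def access_by_account(root):
    """Group grants per account so each account's access list can be reviewed."""
    report = {}
    for user, role, account in effective_access(root):
        report.setdefault(account, []).append((user, role))
    return {account: sorted(pairs) for account, pairs in report.items()}

def build_sample():
    # Constructed organization: two projects and one empty OU under "engineering".
    payments = Node("payments", "project", accounts=["111111111111", "222222222222"])
    search = Node("search", "project", accounts=["333333333333"],
                  roles=[("search-dev", ["bob"])])
    sandbox = Node("sandbox", "ou")                # no projects, so no effect
    eng = Node("engineering", "ou", children=[payments, search, sandbox],
               roles=[("net-eng", ["alice"])])
    return Node("root", "ou", children=[eng], roles=[("billing", ["carol"])])

if __name__ == "__main__":
    for account, pairs in sorted(access_by_account(build_sample()).items()):
        print(account, pairs)
```
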

You will need to add an account to at least one project before you can create a cloud access role. For information on adding accounts to projects, see Add an Account or The Account Cache.

To add a user cloud access role to a resource:

  1. Navigate to OUs > All OUs or Projects > All Projects.
  2. Click the name of the OU or project.
  3. Select the Cloud Management tab.
  4. Select the Cloud Access Roles subtab.
  5. Click the Add button.
  6. Select User Cloud Access Role.
  7. Enter a name for the role.
  8. For the Access Type, select one or more types of access you wish to grant. The options are:
    • Web Access provides the user access to log in to the cloud console/portal. This option applies to AWS and Azure accounts.
    • Short Term Access Key provides the user the ability to generate temporary access keys that expire after a certain period of time. This option applies to AWS accounts only.
    • Long Term Access Key provides the user the ability to generate long-term access keys that may or may not expire depending on the settings defined at a global level. No matter the settings at the global level, if the user is disabled, the LTAKs will be disabled as well. This option applies to AWS accounts only.
    For information on configuring settings for access types, including global enabling/disabling and session durations for AWS, see AWS Access.
  9. Select the users and groups to have access to use this role.
  10. If you are creating a project cloud access role, select one or more cloud providers for the role. The role will only be able to access accounts belonging to the selected cloud providers.
  11. Select accounts to apply the role to.
  12. (Optional) Check the Also apply to all future accounts option to automatically apply this cloud access role to accounts that are added to this project in the future.
  13. Depending on which cloud providers you selected, configure the following settings:

    • AWS Settings
    • Azure Settings
    • Google Cloud Settings

Once the cloud access role is created, you can log in to a cloud provider console. For more information, see Logging in to a Cloud Provider Console with a Cloud Access Role.
