How does Kion Access Cloud Accounts?

During setup and daily operations, Kion requires access to various administrative, billing, and resource accounts. This article covers the technical details of how Kion obtains that access for management purposes.

Kion supports multiple cloud providers. There are some differences in how we access accounts from different providers. There are also differences in how access occurs based on where Kion is installed.

Installation Accounts

Kion is always installed in an account owned by you, the customer, never in a Kion-owned account. You never need to grant Kion-owned accounts any access to your environment. Because Kion runs in your own accounts, you fully control your installation and who has access to it.

Kion staff have no access to your Kion deployment or to any of your cloud accounts unless you explicitly grant it. We rarely request such access; it would only be requested for complex troubleshooting, and you can revoke it as soon as the troubleshooting is complete.

AWS Account Access

AWS accounts exist in multiple partitions: AWS Commercial (Retail), AWS GovCloud, AWS SC2S (Secret), and AWS C2S (Top Secret). Regardless of which partitions you use, the access method depends on whether the target account is in the same partition as the Kion installation or in a different one.

AWS SC2S and C2S regions are isolated and therefore do not support cross-partition access.

AWS Accounts in the Kion Installation Partition

Accessing accounts in the same partition where Kion is installed (e.g. Kion is installed in AWS Commercial, and you want to access AWS Commercial accounts) is achieved using a service role and a cross-account trust relationship.

  1. A cloudtamer-service-role IAM role is deployed (manually or automatically) into each account that Kion will access.
  2. The trust policy on this IAM role permits sts:AssumeRole from one of two AWS principals:
    • The account where Kion is installed. Trusting the account root delegates the decision to that account's own IAM: any principal in it that is allowed to call sts:AssumeRole on this role can assume it.
    • The ARN of the EC2 instance role used by the Kion nodes. This is the narrower option, since only the Kion nodes can then assume the role.
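
To make the difference between the two principal forms concrete, here is an added Python example (not Kion's code) that parses a role trust policy and flags any principal broader than a specific role or user in the Kion installation account. The sample policy, the account ID 111111111111 and the role name kion-node-instance-role are constructed placeholders. The same check applies to the cross-partition role described in the next section, whose trust policy names the partition account.

```python
import json
import re

# IAM principals of the form arn:<partition>:iam::<account>:root | role/... | user/...
ARN_RE = re.compile(r"^arn:[a-z0-9-]+:iam::(\d{12}):(root|role/.+|user/.+)$")
ACCOUNT_RE = re.compile(r"^\d{12}$")

# Constructed sample trust policy with the two principal forms described above.
# The account ID and instance-role name are placeholders, not real identifiers.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/kion-node-instance-role"}},
    ],
})


def _as_list(value):
    """IAM lets Statement, Action and Principal.AWS be a scalar or a list."""
    return value if isinstance(value, list) else [value]


def assume_role_principals(policy_json):
    """Return (kind, account_id, principal) for every principal that an Allow
    statement lets call sts:AssumeRole. kind is 'wildcard', 'account', 'role',
    'user' or 'other'. Conditions (e.g. sts:ExternalId) are not evaluated."""
    found = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        entries = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for entry in entries:
            if entry == "*":
                found.append(("wildcard", None, entry))
                continue
            if ACCOUNT_RE.match(entry):          # bare account ID == account root
                found.append(("account", entry, entry))
                continue
            m = ARN_RE.match(entry)
            if m is None:
                found.append(("other", None, entry))
            elif m.group(2) == "root":
                found.append(("account", m.group(1), entry))
            else:
                found.append((m.group(2).split("/")[0], m.group(1), entry))
    return found


def audit_trust_policy(policy_json, kion_account_id):
    """Findings for principals broader than a specific role or user in the Kion
    installation account. An empty list means every principal is that tight."""
    findings = []
    for kind, account, principal in assume_role_principals(policy_json):
        if kind == "wildcard":
            findings.append(f"CRITICAL: {principal} lets any AWS principal assume the role")
        elif kind == "other":
            findings.append(f"INFO: unrecognised principal {principal}; review manually")
        elif account != kion_account_id:
            findings.append(f"HIGH: {principal} is not in the Kion account {kion_account_id}")
        elif kind == "account":
            findings.append(f"MEDIUM: {principal} trusts the whole account; any principal in it "
                            "that is allowed to call sts:AssumeRole on this role can assume it")
    return findings


if __name__ == "__main__":
    for finding in audit_trust_policy(SAMPLE_TRUST_POLICY, "111111111111"):
        print(finding)
```

Run against the sample, the account-root statement produces a MEDIUM finding and the instance-role statement produces none, which is the practical difference between the two choices. Fetch a live policy with `aws iam get-role --role-name cloudtamer-service-role --query Role.AssumeRolePolicyDocument` and pass the JSON to audit_trust_policy to check a deployed role.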

[Diagram: aws-access.jpg]

AWS Accounts not in the Kion Installation Partition

Accessing accounts in a different partition than where Kion is installed (e.g. Kion is installed in AWS GovCloud, and you want to access AWS Commercial accounts) is achieved using a partition user, a service role, and a cross-account trust relationship. STS cannot assume a role across partitions, so Kion needs a credential that is native to the target partition.

  1. A cloudtamer-service-user IAM user is created (manually or automatically) in an account within the partition that will be accessed. This is the partition account. It can be the management account or any other account in that partition.
  2. An administrator manually issues an access key (access key ID and secret access key) for that IAM user and configures it in Kion. For more information, see AWS Partitions.
  3. From that point on Kion manages the access key and rotates it automatically every day.
  4. A cloudtamer-service-role IAM role is deployed (manually or automatically) into each account that Kion will access.
  5. A trust relationship is placed on this IAM role that permits sts:AssumeRole from the partition account. Kion authenticates as the IAM user and assumes the role from there.
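
The daily rotation in step 3 is worth seeing as an ordered sequence, because IAM caps each user at two access keys and the new key must be live before the old one is deleted. The following Python example is added here; it is a generic rotation routine, not Kion's implementation, and runs against an in-memory stand-in for the three boto3 IAM calls such a job uses (list_access_keys, create_access_key, delete_access_key, whose argument and response shapes it mirrors). The user name cloudtamer-service-user comes from the page; the key IDs and secrets are placeholders.

```python
import itertools

MAX_KEYS_PER_USER = 2  # IAM quota: at most two access keys per user


class LimitExceeded(Exception):
    """Stands in for the LimitExceeded error IAM returns for a third key."""


class FakeIAM:
    """In-memory stand-in for the boto3 IAM client. Constructed for this
    example only; it is not Kion's implementation."""

    def __init__(self):
        self.keys = {}                 # user name -> list of access key IDs
        self._seq = itertools.count(1)

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"UserName": UserName, "AccessKeyId": k, "Status": "Active"}
                                      for k in self.keys.get(UserName, [])]}

    def create_access_key(self, UserName):
        if len(self.keys.get(UserName, [])) >= MAX_KEYS_PER_USER:
            raise LimitExceeded("Cannot exceed quota for AccessKeysPerUser: 2")
        key_id = f"AKIAEXAMPLE{next(self._seq):06d}"   # placeholder, not a real key ID
        self.keys.setdefault(UserName, []).append(key_id)
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": f"example-secret-{key_id}"}}

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName].remove(AccessKeyId)


def rotate_access_key(iam, user, current_key_id, store_credential):
    """Replace current_key_id with a fresh key. store_credential(key_id, secret)
    must persist the new credential where the consumer reads it; the old key is
    deleted only after that succeeds, so the consumer never loses access."""
    existing = [k["AccessKeyId"] for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]]
    if current_key_id not in existing:
        raise RuntimeError(f"{current_key_id} is not attached to {user}; refusing to rotate")
    strays = [k for k in existing if k != current_key_id]
    if strays:
        # With the quota at two, a key we did not issue means create_access_key
        # would fail. Deleting it silently could break whoever uses it, so stop.
        raise RuntimeError(f"{user} has an unmanaged key {strays}; remove it before rotating")
    new_key = iam.create_access_key(UserName=user)["AccessKey"]
    store_credential(new_key["AccessKeyId"], new_key["SecretAccessKey"])
    iam.delete_access_key(UserName=user, AccessKeyId=current_key_id)
    return new_key["AccessKeyId"]


def run_demo(days=3):
    """Rotate once per day for `days` days, then show the stray-key failure mode."""
    iam = FakeIAM()
    user = "cloudtamer-service-user"
    vault = {}                                    # where the consumer reads its credential

    def store(key_id, secret):
        vault.update(key_id=key_id, secret=secret)

    first = iam.create_access_key(UserName=user)["AccessKey"]   # the administrator's initial key
    store(first["AccessKeyId"], first["SecretAccessKey"])
    history = [first["AccessKeyId"]]
    for _ in range(days):
        history.append(rotate_access_key(iam, user, vault["key_id"], store))
    iam.create_access_key(UserName=user)          # someone adds a second key by hand
    try:
        rotate_access_key(iam, user, vault["key_id"], store)
        blocked = False
    except RuntimeError:
        blocked = True
    return {"history": history, "live_keys": list(iam.keys[user]), "vault_key": vault["key_id"],
            "rotation_blocked_by_stray_key": blocked}


if __name__ == "__main__":
    print(run_demo())
```

The practical consequence for the partition user is that nobody should hand-create a second access key on cloudtamer-service-user: the next automated rotation would hit the two-key quota and stop.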

[Diagram: aws-cross-partition-access.jpg]

Azure Subscription and Resource Group Access

Azure subscription and resource group access uses the service principal of an app registration. That service principal is granted Microsoft Graph API permissions and assigned the Owner role on the desired management group.

  1. An app registration is manually defined within the target tenant.
  2. The service principal for the app registration is granted Microsoft Graph permissions.
  3. The service principal for the app registration is assigned the Owner role on the desired management group. Role assignments inherit downward, so this grants access to every subscription beneath that management group (all subscriptions in the tenant when it is the Tenant Root Group).
  4. Kion uses the service principal to directly engage Azure or AzureGov API endpoints to read and write data to managed subscriptions and resource groups.

[Diagram: azure-access.jpg]

Google Cloud Account Access

Google Cloud Project access is achieved using a service account with organization-wide API access.

  1. A service account is created within your organization.
  2. The service account is granted permissions and access to the appropriate services within your organization.
  3. Kion uses the service account to directly engage Google Cloud Platform API endpoints to read and write data to managed Google Cloud projects.

[Diagram: google-access.jpg]

What Next?

For information on how we access billing data, see What is a Billing Source?

For information on how users access accounts through Kion, see Logging in to a Cloud Provider Console with a Cloud Access Role.

For information on adding accounts, see Add an Account.