To give users direct access to the cloud console (i.e., native access to log into AWS, Azure, or Google Cloud), you'll create a cloud access role (CAR) on a project that grants AWS IAM roles, Azure role definitions, or Google IAM roles. Alternatively, you can add a cloud access role to an OU. You'll need to Add an Account to a Project before you can proceed with CAR creation for a project.
To add a CAR to a project:
- In the left navigation menu, click Projects > All Projects.
- Click the name of the project to which you will add a CAR.
- Click the Cloud Management tab.
- Click the Cloud Access Roles subtab. You'll see a list of all the current CARs for the project, as shown in the Managing Cloud Access Roles article.
- Click the Add button to add the new CAR.
- In the Cloud Access Role Name field, enter a name to identify it on the project.
- In the Access Type drop-down, select one or more types of access you wish to grant to the user. The settings for these access types, including global enabling/disabling and session durations for AWS, can be set in the AWS access settings. The options are:
  - Web Access - provides the user access to log into the cloud console/portal. This option applies to AWS and Azure accounts.
  - Short Term Access Key - provides the user the ability to generate temporary access keys that expire after a certain period of time. This option applies to AWS accounts only.
  - Long Term Access Key - provides the user the ability to generate long-term access keys (LTAKs) that may or may not expire, depending on the settings defined at the global level. Regardless of the global settings, if the user is disabled, the user's LTAKs are disabled as well. This option applies to AWS accounts only.
- In the Users and User Groups drop-down menus, select the users and groups that may use this role to log into the AWS and Azure consoles.
- In the Accounts drop-down menu, select which account you want the role to apply to.
- Check the Also apply to all future accounts box to automatically apply this CAR to accounts that are added to this project in the future.
- In the AWS IAM Role field, enter the name of the AWS IAM role that will be created in the AWS accounts attached to the project. This is the name of the role that will display in the top right of the AWS console. It will display as: rolename/username. Any value that is in the grey box is a prefix that is set at the global level and cannot be edited here. (Admins can change it within the AWS access settings.)
- In the AWS IAM Path field, enter an optional IAM path. If you are using the IAM API or AWS Command Line Interface (AWS CLI) to create IAM resources, this field can be used when granting permissions. For more information, see the Friendly Names and Paths section of the AWS user guide.
- In the AWS IAM Policies drop-down menu, select any AWS IAM policies you would like to associate with this role. These policies define what the role is allowed to do in AWS.
- In the AWS Permissions Boundary drop-down menu, select any AWS permissions boundaries you would like to associate with this role.
- In the Azure Role Definitions drop-down menu, select any role definitions you would like to associate with this role. These role definitions define what the role is allowed to do in Azure.
- In the Google Cloud IAM Roles drop-down menu, select any Google Cloud IAM roles you would like to associate with this role. These IAM roles define what the role is allowed to do in Google Cloud.
- Click Create Cloud Access Role.
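The AWS IAM Role, AWS IAM Path and global prefix fields above determine the role name and ARN that end up in the AWS account, and the path is what lets you grant permissions over just the roles cloudtamer.io creates. The following Python is an added illustration of that mapping, not code from cloudtamer.io: the account ID `123456789012`, the prefix `ct-` and the path `/cloudtamer/` are constructed example values, and `role_arn`, `assumed_role_arn` and `path_scoped_policy` are hypothetical helper names.

```python
import json
import re

# Constructed example values (not from the page): a placeholder AWS account ID and
# an assumed global role-name prefix standing in for the grey-box prefix set in
# the AWS access settings.
ACCOUNT_ID = "123456789012"
GLOBAL_PREFIX = "ct-"

# AWS IAM path rules: either "/" alone, or a string that begins and ends with "/"
# and otherwise contains ASCII 0x21..0x7F; at most 512 characters.
# IAM role names are limited to [\w+=,.@-] and 64 characters.
_PATH_RE = re.compile(r"^(?:/|/[\u0021-\u007F]+/)$")
_NAME_RE = re.compile(r"^[\w+=,.@-]{1,64}$")


def validate_path(path: str) -> str:
    """Return the path unchanged if it is a valid IAM path, else raise ValueError."""
    if len(path) > 512 or not _PATH_RE.match(path):
        raise ValueError(f"invalid IAM path: {path!r}")
    return path


def full_role_name(name: str, prefix: str = GLOBAL_PREFIX) -> str:
    """The role name AWS sees: the global prefix plus the name typed into the CAR form."""
    full = prefix + name
    if not _NAME_RE.match(full):
        raise ValueError(f"invalid IAM role name: {full!r}")
    return full


def role_arn(name: str, path: str = "/", prefix: str = GLOBAL_PREFIX) -> str:
    """ARN of the IAM role the CAR creates in an attached account (path is part of it)."""
    return f"arn:aws:iam::{ACCOUNT_ID}:role{validate_path(path)}{full_role_name(name, prefix)}"


def assumed_role_arn(name: str, username: str, prefix: str = GLOBAL_PREFIX) -> str:
    """ARN of the STS session a user gets: the rolename/username shown in the console
    and recorded in CloudTrail's userIdentity.arn. The IAM path does not appear here."""
    return f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/{full_role_name(name, prefix)}/{username}"


def path_scoped_policy(path: str) -> dict:
    """A read-only IAM policy over every role under one path.

    This is the kind of grant the IAM path makes possible: an auditing principal can be
    allowed to inspect only the roles created under the cloudtamer.io path, and nothing else.
    """
    validate_path(path)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadRolesUnderPath",
                "Effect": "Allow",
                "Action": ["iam:GetRole", "iam:ListRolePolicies", "iam:ListAttachedRolePolicies"],
                "Resource": f"arn:aws:iam::{ACCOUNT_ID}:role{path}*",
            }
        ],
    }


if __name__ == "__main__":
    print(role_arn("dev", "/cloudtamer/"))
    print(assumed_role_arn("dev", "admin"))
    print(json.dumps(path_scoped_policy("/cloudtamer/"), indent=2))
```

With an empty prefix, `assumed_role_arn("dev", "admin", prefix="")` yields the `dev/admin` session name described later on this page; with the prefix the session name becomes `ct-dev/admin`, which is why the grey-box prefix matters when you write CloudTrail queries.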
Now that the cloud access role exists, you can log in to the AWS console, Azure portal and/or Google Cloud console using the cloud access role. There are several Cloud Access menus throughout cloudtamer.io that allow you to select your CAR from the drop-down menu, but from the Cloud Access Roles subtab that you're currently on, you can:
- Click Select an account under the Cloud Access column.
- Select the name of the account from the drop-down. This will take you directly to the AWS console/Azure portal.
Note: If nothing happens when you log in, ensure you have disabled your popup blocker.
Notice that in the top right of the AWS console the authenticated session is shown as dev/admin. In this case, dev is the value entered into the AWS IAM Role field on the cloud access role and admin is the username of the user logged into cloudtamer.io. This information is logged to AWS CloudTrail, so you know which user is making calls to which AWS APIs.
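Because the session name carries the cloudtamer.io username, CloudTrail records from a CAR session can be attributed back to the person behind them. The script below is an added example of that attribution, not part of the cloudtamer.io documentation: the CloudTrail records in `SAMPLE_EVENTS` are constructed and trimmed to the fields used, the account ID is a placeholder, and `parse_assumed_role_arn`, `attribute_event` and `attribute_calls` are hypothetical helper names.

```python
from collections import defaultdict

# Constructed CloudTrail records (not from the page), reduced to the fields used here.
# Records 0, 1 and 3 come from CAR sessions, so userIdentity.arn ends in rolename/username.
# Record 2 is a plain IAM user and is not a cloudtamer.io session at all.
SAMPLE_EVENTS = [
    {
        "eventTime": "2024-01-01T10:00:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/dev/admin",
            "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/dev"}},
        },
    },
    {
        "eventTime": "2024-01-01T10:05:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/dev/admin",
            "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/dev"}},
        },
    },
    {
        "eventTime": "2024-01-01T10:07:00Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "GetCallerIdentity",
        "userIdentity": {
            "type": "IAMUser",
            "arn": "arn:aws:iam::123456789012:user/alice",
        },
    },
    {
        "eventTime": "2024-01-01T10:09:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/ops/jsmith",
            "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/ops"}},
        },
    },
]


def parse_assumed_role_arn(arn):
    """Split an STS assumed-role ARN into (role_name, session_name).

    Returns None for anything that is not an assumed-role ARN. Role names cannot
    contain "/", so splitting the resource part on "/" at most twice is safe.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "sts":
        return None
    pieces = parts[5].split("/", 2)
    if len(pieces) != 3 or pieces[0] != "assumed-role":
        return None
    return pieces[1], pieces[2]


def attribute_event(record):
    """Map one CloudTrail record to the cloudtamer.io user behind it, or None if not a CAR session."""
    identity = record.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return None
    parsed = parse_assumed_role_arn(identity.get("arn", ""))
    if parsed is None:
        return None
    role, user = parsed
    return {
        "user": user,
        "role": role,
        "eventSource": record["eventSource"],
        "eventName": record["eventName"],
    }


def attribute_calls(records):
    """Group (eventSource, eventName) pairs by the username encoded in the session name."""
    by_user = defaultdict(list)
    for rec in records:
        hit = attribute_event(rec)
        if hit is not None:
            by_user[hit["user"]].append((hit["eventSource"], hit["eventName"]))
    return dict(by_user)


if __name__ == "__main__":
    for user, calls in attribute_calls(SAMPLE_EVENTS).items():
        print(user, calls)
```

One caveat when relying on this: the session name is supplied by whoever calls AssumeRole, so it identifies the cloudtamer.io user only as long as the role's trust policy lets nothing but cloudtamer.io assume it. The `sessionIssuer` ARN in the record is the authoritative source for which role was used, and the constructed records above keep it for that reason.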
Learn more about viewing and editing cloud access roles in the Managing Cloud Access Roles article.