Add a Cloud Access Role to an OU
To give users direct access to the cloud console (i.e., native access to log into AWS or Azure), you can create a cloud access role (CAR) on an OU that grants IAM roles or Azure role definitions. Alternatively, you can add a cloud access role to a single project. You'll need to Add an Account to a Project for at least one attached project before you can proceed with OU CAR creation.

When you create a cloud access role on an OU, it will be available on all directly attached projects as well as all projects attached to all child OUs down through that OU's branch of the organization.

Cloud access roles attached to OUs are unique in that they are not affected by IAM policies/Azure role definitions applied via cloud access roles on child OUs or below. This allows you to apply consistent controls across the organization for specific types of users. 

For example, if you have a financial team that needs access to the AWS Billing Console for all the AWS accounts in an organization, you can create a cloud access role specifically for the financial team on a top-level OU. You only have to create the cloud access role once, and the team will then get the same access across all the AWS accounts below. You can do the same thing for your cloud administrators that need access to the AWS accounts.

To add a CAR to an OU:

  1. In the left navigation menu, click OUs > All OUs.
  2. Click the name of the project to which you will add a CAR.
  3. Click the Cloud Management tab.
  4. Click the Cloud Access Roles subtab. You'll see a list of all the current CARs for the project, as shown in the Managing Cloud Access Roles article.
  5. Click the Add button to add the new CAR.
  6. In the Cloud Access Role Name field, enter a name to identify it on the project.
  7. In the Access Type drop-down, select one or more types of access you wish to grant to the user. The settings for these access types, including global enabling/disabling and session durations for AWS, can be set in the AWS access settings. The options are:
    • Web Access - provides the user access to log into the cloud console/portal. This option applies to AWS and Azure accounts.
    • Short Term Access Key - provides the user the ability to generate temporary access keys that expire after a certain period of time. This option applies to AWS accounts only.
    • Long Term Access Key - provides the user the ability to generate long-term access keys (LTAKs) that may or may not expire depending on the settings defined at the global level. Regardless of the global settings, if the user is disabled, the user's LTAKs are disabled as well. This option applies to AWS accounts only.
  8. In the Users and User Groups drop-down menus, select the users and groups that will have access to use this role to log into AWS and Azure consoles.
  9. In the AWS IAM Role field, enter the name of the AWS IAM role that will be created in the AWS accounts attached to the project. This is the name of the role that will display in the top right of the AWS console. It will display as: rolename/username. Any value that is in the grey box is a prefix that is set at the global level and cannot be edited here (admins can change it within the AWS access settings).
  10. In the AWS IAM Path field, enter an optional IAM path. If you are using the IAM API or AWS Command Line Interface (AWS CLI) to create IAM resources, this field can be used when granting permissions. For more information, see the Friendly Names and Paths section of the AWS user guide.
  11. In the AWS IAM Policies drop-down menu, select any AWS IAM policies you would like to associate with this role. These allow the console access for AWS.
  12. In the AWS Permissions Boundary drop-down menu, select any AWS permissions boundaries you would like to associate with this role.
  13. In the Azure Role Definitions drop-down menu, select any role definitions you would like to associate with this role. These allow the console access for Azure.
  14. Click Create Cloud Access Role.
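Because the role created in step 9 shows up in AWS as rolename/username, CloudTrail records for console or key activity carry an assumed-role session ARN that can be mapped back to the CAR and the user who used it. The following Python helper is an added example, not part of this article or the product's own tooling; it assumes the session name is the username (as the console display suggests) and uses a constructed global prefix of `kion-` and constructed sample ARNs.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed-role session ARN as it appears in CloudTrail userIdentity.arn:
#   arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
ASSUMED_ROLE_RE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/(?P<session>.+)$"
)


@dataclass(frozen=True)
class CarSession:
    account: str
    role_name: str   # full IAM role name, including the global prefix
    car_name: str    # the Cloud Access Role Name entered in step 6/9
    username: str    # session name; assumed to be the user's name


def parse_car_session(arn: str, global_prefix: str = "") -> Optional[CarSession]:
    """Map an assumed-role ARN back to (account, CAR, user).

    global_prefix is the read-only prefix from the AWS access settings
    (assumed here; pass the value configured in your environment).
    Returns None for identities that are not CAR sessions, e.g. IAM users,
    the root user, or roles that lack the mandated prefix.
    """
    m = ASSUMED_ROLE_RE.match(arn)
    if not m:
        return None
    role = m.group("role")
    if global_prefix and not role.startswith(global_prefix):
        return None  # not created through a cloud access role
    return CarSession(
        account=m.group("account"),
        role_name=role,
        car_name=role[len(global_prefix):],
        username=m.group("session"),
    )


# Constructed sample identity ARNs (not taken from real CloudTrail events)
SAMPLE_ARNS = [
    "arn:aws:sts::111111111111:assumed-role/kion-finance-billing/jsmith",
    "arn:aws:sts::222222222222:assumed-role/kion-finance-billing/alee",
    "arn:aws:sts::111111111111:assumed-role/OrganizationAccountAccessRole/ops",
    "arn:aws:iam::111111111111:user/legacy-iam-user",
]


def sessions_by_car(arns, global_prefix):
    """Group (account, username) pairs by CAR name, skipping non-CAR identities."""
    out = {}
    for arn in arns:
        s = parse_car_session(arn, global_prefix)
        if s:
            out.setdefault(s.car_name, []).append((s.account, s.username))
    return out
```

Running `sessions_by_car(SAMPLE_ARNS, "kion-")` shows the finance CAR used from two accounts by two users, which is the cross-account view the OU-level role is meant to give you when reviewing who used billing access.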

Now that the cloud access role exists, you can log in to the AWS console and/or Azure portal using it. There are several Cloud Access menus throughout the application that let you select your CAR from a drop-down menu, but from the Cloud Access Roles subtab you're currently on, you can:

  1. Click Accounts > All Accounts.
  2. Click Cloud Access above the account you'd like to log into.
  3. Select the CAR from the drop-down.
  4. Select your access type. This will take you directly to the AWS console/Azure portal.

Note: If nothing happens when you log in, ensure you have disabled your popup blocker.
