> ## Documentation Index
> Fetch the complete documentation index at: https://docs.quiverstone.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Access Roles

> Deploy access roles so Quiverstone can securely operate inside your AWS Accounts

Access roles provide varying levels of permissions to AWS accounts, from read-only to full administrative access. Deploy these roles to enable Quiverstone to access and manage your AWS accounts.

## When to Use Access Roles

* Grant Quiverstone access to individual AWS accounts
* Configure specific permission levels (read-only, administrator, power user, etc.)
* Enable browser-based console access for interactive operations
* Deploy roles across multiple accounts using StackSets
* Provide day-to-day operational access to member accounts

## Browser Session Deployment

Browser Session is a deployment method where Quiverstone generates the AWS Console Switch Role link for your accounts.

<Steps>
  <Step title="Launch CloudFormation Template">
    Click the button below to launch the direct access role template in your AWS account:

    [    <img src="https://mintcdn.com/quiverstone/VPfcLjxCv7tUOPiQ/assets/stack.png?fit=max&auto=format&n=VPfcLjxCv7tUOPiQ&q=85&s=7735bb0827dba16381ad6a3824ec89ef" alt="Launch Stack" width="1000" height="250" data-path="assets/stack.png" />](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/quickcreate?templateURL=https://s3.us-east-2.amazonaws.com/assets.quiverstone.io/role-catalog/access/browser-access-role.yaml\&stackName=quiverstone-browser-access-role)
  </Step>

  <Step title="Configure Essential Parameters">
    **Role Name** (`pRoleName`): Name for the access role (Default: QuiverstoneBrowserAccess)

    <Warning>
      **Security Best Practice**: Change the default role name to a custom value unique to your organization. Using default role names makes it easier for unauthorized parties to discover and potentially target your roles.
    </Warning>

    **External ID**: Cannot be used with a browser switch role session

    **Permissions**: Enable the access levels you need (default is Read-Only)

    * `pIsReadOnlyAccess`: View all resources without making changes
    * `pIsAdministratorAccess`: Full administrative access
    * `pIsPowerUserAccess`: Full access except IAM and Organizations
    * Additional permission levels available in the template

    <Note>
      **Role Visibility Protection**: When deploying support or access roles, consider adding a deny policy to prevent non-administrative roles from viewing role permissions, trust policies, and External ID configurations. This prevents privilege escalation by limiting who can inspect role configurations. See the security recommendations section below for an example policy.
    </Note>
  </Step>

  <Step title="Create Stack">
    Review the parameters and create the CloudFormation stack. Wait for the stack to reach CREATE\_COMPLETE status.
  </Step>

  <Step title="BONUS: Launch CloudFormation STACKSET">
    Click the button below to launch the browser access role StackSet template to deploy to all accounts in your organization.

    [    <img src="https://mintcdn.com/quiverstone/VdFkI4-QICCLv9el/assets/stackset.png?fit=max&auto=format&n=VdFkI4-QICCLv9el&q=85&s=628cdbf133195eb7d08707b587d236c3" alt="Launch Stack" width="2048" height="512" data-path="assets/stackset.png" />](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/quickcreate?templateURL=https://s3.us-east-2.amazonaws.com/assets.quiverstone.io/role-catalog/access/browser-access-role-stackset.yaml\&stackName=stackset-quiverstone-browser-access-role)
  </Step>
</Steps>

<Note>
  For detailed deployment information including StackSets and all template variants, see the [Access Roles Reference](/setup/iam-roles/access).
</Note>

## Direct Access Deployment

Direct access is the simplest deployment method where Quiverstone directly assumes roles in your accounts.

<Steps>
  <Step title="Launch CloudFormation Template">
    Click the button below to launch the direct access role template in your AWS account:

    [    <img src="https://mintcdn.com/quiverstone/VPfcLjxCv7tUOPiQ/assets/stack.png?fit=max&auto=format&n=VPfcLjxCv7tUOPiQ&q=85&s=7735bb0827dba16381ad6a3824ec89ef" alt="Launch Stack" width="1000" height="250" data-path="assets/stack.png" />](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/quickcreate?templateURL=https://s3.us-east-2.amazonaws.com/assets.quiverstone.io/role-catalog/access/direct-access-role.yaml\&stackName=quiverstone-direct-access-role)
  </Step>

  <Step title="Configure Essential Parameters">
    **Role Name** (`pRoleName`): Name for the access role (Default: QuiverstoneDirectAccess)

    <Warning>
      **Security Best Practice**: Change the default role name to a custom value unique to your organization. Using default role names makes it easier for unauthorized parties to discover and potentially target your roles.
    </Warning>

    **External ID** (`pExternalId`): Security token for role assumption

    <Warning>
      **Required for Production**: Always configure an External ID for production deployments. This prevents confused deputy attacks and unauthorized role assumptions.

      * Generate a unique random string (minimum 32 characters)
      * Store securely - you'll need this when configuring Quiverstone
      * Never share or commit External IDs to version control
    </Warning>

    **Permissions**: Enable the access levels you need (default is Read-Only)

    * `pIsReadOnlyAccess`: View all resources without making changes
    * `pIsAdministratorAccess`: Full administrative access
    * `pIsPowerUserAccess`: Full access except IAM and Organizations
    * Additional permission levels available in the template

    <Note>
      **Role Visibility Protection**: When deploying support or access roles, consider adding a deny policy to prevent non-administrative roles from viewing role permissions, trust policies, and External ID configurations. This prevents privilege escalation by limiting who can inspect role configurations. See the security recommendations section below for an example policy.
    </Note>
  </Step>

  <Step title="Create Stack">
    Review the parameters and create the CloudFormation stack. Wait for the stack to reach CREATE\_COMPLETE status.
  </Step>

  <Step title="Copy Role ARN">
    From the stack Outputs tab, copy the role ARN (e.g., `arn:aws:iam::123456789012:role/QuiverstoneDirectAccess`)
  </Step>

  <Step title="Configure Quiverstone">
    In Quiverstone, add the account using:

    * Role ARN from the previous step
    * External ID you configured in the template
  </Step>

  <Step title="BONUS: Launch CloudFormation STACKSET">
    Click the button below to launch the direct access role StackSet template to deploy to all accounts in your organization.

    [    <img src="https://mintcdn.com/quiverstone/VdFkI4-QICCLv9el/assets/stackset.png?fit=max&auto=format&n=VdFkI4-QICCLv9el&q=85&s=628cdbf133195eb7d08707b587d236c3" alt="Launch Stack" width="2048" height="512" data-path="assets/stackset.png" />](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/quickcreate?templateURL=https://s3.us-east-2.amazonaws.com/assets.quiverstone.io/role-catalog/access/direct-access-role-stackset.yaml\&stackName=stackset-quiverstone-direct-access-role)
  </Step>
</Steps>

<Note>
  For detailed deployment information including StackSets and all template variants, see the [Access Roles Reference](/setup/iam-roles/access).
</Note>

## Chained Access Deployment

Chained access adds an intermediate security layer by routing role assumptions through a trusted account you control. Use this when security policies require additional controls beyond direct access.

<Warning>
  Chained access requires two deployments: first the intermediate role, then the destination access role. Deploy in this order.
</Warning>

<Steps>
  <Step title="Deploy Intermediate Role (First)">
    Deploy the intermediate role to your trusted/intermediate account:

    [    <img src="https://mintcdn.com/quiverstone/VPfcLjxCv7tUOPiQ/assets/stack.png?fit=max&auto=format&n=VPfcLjxCv7tUOPiQ&q=85&s=7735bb0827dba16381ad6a3824ec89ef" alt="Launch Stack" width="1000" height="250" data-path="assets/stack.png" />](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/quickcreate?templateURL=https://s3.us-east-2.amazonaws.com/assets.quiverstone.io/role-catalog/intermediate/trusted-intermediate-role.yaml\&stackName=quiverstone-trusted-intermediate-role)

    **Essential Parameters:**

    * **Role Name** (`pIntermediateRoleName`): Default is QuiverstoneTrustedIntermediate
      <Warning>Change this to a custom role name for enhanced security</Warning>
    * **External ID** (`pExternalId`): Generate unique random string (minimum 32 characters)
      <Warning>Required for production - never use default or empty values</Warning>
    * **Assume Role Scope** (`pAssumeRoleScope`): Use `specific-role-any-account` (recommended)
    * **Destination Role Name** (`pDestinationRoleName`): QuiverstoneChainedAccess
      <Warning>Change this to match your custom destination role name</Warning>

    <Note>
      If you already have an intermediate role deployed, you can reuse it. Skip to Step 2.
    </Note>

    Copy the intermediate role ARN and External ID from the stack outputs.
  </Step>

  <Step title="Deploy Chained Access Role (Second)">
    Deploy the chained access role to your target account(s):

    [    <img src="https://mintcdn.com/quiverstone/VPfcLjxCv7tUOPiQ/assets/stack.png?fit=max&auto=format&n=VPfcLjxCv7tUOPiQ&q=85&s=7735bb0827dba16381ad6a3824ec89ef" alt="Launch Stack" width="1000" height="250" data-path="assets/stack.png" />](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/quickcreate?templateURL=https://s3.us-east-2.amazonaws.com/assets.quiverstone.io/role-catalog/access/chained-access-role.yaml\&stackName=quiverstone-chained-access-role)

    **Essential Parameters:**

    * **Role Name** (`pChainedAccessRoleName`): Default is QuiverstoneChainedAccess
      <Warning>Change this to a custom role name for enhanced security</Warning>
    * **External ID** (`pExternalId`): Generate unique random string (can be different from intermediate)
      <Warning>Required for production - use a different value than the intermediate role External ID</Warning>
    * **Intermediate Account ID** (`pIntermediateAccountId`): Account ID where intermediate role is deployed
    * **Intermediate Role Name** (`pIntermediateRoleName`): Name of intermediate role (default: QuiverstoneTrustedIntermediate)
      <Warning>Update this if you changed the intermediate role name</Warning>
    * **Trust Principals** (`pTrustPrincipals`): Use `Named` for enhanced security (recommended)
    * **Permissions**: Enable the access levels you need (default is Read-Only)

    <Note>
      **Role Visibility Protection**: When deploying support or access roles, consider adding a deny policy to prevent non-administrative roles from viewing role permissions, trust policies, and External ID configurations. This prevents privilege escalation by limiting who can inspect role configurations. See the security recommendations section below for an example policy.
    </Note>

    Copy the chained access role ARN from the stack outputs.
  </Step>

  <Step title="Configure Quiverstone">
    In Quiverstone, configure chained access using:

    * Intermediate role ARN and External ID (from Step 1)
    * Destination role ARN and External ID (from Step 2)
  </Step>

  <Step title="BONUS: Launch CloudFormation STACKSET">
    Click the button below to launch the chained access role StackSet template to deploy to all accounts in your organization.

    [    <img src="https://mintcdn.com/quiverstone/VdFkI4-QICCLv9el/assets/stackset.png?fit=max&auto=format&n=VdFkI4-QICCLv9el&q=85&s=628cdbf133195eb7d08707b587d236c3" alt="Launch Stack" width="2048" height="512" data-path="assets/stackset.png" />](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/quickcreate?templateURL=https://s3.us-east-2.amazonaws.com/assets.quiverstone.io/role-catalog/access/chained-access-role-stackset.yaml\&stackName=stackset-quiverstone-chained-access-role)
  </Step>
</Steps>

<Note>
  For detailed deployment information including StackSets and all template variants, see the [Access Roles Reference](/setup/iam-roles/access).
</Note>

## Standalone Account Inventory Deployment

Standalone account inventory is a deployment method where Quiverstone can inventory details about a single account that is not part of an AWS Organization.

<Steps>
  <Step title="Launch CloudFormation Template">
    Click the button below to launch the direct access role template in your AWS account:

    [    <img src="https://mintcdn.com/quiverstone/VPfcLjxCv7tUOPiQ/assets/stack.png?fit=max&auto=format&n=VPfcLjxCv7tUOPiQ&q=85&s=7735bb0827dba16381ad6a3824ec89ef" alt="Launch Stack" width="1000" height="250" data-path="assets/stack.png" />](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/quickcreate?templateURL=https://s3.us-east-2.amazonaws.com/assets.quiverstone.io/role-catalog/inventory/standalone-account-inventory-role.yaml\&stackName=quiverstone-standalone-inventory-role)
  </Step>

  <Step title="Configure Essential Parameters">
    **Role Name** (`pRoleName`): Name for the access role (Default: QuiverstoneStandaloneAccountInventory)

    **External ID**: Cannot be used with a browser switch role session

    **Permissions**: Enable the access levels you need (default is Read-Only)

    * `pIsReadOnlyAccess`: View all resources without making changes
  </Step>

  <Step title="Create Stack">
    Review the parameters and create the CloudFormation stack. Wait for the stack to reach CREATE\_COMPLETE status.
  </Step>
</Steps>

<Note>
  For detailed deployment information including StackSets and all template variants, see the [Access Roles Reference](/setup/iam-roles/access).
</Note>

## Next Steps

* **Configure additional accounts**: Repeat the deployment process for other accounts
* **Adjust permissions**: Modify permission levels as needed for different accounts
* **Review security**: Ensure External IDs are stored securely
* **Test access**: Verify Quiverstone can assume the roles successfully

## Comprehensive Reference

For detailed information about all access role templates, deployment methods, security considerations, and troubleshooting, see the [Access Roles Reference](/setup/iam-roles/access).

## Security Recommendations

### Protecting Role Configurations from Inspection

When deploying support or access roles, it's important to prevent non-administrative roles from viewing role permissions, trust policies, and External ID configurations. This prevents tiered support teams and other roles from potentially escalating their own privileges by inspecting role configurations.

<Warning>
  **Privilege Escalation Risk**: If support or operational roles can view IAM role trust policies and permissions, they may be able to identify External IDs, understand trust relationships, and potentially escalate their privileges. Implementing role visibility restrictions is a critical security control.
</Warning>

### Example Deny Policy

Apply this policy to roles that should NOT be able to view sensitive role configurations:

```json theme={null}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRoleInspection",
      "Effect": "Deny",
      "Action": [
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListRolePolicies",
        "iam:ListAttachedRolePolicies"
      ],
      "Resource": [
        "arn:aws:iam::*:role/Quiverstone*",
        "arn:aws:iam::*:role/*Access*",
        "arn:aws:iam::*:role/*Support*"
      ]
    }
  ]
}
```

**YAML Format** (for CloudFormation):

```yaml theme={null}
DenyRoleInspectionPolicy:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: DenyRoleInspection
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Sid: DenyRoleInspection
          Effect: Deny
          Action:
            - iam:GetRole
            - iam:GetRolePolicy
            - iam:ListRolePolicies
            - iam:ListAttachedRolePolicies
          Resource:
            - arn:aws:iam::*:role/Quiverstone*
            - arn:aws:iam::*:role/*Access*
            - arn:aws:iam::*:role/*Support*
    Roles:
      - TieredSupportRole
      - OperationsRole
```

### Policy Explanation

* **DenyRoleInspection**: Prevents viewing role details, trust policies, and attached policies
* **Resource Patterns**: Adjust the patterns to match your custom role names
  * `Quiverstone*`: Matches all roles starting with "Quiverstone"
  * `*Access*`: Matches roles containing "Access"
  * `*Support*`: Matches roles containing "Support"
* **Actions Denied**:
  * `iam:GetRole`: Prevents viewing role details including trust policy
  * `iam:GetRolePolicy`: Prevents viewing inline policies
  * `iam:ListRolePolicies`: Prevents listing inline policies
  * `iam:ListAttachedRolePolicies`: Prevents listing managed policies

### Implementation Recommendations

1. **Apply to Support Roles**: Attach this deny policy to all tiered support and operational roles
2. **Customize Resource Patterns**: Update the resource ARN patterns to match your custom role names
3. **Exclude Administrative Roles**: Do NOT apply this policy to roles that legitimately need to manage IAM
4. **Test Thoroughly**: Verify the policy doesn't block legitimate operations
5. **Document Exceptions**: Clearly document which roles are exempt and why

### Additional Security Controls

* **Use Custom Role Names**: Change default role names to make discovery harder
* **Rotate External IDs**: Periodically rotate External IDs according to your security policy
* **Monitor Role Assumptions**: Set up CloudWatch alarms for unusual role assumption patterns
* **Implement SCPs**: Use Service Control Policies to enforce organizational security requirements
* **Regular Access Reviews**: Periodically review who has access to view IAM roles
