Summary
This message is for Kion (cloudtamer) users.
Kion (cloudtamer) will finish its Identity Management System (IDMS) migration to Okta by removing the legacy Active Directory (AD) configuration. This is the second and final phase of the migration that began on March 9, 2026, when Okta became the primary login method.
Kion (cloudtamer) will also introduce a new, separate AD configuration. The new configuration is exclusively reserved for a limited number of existing service accounts and is not available for general user or team use. If your team currently relies on an AD service account for Kion (cloudtamer) access, contact #kion-cloudtamer-support on Slack to determine if the account is eligible for the new configuration.
Users and teams who have not yet migrated to kion-cli must do so before Saturday, August 1, 2026, to avoid access disruption.
Impact
After the AD removal
- ctkey is deprecated (end of life) for all authentication methods.
- The AD username and password (--idms=2) no longer function for general users.
- All users must use kion-cli with an Okta-generated App API (Application Programming Interface) key or username and password.
- Only existing AD service accounts retain any form of AD access under the new limited configuration.
What stops working
| Tool/Method | Status after Phase 2 |
| --- | --- |
| ctkey (AD) | Deprecated (end of life) |
| ctkey --idms=2 (AD username and password) | Stops working |
| ctkey --idms=5 (Okta) | Invalid; Security Assertion Markup Language (SAML) unsupported |
| Kion App API keys generated with AD credentials | Invalid |
What continues working
| Tool/Method | Status after Phase 2 |
| --- | --- |
| kion-cli with Okta App API key (interactive/local) | Fully supported |
| kion-cli --idms=5 (interactive/local use) | Fully supported |
| Kion API with Okta-generated App API key (automation/scripting) | Recommended for automation |
| App API keys generated with Okta login | Fully supported |
| Web user interface (UI) login through Okta | No change |
| Existing AD service accounts | No disruption |
Action Required
Before Saturday, August 1, 2026, users must complete all required steps on the Kion-Okta Migration Checklist based on their current Kion (cloudtamer) usage status. Please complete:
- Section A if you use Kion (cloudtamer) interactively (local machine, web console access).
- Section B if you have any automation, scripts, or continuous integration/continuous deployment (CI/CD) pipelines that use Kion (cloudtamer).
- Section C if your team manages shared service accounts or AD service users.
- Section D as a final verification checklist for all users.
Note: These instructions are particularly important for ctkey users. Users who only interface with the Kion (cloudtamer) UI may not need to complete these steps.
Migration Overview
The following list is an overview of the migration steps. Follow the detailed instructions in the Kion-Okta Migration Checklist.
- Replace usage of ctkey with kion-cli.
- Generate a new App API key using your Okta login.
- Update all scripts and automation.
- For automation and scripting, use the Kion (cloudtamer) API directly; do not embed the kion-cli binary in repositories or pipelines. Committing binaries to source control is a security and maintenance risk.
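To find what needs updating, the following added example (not part of this notice or of the Kion tooling) scans a repository for the ctkey invocations listed under "What stops working" and for a committed kion-cli binary. The sample tree in `demo()` is constructed; matching a space after `--idms` and treating a file with a NUL byte as binary are assumptions of this sketch.

```python
import re
import tempfile
from pathlib import Path

# First match wins, so the specific --idms rules precede the bare ctkey rule.
# Statuses are taken from the "What stops working" table in this notice.
RULES = [
    (re.compile(r"\bctkey\b.*--idms[=\s]2\b"), "ctkey --idms=2 (AD username and password): stops working"),
    (re.compile(r"\bctkey\b.*--idms[=\s]5\b"), "ctkey --idms=5 (Okta): invalid, SAML unsupported"),
    (re.compile(r"\bctkey\b"), "ctkey: deprecated (end of life)"),
]
BINARY_FINDING = "kion-cli binary committed: call the Kion API from automation instead"


def is_binary(path):
    """Assumed heuristic: a NUL byte in the first 4 KiB means a binary file."""
    with path.open("rb") as fh:
        return b"\0" in fh.read(4096)


def scan(root):
    """Return (relative_path, line_number, finding) tuples for files under root."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        if ".git" in rel.parts:
            continue  # skip repository metadata
        if is_binary(path):
            if path.name.startswith("kion-cli"):
                findings.append((rel.as_posix(), 0, BINARY_FINDING))  # 0 = whole file
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for pattern, status in RULES:
                if pattern.search(line):
                    findings.append((rel.as_posix(), lineno, status))
                    break
    return findings


def demo():
    """Scan a constructed sample tree; file names and contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ci").mkdir()
        (root / "bin").mkdir()
        (root / "deploy.sh").write_text("#!/bin/sh\nctkey --idms=2\nkion-cli --idms=5\n")
        (root / "ci" / "login.sh").write_text("ctkey --idms=5\nctkey\n")
        (root / "bin" / "kion-cli").write_bytes(b"\x7fELF\x00\x00")
        return scan(root)
```

Call `scan("path/to/repo")` on a checkout to list each hit as a path, line number and status; the `kion-cli --idms=5` line in the sample is not reported because it remains supported for interactive use.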
Recommended Actions
- Set up App API key auto-rotation.
- Test all workflows before Saturday, August 1, 2026.
- Validate that all scripts, automation, and CI/CD pipelines function correctly with kion-cli and Okta-generated API keys before the AD reconfiguration takes effect.
Please see the following pages on cloud.cms.gov (CCG) for details:
Support
Do not wait until Saturday, August 1, 2026. Start your migration today to avoid disruption. For questions or concerns:
- Slack: Contact #kion-cloudtamer-support or mention @kion-cloudtamer-team.
- Jira: CMS Cloud Support Portal (enter Cloudtamer in the service field).
- Hosting Coordinator: Contact your assigned Hosting Coordinator for team-level migration planning.