Assets for Setting up AWS Role

A guide to establishing an AWS Role and Policy for use with CloudTruth.

In order for CloudTruth to access AWS resources, it is necessary to create a role associated with the CloudTruth Account ID as well as associated policies for the desired services (S3 and/or SSM).

Trusted Entity AWS Account ID

The CloudTruth Account ID is #811566399652. This ID is also shown as "CloudTruth Account #" at the top of the Integrations screen within the CloudTruth application. The following JSON snippet contains the trust relationship policy that allows the CloudTruth system to assume the role you create within your AWS account. Note that you'll have to replace the placeholder with the ExternalId value generated during setup on the CloudTruth integration page.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudtruthToAssumeRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::811566399652:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "GENERATED-EXTERNAL-ID-FROM-CLOUDTRUTH-INTEGRATION-PAGE"
        }
      }
    }
  ]
}

AWS S3 Policy

This JSON snippet contains the policy needed to grant CloudTruth access to S3 buckets.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketSelection",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "BucketAccess",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

AWS SSM Parameter Store Policy

The following JSON snippet contains the policy needed to grant CloudTruth read access to SSM Parameter Store.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ParameterAccess",
      "Action": [
        "ssm:DescribeParameters",
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
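The trust policy above is what stops anyone other than CloudTruth from assuming the role, and the sts:ExternalId condition is what stops a third party from pointing CloudTruth at your role (the confused-deputy case). The two permission policies grant read-only actions but on Resource "*". The following Python script is an added example, not CloudTruth's code or tooling: it checks a trust policy for the expected principal, action and ExternalId condition, flags permission statements that still use "*" as their Resource, and builds a version of the S3 policy above pinned to named buckets. The function names, the sample bucket name and the deliberately weak sample policy are constructed for illustration.

```python
"""Sanity checks for the IAM trust and permission policies shown above.

Added example, not part of CloudTruth's documentation or tooling. The
function names, the sample bucket names and the deliberately weak
sample trust policy are constructed for illustration.
"""
import json

CLOUDTRUTH_ACCOUNT_ID = "811566399652"  # value from the page
PLACEHOLDER_EXTERNAL_ID = "GENERATED-EXTERNAL-ID-FROM-CLOUDTRUTH-INTEGRATION-PAGE"


def _as_list(value):
    """IAM allows either a string or a list in Principal/Action/Resource fields."""
    return value if isinstance(value, list) else [value]


def build_trust_policy(external_id):
    """The page's trust relationship policy with a given ExternalId filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudtruthToAssumeRole",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{CLOUDTRUTH_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(policy):
    """Return findings for a role trust policy; an empty list means it is as expected.

    Expected: only the CloudTruth account may call sts:AssumeRole, and only
    when it presents the ExternalId generated on the integration page.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = (_as_list(principal.get("AWS", []))
                          if isinstance(principal, dict) else [principal])
        for p in aws_principals:
            if p == "*" or not p.startswith(f"arn:aws:iam::{CLOUDTRUTH_ACCOUNT_ID}:"):
                findings.append(f"unexpected principal {p!r}")
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"unexpected action {action!r}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        external_id = condition.get("sts:ExternalId")
        if external_id is None:
            findings.append("missing sts:ExternalId condition")
        elif external_id == PLACEHOLDER_EXTERNAL_ID:
            findings.append("sts:ExternalId still set to the placeholder value")
    return findings


def wildcard_resources(policy):
    """Sids of Allow statements whose Resource is '*' (candidates for scoping)."""
    return [stmt.get("Sid", "<no Sid>") for stmt in policy.get("Statement", [])
            if stmt.get("Effect") == "Allow"
            and "*" in _as_list(stmt.get("Resource", []))]


def scoped_s3_policy(bucket_names):
    """The page's S3 actions, limited to the named buckets.

    s3:ListAllMyBuckets is an account-level action and only works on '*';
    the bucket-level actions are pinned to bucket ARNs and s3:GetObject to
    the objects inside those buckets.
    """
    bucket_arns = [f"arn:aws:s3:::{name}" for name in bucket_names]
    object_arns = [f"arn:aws:s3:::{name}/*" for name in bucket_names]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "BucketSelection", "Effect": "Allow",
             "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
            {"Sid": "BucketAccess", "Effect": "Allow",
             "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
             "Resource": bucket_arns},
            {"Sid": "ObjectAccess", "Effect": "Allow",
             "Action": ["s3:GetObject"], "Resource": object_arns},
        ],
    }


if __name__ == "__main__":
    # Constructed inputs: the page's policy before and after filling in the ID,
    # and a scoped S3 policy for a made-up bucket name.
    print(check_trust_policy(build_trust_policy(PLACEHOLDER_EXTERNAL_ID)))
    print(check_trust_policy(build_trust_policy("example-external-id")))
    print(json.dumps(scoped_s3_policy(["acme-app-config"]), indent=2))
    print(wildcard_resources(scoped_s3_policy(["acme-app-config"])))
```

Run it against the JSON you are about to paste into the console (json.load the file and pass the dict to check_trust_policy). The same scoping idea applies to the SSM policy: ssm:DescribeParameters needs "*", but the Get* actions accept parameter ARNs such as arn:aws:ssm:REGION:ACCOUNT:parameter/PATH/*.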

Using the AWS Console to give CloudTruth access

The following steps provide a guide for creating the role and policy needed for CloudTruth access via the AWS Console.

Go to the IAM console

https://console.aws.amazon.com/iam/home

Create a Role

Click on Roles in the left navigation

Click on Create role

Choose "Another AWS Account"

Type in the CloudTruth Account ID. Check "Require external ID..." and supply the external ID generated during the CloudTruth AWS integration setup, then click Next: Permissions

Click Next: Review

Type in the Role name that you used in the CloudTruth account setup, and click Create Role

Add a policy to the Role

Click the role that was created for CloudTruth access

Click Add inline policy

Click JSON Tab

Paste in the JSON policy for the service you need (the S3 and/or SSM Parameter Store policy above) and click Review Policy

Type in a name for the policy and click Create Policy

Setup is now complete for both Roles and Policies. If you've created an AWS integration within CloudTruth, it should now show a "Connected" status, and you can begin creating Parameter values that reference your AWS resources.

Use Terraform to give CloudTruth access

The following Terraform code can be used to generate the role and associated policies needed for both S3 and SSM Parameter Store access. See the module documentation for further customization.

module "grant-cloudtruth-access" {
  source = "github.com/cloudtruth/terraform-cloudtruth-access"

  role_name   = "name-the-role-as-desired-matches-that-on-cloudtruth-integration-page"
  external_id = "generated-external-id-from-cloudtruth-integration-page"
}