For CloudTruth to access AWS resources, you must create an IAM role in your AWS account that trusts the CloudTruth AWS account, together with a permissions policy for each service you want to expose (S3 and/or SSM Parameter Store).
The CloudTruth Account ID is 811566399652. This ID is also shown as "CloudTruth Account #" at the top of the Integrations screen within the CloudTruth application. The JSON below is the trust relationship policy that allows the CloudTruth system to assume the role you create within your AWS account. Replace the placeholder ExternalId value with the external ID generated on the CloudTruth integration page during setup. The sts:ExternalId condition is what prevents a third party who merely knows your role ARN from getting CloudTruth to assume the role on their behalf (the confused-deputy problem), so do not omit it, and treat the external ID as a secret shared only with CloudTruth.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudtruthToAssumeRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::811566399652:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "GENERATED-EXTERNAL-ID-FROM-CLOUDTRUTH-INTEGRATION-PAGE"
        }
      }
    }
  ]
}
This JSON snippet contains the permissions policy needed to grant CloudTruth read access to S3 buckets. As written it allows reading every bucket in the account; s3:ListAllMyBuckets only works with Resource "*", but you can tighten the BucketAccess statement to the specific bucket and object ARNs CloudTruth needs (for example "arn:aws:s3:::my-config-bucket" and "arn:aws:s3:::my-config-bucket/*"). If objects are encrypted with a customer-managed KMS key, the role will also need kms:Decrypt on that key.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketSelection",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "BucketAccess",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
This JSON snippet contains the permissions policy needed to grant CloudTruth read access to SSM Parameter Store. ssm:DescribeParameters requires Resource "*", but the Get* actions can be scoped to a parameter path ARN (for example "arn:aws:ssm:REGION:ACCOUNT:parameter/myapp/*") if you do not want CloudTruth to read every parameter in the account. SecureString parameters additionally require kms:Decrypt on the key that encrypts them.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ParameterAccess",
      "Action": [
        "ssm:DescribeParameters",
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
The following steps provide a guide for creating the role and policy needed for CloudTruth access via the AWS Console.
1. Open the IAM console: https://console.aws.amazon.com/iam/home
2. Click Roles in the left navigation.
3. Click Create role.
4. Choose "Another AWS account".
5. Type in the CloudTruth Account ID (811566399652). Check "Require external ID..." and supply the external ID generated during the CloudTruth AWS integration setup, then click Next: Permissions. The console generates the trust policy shown above from these two values.
6. Click Next: Review.
7. Type in the Role name that you used in the CloudTruth account setup, and click Create role.
8. Click the role that was created for CloudTruth access.
9. Click Add inline policy.
10. Click the JSON tab.
11. Paste in the S3 and/or SSM permissions policy from above (not the trust policy) and click Review policy.
12. Type in a name for the policy and click Create policy.
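The trust and permissions documents above, plus an audit of an existing trust policy, as an added Python example that is not part of the CloudTruth documentation or the CloudTruth Terraform module. It builds the same trust policy the console wizard generates, emits least-privilege variants of the S3 and SSM policies scoped to named buckets and a parameter path (tighter than the page's Resource "*"), and checks a trust policy document for the two mistakes that matter most: a wildcard or wrong principal, and a missing or mismatched sts:ExternalId. The bucket name, region, account ID and external ID in the sample run are constructed placeholders.

```python
"""Build and audit the IAM documents for the CloudTruth AWS integration (added example)."""
import json

CLOUDTRUTH_ACCOUNT_ID = "811566399652"  # from the CloudTruth Integrations screen


def trust_policy(external_id, account_id=CLOUDTRUTH_ACCOUNT_ID):
    """Trust policy letting the CloudTruth account assume the role, gated on the external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudtruthToAssumeRole",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def s3_policy(buckets):
    """Read-only S3 access scoped to the named buckets instead of every bucket in the account."""
    bucket_arns = [f"arn:aws:s3:::{b}" for b in buckets]
    return {
        "Version": "2012-10-17",
        "Statement": [
            # ListAllMyBuckets is account-wide and only accepts Resource "*".
            {"Sid": "BucketSelection", "Effect": "Allow",
             "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
            # Bucket-level actions use the bucket ARN; GetObject uses the object ARN (bucket/*).
            {"Sid": "BucketAccess", "Effect": "Allow",
             "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject"],
             "Resource": bucket_arns + [a + "/*" for a in bucket_arns]},
        ],
    }


def ssm_policy(region, account_id, path_prefix):
    """Read-only Parameter Store access scoped to one parameter path (assumed layout: /app/...)."""
    prefix = path_prefix.strip("/")
    return {
        "Version": "2012-10-17",
        "Statement": [
            # DescribeParameters does not support resource-level permissions.
            {"Sid": "ParameterDiscovery", "Effect": "Allow",
             "Action": ["ssm:DescribeParameters"], "Resource": "*"},
            {"Sid": "ParameterAccess", "Effect": "Allow",
             "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
             "Resource": f"arn:aws:ssm:{region}:{account_id}:parameter/{prefix}/*"},
        ],
    }


def audit_trust_policy(doc, expected_external_id, account_id=CLOUDTRUTH_ACCOUNT_ID):
    """Return a list of findings for every Allow sts:AssumeRole statement; empty means OK."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        principals = [principals] if isinstance(principals, str) else (principals or [])
        if principal == "*" or "*" in principals:
            findings.append(f"{sid}: principal is '*' (any AWS account could assume the role)")
        elif not principals or not all(account_id in p for p in principals):
            findings.append(f"{sid}: principal is not the CloudTruth account {account_id}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"{sid}: no sts:ExternalId condition (confused-deputy risk)")
        elif ext != expected_external_id:
            findings.append(f"{sid}: sts:ExternalId does not match the integration page")
    return findings


if __name__ == "__main__":
    # Constructed placeholders; substitute your own values.
    ext_id = "EXAMPLE-EXTERNAL-ID"
    print(json.dumps(trust_policy(ext_id), indent=2))
    print(json.dumps(s3_policy(["my-config-bucket"]), indent=2))
    print(json.dumps(ssm_policy("us-east-1", "123456789012", "/myapp/"), indent=2))
    # A trust policy pasted in without the external ID condition is flagged.
    weak = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::811566399652:root"},
        "Action": "sts:AssumeRole"}]}
    print(audit_trust_policy(weak, ext_id))
```

Write the three documents to files and apply them with the AWS CLI instead of the console: aws iam create-role --role-name ROLE --assume-role-policy-document file://trust.json, then aws iam put-role-policy --role-name ROLE --policy-name cloudtruth-read --policy-document file://policy.json. After the role exists, aws iam get-role --role-name ROLE returns the live trust document under AssumeRolePolicyDocument, which can be fed to audit_trust_policy to confirm the external ID condition survived any later edits.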
Setup is now complete for both the role and its policies. If you've created an AWS integration within CloudTruth, it should now show a "Connected" status, and you can begin creating Parameter values that reference your AWS resources. If the status does not change, re-check that the role name and external ID entered in CloudTruth match the role exactly.
The following Terraform code can be used to generate the role and associated policies needed for both S3 and SSM Parameter Store access. See the module documentation for further customization.
module "grant-cloudtruth-access" {
  source      = "github.com/cloudtruth/terraform-cloudtruth-access"
  # Must match the role name entered on the CloudTruth integration page.
  role_name   = "name-the-role-as-desired-matches-that-on-cloudtruth-integration-page"
  # Generated on the CloudTruth integration page; keep it out of version control.
  external_id = "generated-external-id-from-cloudtruth-integration-page"
}