AWS Role

In order for CloudTruth to access AWS resources, it is necessary to create a role associated with the CloudTruth Account ID as well as the associated inline policies for the desired AWS integrations.

We give you three methods for setting up your AWS role.

• Method 1:

• Method 2:

• Method 3:

The CloudTruth Account ID 609878994716 is provided to AWS when creating the CloudTruth AWS role and authorizes CloudTruth to work with your AWS account. This ID is also shown as CloudTruth Account # at the top of the AWS Integrations screen within the .

Use CloudFormation to give CloudTruth access

Prerequisites

• User-provided AWS_INTEGRATION_ROLE_NAME (IAM role that you'll create for CloudTruth to have access to AWS) for the AWS account.

AWS CloudTruth Integration

Before running the CloudFormation stack, you'll need to create the AWS integration. The integration will sit in a pending state until the CloudFormation stack is created.

Log into CloudTruth and go to Integrations --> AWS

Click the blue Add AWS Account button.

Add in the following information:

• AWS Account ID: The ID of your organizations AWS account

• Role Name: The role name that you're going to use when running the CloudFormation template (coming up in the next section).

• Select S3, Secrets Manager, and SSM Parameter Store for CloudTruth to have access to those services in AWS.

Copy the External ID from the pending CloudTruth AWS Integration. You'll use the External ID in the next section when running the CloudFormation stack.

CloudFormation Stack Creation

The following AWS cli command will use the CloudFormation template to create an AWS Role providing CloudTruth AWS integration access with inline policies for S3, SSM, and Secrets Manager.

• Update the EXTERNAL_ID_FROM_CLOUDTRUTH from the pending CloudTruth AWS account creation.

• Update the integration AWS_INTEGRATION_ROLE_NAME value.

aws cloudformation create-stack --stack-name CloudTruthIntegration \
--template-url https://cloudtruth-production-packages.s3.amazonaws.com/cloudformation/cloudtruth-access/cloudTruth_AWS_access.json \
--capabilities CAPABILITY_NAMED_IAM \
--parameters ParameterKey=CloudTruthExternalId,ParameterValue=EXTERNAL_ID_FROM_CLOUDTRUTH ParameterKey=CloudTruthRoleName,ParameterValue=AWS_INTEGRATION_ROLE_NAME

CloudFormation Template Repo

Use Terraform to give CloudTruth access

Prerequisites

• External ID from CloudTruth AWS Integration

• User provided AWS_INTEGRATION_ROLE_NAME for the AWS account.

• Create a working directory for Terraform

• Create a main.tf file and copy the following code snippet.

provider "aws" {
}

module "grant_cloudtruth_access" {
  source = "github.com/cloudtruth/terraform-cloudtruth-access"

  role_name = "name-the-role-as-desired-matches-that-on-cloudtruth-integration-page"
  external_id = "generated-external-id-from-cloudtruth-integration-page"
  services_enabled = ["s3", "ssm", "secrets"]
}

  services_write_enabled = ["s3", "ssm", "secrets"]

• Update the AWS role_name value.

• Update the external_id from the pending CloudTruth AWS account creation.

• Run terraform init.

• Run terraform apply and provide a region.

Using the AWS Console to give CloudTruth access

The following steps provide a guide for creating the AWS role needed for CloudTruth access via the AWS Console.

Prerequisites

• External ID from CloudTruth AWS Integration

• User provided AWS_INTEGRATION_ROLE_NAME for the AWS account.

Go to the IAM console

Create an AWS Role

Click on Roles in the left navigation.

Click on Create role.

Select Another AWS Account.

Enter the CloudTruth Account ID 609878994716.

Check the option Require external ID and supply the CloudTruth Generated External ID from the pending integration setup then Click Next:Permissions.

Click Next: Tags.

Click Next: Review.

Enter the Role name that you used in the CloudTruth account setup, and click Create Role.

Inline Policies