Copyright© 2023 CloudTruth
AWS Role

A guide to establishing a CloudTruth AWS Role.


Last updated 11 months ago


In order for CloudTruth to access AWS resources, it is necessary to create a role associated with the CloudTruth Account ID as well as the associated inline policies for the desired AWS integrations.

We give you three methods for setting up your AWS role:

  • Method 1: CloudFormation

  • Method 2: Terraform

  • Method 3: AWS Console

The CloudTruth Account ID 609878994716 is provided to AWS when creating the CloudTruth AWS role and authorizes CloudTruth to work with your AWS account. This ID is also shown as CloudTruth Account # at the top of the AWS Integrations screen within the CloudTruth application.

Use CloudFormation to give CloudTruth access

Prerequisites

  • AWS CLI with an appropriate AWS credential Access Key.

  • User-provided AWS_INTEGRATION_ROLE_NAME (the IAM role that you'll create so that CloudTruth can access AWS) for the AWS account.

  • External ID from the CloudTruth AWS Integration. CloudTruth provides the required External ID when marking an AWS integration as Pending.

AWS CloudTruth Integration

Before running the CloudFormation stack, you'll need to create the AWS integration. The integration will sit in a pending state until the CloudFormation stack is created.

Log into CloudTruth and go to Integrations --> AWS

Click the blue Add AWS Account button.

Add in the following information:

  • AWS Account ID: The ID of your organization's AWS account.

  • Role Name: The role name that you're going to use when running the CloudFormation template (coming up in the next section).

  • Select S3, Secrets Manager, and SSM Parameter Store for CloudTruth to have access to those services in AWS.

Copy the External ID from the pending CloudTruth AWS Integration. You'll use the External ID in the next section when running the CloudFormation stack.

CloudFormation Stack Creation

The following AWS CLI command uses the CloudFormation template to create an AWS Role that gives CloudTruth integration access, with inline policies for S3, SSM, and Secrets Manager.

  • Replace EXTERNAL_ID_FROM_CLOUDTRUTH with the External ID from the pending CloudTruth AWS account creation.

  • Replace AWS_INTEGRATION_ROLE_NAME with your integration role name.

aws cloudformation create-stack --stack-name CloudTruthIntegration \
--template-url https://cloudtruth-production-packages.s3.amazonaws.com/cloudformation/cloudtruth-access/cloudTruth_AWS_access.json \
--capabilities CAPABILITY_NAMED_IAM \
--parameters ParameterKey=CloudTruthExternalId,ParameterValue=EXTERNAL_ID_FROM_CLOUDTRUTH ParameterKey=CloudTruthRoleName,ParameterValue=AWS_INTEGRATION_ROLE_NAME

The AWS_INTEGRATION_ROLE_NAME provided must match the Role Name for the CloudTruth AWS account being created, as outlined in the screenshot below.

CloudFormation Template Repo: GitHub - cloudtruth/cloudformation-cloudtruth-access

Use Terraform to give CloudTruth access

Prerequisites

  • Terraform CLI.

  • AWS CLI with an appropriate AWS credential Access Key.

  • External ID from the CloudTruth AWS Integration. CloudTruth provides the required External ID when marking an AWS integration as Pending.

  • User-provided AWS_INTEGRATION_ROLE_NAME for the AWS account.

The following Terraform code generates the AWS role and the associated policies needed for S3, Secrets Manager and SSM Parameter Store access. See the module documentation (terraform-cloudtruth-access) for further customization.

  • Create a working directory for Terraform.

  • Create a main.tf file and copy the following code snippet.

provider "aws" {
}

module "grant_cloudtruth_access" {
  source = "github.com/cloudtruth/terraform-cloudtruth-access"

  role_name = "name-the-role-as-desired-matches-that-on-cloudtruth-integration-page"
  external_id = "generated-external-id-from-cloudtruth-integration-page"
  services_enabled = ["s3", "ssm", "secrets"]
}

To configure write access policies for Push Actions, add the following inside the module block in main.tf:

  services_write_enabled = ["s3", "ssm", "secrets"]

  • Update the AWS role_name value.

  • Update the external_id from the pending CloudTruth AWS account creation.

The AWS_INTEGRATION_ROLE_NAME provided as role_name must match the Role Name for the CloudTruth AWS account being created, as outlined in the screenshot below.

  • Run terraform init.

  • Run terraform apply and provide a region.

Your CloudTruth AWS Role and selected inline policies are now configured and can be viewed in AWS IAM Roles.

Using the AWS Console to give CloudTruth access

The following steps provide a guide for creating the AWS role needed for CloudTruth access via the AWS Console.

Prerequisites

  • External ID from CloudTruth AWS Integration

  • User provided AWS_INTEGRATION_ROLE_NAME for the AWS account.

Go to the IAM console (https://console.aws.amazon.com/iam/home).

Create an AWS Role

Click on Roles in the left navigation.

Click on Create role.

Select Another AWS Account.

Enter the CloudTruth Account ID 609878994716.

Check the option Require external ID, supply the CloudTruth Generated External ID from the pending integration setup, then click Next: Permissions.

CloudTruth provides the required External ID when marking an AWS integration as Pending.

Click Next: Tags.

Click Next: Review.

Enter the Role name that you used in the CloudTruth account setup, and click Create Role.

The AWS_INTEGRATION_ROLE_NAME provided must match the Role Name for the CloudTruth AWS account being created, as outlined in the screenshots below.
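All three methods above end up with the same trust relationship on the role: only the CloudTruth account may assume it, and only when it presents the External ID from the pending integration. The following is an added example, not CloudTruth's template or module code; it builds that trust policy and audits an existing one (for instance the AssumeRolePolicyDocument printed by aws iam get-role --role-name AWS_INTEGRATION_ROLE_NAME) so you can confirm the External ID condition was not left out. The function names and the sample External ID are assumptions.

```python
import json

# CloudTruth's AWS account ID, as given on this page.
CLOUDTRUTH_ACCOUNT_ID = "609878994716"


def build_trust_policy(external_id: str) -> dict:
    """Trust policy equivalent to the console steps above: the CloudTruth
    account is the only principal, and sts:AssumeRole is allowed only
    when the caller supplies the External ID from the pending integration."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{CLOUDTRUTH_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    # IAM allows a bare value or a list in most positions; normalise to a list.
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc, external_id: str) -> list:
    """Return findings for an existing trust policy document (dict or JSON
    string). An empty list means every Allow statement is scoped to the
    CloudTruth account and requires the expected External ID."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    findings = []
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        # Principal may be {"AWS": ...} or the wildcard string "*".
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for arn in arns:
            if CLOUDTRUTH_ACCOUNT_ID not in str(arn):
                findings.append(f"statement {i}: unexpected principal {arn}")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
        elif external_id not in _as_list(cond["sts:ExternalId"]):
            findings.append(f"statement {i}: External ID does not match the pending integration")
    return findings
```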

Inline Policies

To complete setup you will create inline policies in your new IAM Role for each selected integration: S3, Parameter Store (SSM), and Secret Store.
