Setting up an AWS Role

A guide to establishing a CloudTruth AWS Role.

In order for CloudTruth to access AWS resources, it is necessary to create a role associated with the CloudTruth Account ID as well as the associated inline policies for the desired AWS integrations.

We give you three methods for setting up your AWS role.

The CloudTruth Account ID 609878994716 is provided to AWS when creating the CloudTruth AWS role and authorizes CloudTruth to work with your AWS account. This ID is also shown as CloudTruth Account # at the top of the AWS Integrations screen within the CloudTruth application.

Use CloudFormation to give CloudTruth access

Prerequisites

  • User-provided AWS_INTEGRATION_ROLE_NAME (IAM role that you'll create for CloudTruth to have access to AWS) for the AWS account.

CloudTruth provides the required External ID when marking an AWS integration as Pending.

AWS CloudTruth Integration

Before running the CloudFormation stack, you'll need to create the AWS integration. The integration will sit in a pending state until the CloudFormation stack is created.

Log into CloudTruth and go to Integrations --> AWS

Click the blue Add AWS Account button.

Add in the following information:

  • AWS Account ID: The ID of your organization's AWS account

  • Role Name: The role name that you're going to use when running the CloudFormation template (coming up in the next section).

  • Select S3, Secrets Manager, and SSM Parameter Store for CloudTruth to have access to those services in AWS.

Copy the External ID from the pending CloudTruth AWS Integration. You'll use the External ID in the next section when running the CloudFormation stack.

CloudFormation Stack Creation

The following AWS cli command will use the CloudFormation template to create an AWS Role providing CloudTruth AWS integration access with inline policies for S3, SSM, and Secrets Manager.

Execute the following aws cloudformation create-stack command:

  • Update the EXTERNAL_ID_FROM_CLOUDTRUTH from the pending CloudTruth AWS account creation.

  • Update the integration AWS_INTEGRATION_ROLE_NAME value.

aws cloudformation create-stack --stack-name CloudTruthIntegration \
--template-url https://cloudtruth-production-packages.s3.amazonaws.com/cloudformation/cloudtruth-access/cloudTruth_AWS_access.json \
--capabilities CAPABILITY_NAMED_IAM \
--parameters ParameterKey=CloudTruthExternalId,ParameterValue=EXTERNAL_ID_FROM_CLOUDTRUTH ParameterKey=CloudTruthRoleName,ParameterValue=AWS_INTEGRATION_ROLE_NAME

The AWS_INTEGRATION_ROLE_NAME provided must match the Role Name for the CloudTruth AWS account being created, as outlined in the screenshot below.

CloudFormation Template Repo

Use Terraform to give CloudTruth access

Prerequisites

CloudTruth provides the required External ID when marking an AWS integration as Pending.

The following Terraform code can be used to generate the AWS role and associated policies needed for S3, Secrets Manager and SSM Parameter Store access. See the module documentation for further customization.

  • Create a working directory for Terraform

  • Create a main.tf file and copy the following code snippet.

provider "aws" {
}

module "grant_cloudtruth_access" {
  source = "github.com/cloudtruth/terraform-cloudtruth-access"

  role_name = "name-the-role-as-desired-matches-that-on-cloudtruth-integration-page"
  external_id = "generated-external-id-from-cloudtruth-integration-page"
  services_enabled = ["s3", "ssm", "secrets"]
}

To configure write access policies for Push Actions, add the following line inside the module block in main.tf:

  services_write_enabled = ["s3", "ssm", "secrets"]

  • Update the AWS role_name value.

  • Update the external_id from the pending CloudTruth AWS account creation.

The role_name provided must match the Role Name for the CloudTruth AWS account being created, as outlined in the screenshot below.

  • Run terraform init.

  • Run terraform apply and provide a region.

Your CloudTruth AWS Role and selected inline policies are now configured and can be viewed in AWS IAM Roles.

Using the AWS Console to give CloudTruth access

The following steps provide a guide for creating the AWS role needed for CloudTruth access via the AWS Console.

Prerequisites

  • External ID from CloudTruth AWS Integration

  • User provided AWS_INTEGRATION_ROLE_NAME for the AWS account.

Go to the IAM console

Create an AWS Role

Click on Roles in the left navigation.

Click on Create role.

Select Another AWS Account.

Enter the CloudTruth Account ID 609878994716.

Check the option Require external ID and supply the CloudTruth-generated External ID from the pending integration setup, then click Next: Permissions.

CloudTruth provides the required External ID when marking an AWS integration as Pending.

Click Next: Tags.

Click Next: Review.

Enter the Role name that you used in the CloudTruth account setup, and click Create Role.

The AWS_INTEGRATION_ROLE_NAME provided must match the Role Name for the CloudTruth AWS account being created, as outlined in the screenshots below.
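As an added example (not CloudTruth's own code), the following Python builds the trust policy that the "Another AWS Account" and "Require external ID" steps above produce, and audits an existing trust document (for example the AssumeRolePolicyDocument returned by aws iam get-role) for the two controls this guide relies on: the only trusted principal is the CloudTruth account and sts:ExternalId is required. Function names and the sample external ID are assumptions.

```python
import json

CLOUDTRUTH_ACCOUNT_ID = "609878994716"  # CloudTruth Account ID given in this guide
ASSUME_ROLE = "sts:AssumeRole"


def build_trust_policy(external_id: str, account_id: str = CLOUDTRUTH_ACCOUNT_ID) -> dict:
    """Trust policy equivalent to 'Another AWS Account' + 'Require external ID' in the console."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": ASSUME_ROLE,
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def audit_trust_policy(policy: dict, expected_external_id: str,
                       account_id: str = CLOUDTRUTH_ACCOUNT_ID) -> list:
    """Return findings (empty list means the trust policy matches what the guide requires)."""
    findings, grants_assume = [], False
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for i, st in enumerate(statements):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or not any(a in (ASSUME_ROLE, "sts:*", "*") for a in actions):
            continue
        grants_assume = True
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in ([aws] if isinstance(aws, str) else aws):
            if p == "*" or account_id not in p:  # anyone, or an account other than CloudTruth
                findings.append(f"statement {i}: principal {p!r} is not the CloudTruth account")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:  # missing external ID: confused-deputy protection is absent
            findings.append(f"statement {i}: missing sts:ExternalId condition")
        elif ext != expected_external_id:
            findings.append(f"statement {i}: sts:ExternalId does not match the pending integration")
    if not grants_assume:
        findings.append("no Allow statement grants sts:AssumeRole")
    return findings


if __name__ == "__main__":
    # Constructed sample external ID; use the one from your pending integration.
    doc = build_trust_policy("example-external-id-from-cloudtruth")
    print(json.dumps(doc, indent=2))
    print("findings:", audit_trust_policy(doc, "example-external-id-from-cloudtruth"))
```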

Inline Policies

To complete setup you will create inline policies in your new IAM Role for each selected Integration.

Copyright© 2023 CloudTruth