AWS Role
A guide to establishing a CloudTruth AWS Role.
Last updated
Copyright© 2023 CloudTruth
In order for CloudTruth to access AWS resources, it is necessary to create a role associated with the CloudTruth Account ID as well as the associated inline policies for the desired AWS integrations.
We give you three methods for setting up your AWS role.
Method 1: CloudFormation
Method 2: Terraform
Method 3: AWS Console
The CloudTruth Account ID 609878994716 is provided to AWS when creating the CloudTruth AWS role and authorizes CloudTruth to work with your AWS account. This ID is also shown as CloudTruth Account # at the top of the AWS Integrations screen within the CloudTruth application.
AWS CLI with an appropriate AWS credential Access Key
User-provided AWS_INTEGRATION_ROLE_NAME (IAM role that you'll create for CloudTruth to have access to AWS) for the AWS account.
CloudTruth provides the required External ID when marking an AWS integration as Pending.
Before running the CloudFormation stack, you'll need to create the AWS integration. The integration will sit in a pending state until the CloudFormation stack is created.
Log into CloudTruth and go to Integrations --> AWS.
Click the blue Add AWS Account button.
Add in the following information:
AWS Account ID: The ID of your organization's AWS account.
Role Name: The role name that you're going to use when running the CloudFormation template (coming up in the next section).
Select S3, Secrets Manager, and SSM Parameter Store for CloudTruth to have access to those services in AWS.
Copy the External ID from the pending CloudTruth AWS Integration. You'll use the External ID in the next section when running the CloudFormation stack.
The following AWS CLI command will use the CloudFormation template to create an AWS Role providing CloudTruth AWS integration access with inline policies for S3, SSM, and Secrets Manager.
Execute the following aws cloudformation create-stack command:
Update the EXTERNAL_ID_FROM_CLOUDTRUTH value with the External ID from the pending CloudTruth AWS account creation.
Update the AWS_INTEGRATION_ROLE_NAME value.
The AWS_INTEGRATION_ROLE_NAME provided must match the Role Name for the CloudTruth AWS account being created, as outlined in the screenshot below.
AWS CLI with an appropriate AWS credential Access Key
External ID from CloudTruth AWS Integration
User-provided AWS_INTEGRATION_ROLE_NAME for the AWS account.
CloudTruth provides the required External ID when marking an AWS integration as Pending.
The following Terraform code can be used to generate the AWS role and associated policies needed for S3, Secrets Manager, and SSM Parameter Store access. See the module documentation for further customization.
Create a working directory for Terraform.
Create a main.tf file and copy the following code snippet.
To configure write access policies for Push Actions, add the following to the main.tf:
Update the AWS role_name value.
Update the external_id value with the External ID from the pending CloudTruth AWS account creation.
The AWS_INTEGRATION_ROLE_NAME provided must match the Role Name for the CloudTruth AWS account being created, as outlined in the screenshot below.
Run terraform init.
Run terraform apply and provide a region.
Your CloudTruth AWS Role and selected inline policies are now configured and can be viewed in AWS IAM Roles.
The following steps provide a guide for creating the AWS role needed for CloudTruth access via the AWS Console.
External ID from CloudTruth AWS Integration
User-provided AWS_INTEGRATION_ROLE_NAME for the AWS account.
Click on Roles in the left navigation.
Click on Create role.
Select Another AWS Account.
Enter the CloudTruth Account ID 609878994716.
Check the option Require external ID and supply the CloudTruth Generated External ID from the pending integration setup, then click Next: Permissions.
CloudTruth provides the required External ID when marking an AWS integration as Pending.
Click Next: Tags.
Click Next: Review.
Enter the Role name that you used in the CloudTruth account setup, and click Create Role.
The AWS_INTEGRATION_ROLE_NAME provided must match the Role Name for the CloudTruth AWS account being created, as outlined in the screenshots below.
To complete setup, you will create inline policies in your new IAM Role for each selected Integration.
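All three methods above (CloudFormation, Terraform, Console) produce the same thing: an IAM role whose trust policy lets the CloudTruth account 609878994716 assume it only when the External ID from the pending integration is presented, plus inline policies for the services you selected. The script below is an added example, not CloudTruth's CloudFormation template or Terraform module. It builds that trust policy, builds hypothetical read-only inline policies for S3, Secrets Manager and SSM Parameter Store (the action lists are this example's assumptions, not the actions CloudTruth's own template grants), prints the aws iam commands that would apply them, and includes an audit function you can run over a role's existing trust policy (for instance the output of aws iam get-role) to confirm that the External ID condition is actually present. The role name and External ID in main() are placeholders.

```python
# Added example (not CloudTruth's CloudFormation template or Terraform module):
# builds the trust policy and example inline policies for the CloudTruth
# integration role, and audits a trust policy for the External ID condition.
import json
from typing import Optional

CLOUDTRUTH_ACCOUNT_ID = "609878994716"  # CloudTruth Account ID from this guide


def trust_policy(external_id: str, cloudtruth_account: str = CLOUDTRUTH_ACCOUNT_ID) -> dict:
    """Trust policy for the role: only the CloudTruth account may assume it, and
    only when it presents the External ID copied from the pending integration.
    The sts:ExternalId condition is what prevents a confused-deputy scenario in
    which some other CloudTruth customer points CloudTruth at your role ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{cloudtruth_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def read_only_policy(actions: list) -> dict:
    """Minimal inline policy document granting only the listed actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}],
    }


# Hypothetical read-only inline policies, one per integration selected in the
# CloudTruth UI. The action lists are assumptions made for this example; check
# CloudTruth's template for the actions it actually requires (Push Actions need write).
INLINE_POLICIES = {
    "cloudtruth-s3-read": read_only_policy(
        ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject"]),
    "cloudtruth-secretsmanager-read": read_only_policy(
        ["secretsmanager:ListSecrets", "secretsmanager:DescribeSecret",
         "secretsmanager:GetSecretValue"]),
    "cloudtruth-ssm-read": read_only_policy(
        ["ssm:DescribeParameters", "ssm:GetParameter", "ssm:GetParameters",
         "ssm:GetParametersByPath"]),
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc: dict, expected_account: str = CLOUDTRUTH_ACCOUNT_ID,
                       expected_external_id: Optional[str] = None) -> list:
    """Return findings for a role's trust policy; an empty list means it is as
    expected. Catches a wildcard or wrong-account principal and the classic
    misconfiguration of a cross-account role created without an External ID."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)
        if not principals:
            continue  # service-principal statements are out of scope here
        for p in principals:
            if p == "*":
                findings.append("wildcard principal: any AWS account may assume the role")
            elif p != expected_account and f":{expected_account}:" not in p:
                findings.append(f"unexpected principal {p}")
        external_ids = _as_list(
            stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId", []))
        if not external_ids:
            findings.append("missing sts:ExternalId condition (confused-deputy risk)")
        elif expected_external_id is not None and expected_external_id not in external_ids:
            findings.append("sts:ExternalId does not match the pending integration")
    return findings


def main():
    role_name = "AWS_INTEGRATION_ROLE_NAME"      # placeholder: Role Name entered in CloudTruth
    external_id = "EXTERNAL_ID_FROM_CLOUDTRUTH"  # placeholder: copied from the pending integration
    with open("trust.json", "w") as f:
        json.dump(trust_policy(external_id), f, indent=2)
    print(f"aws iam create-role --role-name {role_name} "
          f"--assume-role-policy-document file://trust.json")
    for name, doc in INLINE_POLICIES.items():
        with open(f"{name}.json", "w") as f:
            json.dump(doc, f, indent=2)
        print(f"aws iam put-role-policy --role-name {role_name} "
              f"--policy-name {name} --policy-document file://{name}.json")
    print("audit:", audit_trust_policy(trust_policy(external_id), expected_external_id=external_id) or "ok")


if __name__ == "__main__":
    main()
```

Running the script writes the policy documents to the current directory and prints the aws iam create-role and put-role-policy commands that would create the same role the CloudFormation, Terraform and Console methods produce. The audit function is the part worth keeping around: a cross-account role that trusts 609878994716 without the External ID condition is exactly the confused-deputy exposure the Require external ID checkbox in the Console method is there to prevent.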