# CloudFormation

## Creating a CloudTruth Access IAM Role via CloudFormation

### Prerequisites

* [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) with an appropriate [AWS credential Access Key](https://console.aws.amazon.com/iam/home#/security_credentials)
* User-provided **`AWS_INTEGRATION_ROLE_NAME`** (IAM role that you'll create for CloudTruth to have access to AWS) for the AWS account.

{% hint style="info" %}
CloudTruth provides the required **External ID** when marking an AWS integration as Pending.

* [Parameter Store (SSM)](/configuration-management/integrations/aws/parameter-store-ssm.md)
* [S3](/configuration-management/integrations/aws/s3.md)
* [Secret Store](/configuration-management/integrations/aws/secrets-manager.md)
{% endhint %}

#### AWS CloudTruth Integration

Before running the CloudFormation stack, you'll need to create the AWS integration. The integration will sit in a `pending` state until the CloudFormation stack is created.

Log into CloudTruth and go to **Integrations --> AWS**

Click the blue **Add AWS Account** button.

![](/files/Iqree27KBOX1ycUjwzMG)

Add in the following information:

* AWS Account ID: The ID of your organization's AWS account.
* Role Name: The role name that you're going to use when running the CloudFormation template (coming up in the next section).
* Select S3, Secrets Manager, and SSM Parameter Store for CloudTruth to have access to those services in AWS.

![](/files/SWU2pwSCoplHuUFz6xhC)

Copy the `External ID` from the pending CloudTruth AWS Integration. You'll use the `External ID` in the next section when running the CloudFormation stack.

#### CloudFormation Stack Creation

The following AWS CLI command uses the CloudFormation template to create an IAM role that grants CloudTruth AWS integration access, with inline policies for S3, SSM, and Secrets Manager.

Execute the following [aws cloudformation create-stack](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudformation/create-stack.html) command:

* Replace `EXTERNAL_ID_FROM_CLOUDTRUTH` with the External ID from the pending CloudTruth AWS account creation.
* Replace `AWS_INTEGRATION_ROLE_NAME` with the integration role name.

```bash
aws cloudformation create-stack --stack-name CloudTruthIntegration \
  --template-url https://cloudtruth-production-packages.s3.amazonaws.com/cloudformation/cloudtruth-access/cloudTruth_AWS_access.json \
  --capabilities CAPABILITY_NAMED_IAM \
  --parameters ParameterKey=CloudTruthExternalId,ParameterValue=EXTERNAL_ID_FROM_CLOUDTRUTH \
               ParameterKey=CloudTruthRoleName,ParameterValue=AWS_INTEGRATION_ROLE_NAME
```

{% hint style="warning" %}
The `AWS_INTEGRATION_ROLE_NAME` provided must match the Role Name for the CloudTruth AWS account being created, as outlined in the screenshot below.
{% endhint %}

![](/files/6nvRM2Wu1dMGBKPOwvkB)
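Once the stack is created, it is worth confirming that the role's trust policy actually binds `sts:AssumeRole` to the External ID you copied from the pending integration, since that condition is what stops a third party from assuming the role with CloudTruth's account as an unwitting proxy. The check below is an added example, not CloudTruth's template or tooling; the trust policy shape it expects (a named principal plus a `StringEquals` condition on `sts:ExternalId`) is an assumption about the template, and the sample documents and account ID are constructed placeholders. Feed it the live document from `aws iam get-role --role-name AWS_INTEGRATION_ROLE_NAME --query Role.AssumeRolePolicyDocument --output json`.

```python
"""Post-deployment check on the trust policy of the role the stack created.

Confirms that sts:AssumeRole is granted only to a named principal and only
when the caller presents the External ID from the pending integration.
Added example; the expected policy shape is an assumption, not the template.
"""
import copy


def _as_list(value):
    # IAM allows scalars or lists in most policy fields; normalise to a list.
    return value if isinstance(value, list) else [value]


def assume_role_statements(doc):
    """Yield every Allow statement that grants sts:AssumeRole."""
    for stmt in _as_list(doc.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and any(
            a in ("sts:AssumeRole", "sts:*", "*") for a in actions
        ):
            yield stmt


def check_trust_policy(doc, expected_external_id):
    """Return a list of findings; an empty list means the policy is as expected."""
    findings = []
    stmts = list(assume_role_statements(doc))
    if not stmts:
        findings.append("no Allow statement grants sts:AssumeRole")
    for stmt in stmts:
        principal = stmt.get("Principal")
        if principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
        ):
            findings.append("wildcard principal may assume the role")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("no sts:ExternalId condition on AssumeRole")
        elif expected_external_id not in _as_list(ext):
            findings.append(f"sts:ExternalId {ext!r} != {expected_external_id!r}")
    return findings


# Constructed sample documents (placeholder account id, not CloudTruth's real one).
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL_ID_FROM_CLOUDTRUTH"}}}]}
BAD = copy.deepcopy(GOOD)            # same role, but the External ID guard is missing
del BAD["Statement"][0]["Condition"]
```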

#### CloudFormation Template Repo

{% embed url="https://github.com/cloudtruth/cloudformation-cloudtruth-access" %}
