Setting up an AWS Role
A guide to establishing a CloudTruth AWS Role.
In order for CloudTruth to access AWS resources, it is necessary to create a role associated with the CloudTruth Account ID as well as the associated inline policies for the desired AWS integrations.
We give you three methods for setting up your AWS role.
The CloudTruth Account ID 609878994716 is provided to AWS when creating the CloudTruth AWS role and authorizes CloudTruth to work with your AWS account. This ID is also shown as CloudTruth Account # at the top of the AWS Integrations screen within the CloudTruth application.
- User-provided AWS_INTEGRATION_ROLE_NAME (the IAM role that you'll create for CloudTruth to have access to AWS) for the AWS account.
CloudTruth provides the required External ID when marking an AWS integration as Pending.
Before running the CloudFormation stack, you'll need to create the AWS integration. The integration will sit in a pending state until the CloudFormation stack is created.
Log into CloudTruth and go to Integrations --> AWS.
Click the blue Add AWS Account button.

Add in the following information:
- AWS Account ID: The ID of your organization's AWS account.
- Role Name: The role name that you're going to use when running the CloudFormation template (coming up in the next section).
- Select S3, Secrets Manager, and SSM Parameter Store for CloudTruth to have access to those services in AWS.

Copy the External ID from the pending CloudTruth AWS Integration. You'll use the External ID in the next section when running the CloudFormation stack.
The following AWS CLI command will use the CloudFormation template to create an AWS Role providing CloudTruth AWS integration access with inline policies for S3, SSM, and Secrets Manager.
- Update EXTERNAL_ID_FROM_CLOUDTRUTH with the External ID from the pending CloudTruth AWS account creation.
- Update the integration AWS_INTEGRATION_ROLE_NAME value.
aws cloudformation create-stack --stack-name CloudTruthIntegration \
--template-url https://cloudtruth-production-packages.s3.amazonaws.com/cloudformation/cloudtruth-access/cloudTruth_AWS_access.json \
--capabilities CAPABILITY_NAMED_IAM \
--parameters ParameterKey=CloudTruthExternalId,ParameterValue=EXTERNAL_ID_FROM_CLOUDTRUTH ParameterKey=CloudTruthRoleName,ParameterValue=AWS_INTEGRATION_ROLE_NAME
The AWS_INTEGRATION_ROLE_NAME provided must match the Role Name for the CloudTruth AWS account being created, as outlined in the screenshot below.
- External ID from CloudTruth AWS Integration
- User-provided AWS_INTEGRATION_ROLE_NAME for the AWS account.
CloudTruth provides the required External ID when marking an AWS integration as Pending.
The following Terraform code can be used to generate the AWS role and associated policies needed for S3, Secrets Manager, and SSM Parameter Store access. See the module documentation for further customization.
- Create a working directory for Terraform.
- Create a main.tf file and copy the following code snippet.
provider "aws" {
}

module "grant_cloudtruth_access" {
  source = "github.com/cloudtruth/terraform-cloudtruth-access"

  # Must match the Role Name entered on the CloudTruth integration page.
  role_name = "name-the-role-as-desired-matches-that-on-cloudtruth-integration-page"

  # External ID generated by CloudTruth for the pending integration.
  external_id = "generated-external-id-from-cloudtruth-integration-page"

  # Services the role may read from, and those it may also write to.
  services_enabled       = ["s3", "ssm", "secrets"]
  services_write_enabled = ["s3", "ssm", "secrets"]
}
- Update the AWS role_name value.
- Update the external_id from the pending CloudTruth AWS account creation.
The AWS_INTEGRATION_ROLE_NAME provided must match the Role Name for the CloudTruth AWS account being created, as outlined in the screenshot below.
- Run terraform init.
- Run terraform apply and provide a region.
Your CloudTruth AWS Role and selected inline policies are now configured and can be viewed in AWS IAM Roles.
The following steps provide a guide for creating the AWS role needed for CloudTruth access via the AWS Console.
- External ID from CloudTruth AWS Integration
- User-provided AWS_INTEGRATION_ROLE_NAME for the AWS account.
Click on Roles in the left navigation.
Click on Create role.
Select Another AWS Account.
Enter the CloudTruth Account ID 609878994716.
Check the option Require external ID and supply the CloudTruth Generated External ID from the pending integration setup, then click Next: Permissions.
CloudTruth provides the required External ID when marking an AWS integration as Pending.
Click Next: Tags.
Click Next: Review.
Enter the Role name that you used in the CloudTruth account setup, and click Create Role.
The AWS_INTEGRATION_ROLE_NAME provided must match the Role Name for the CloudTruth AWS account being created, as outlined in the screenshots below.

To complete setup you will create inline policies in your new IAM Role for each selected Integration.
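Whichever of the three methods you used, the resulting role's trust policy should name only the CloudTruth account (609878994716) and require the External ID from the pending integration; the External ID condition is what stops an unrelated party from asking CloudTruth to assume your role. The following is an added example, not CloudTruth's own code: it builds that trust policy document and audits one retrieved from IAM (for example the AssumeRolePolicyDocument returned by aws iam get-role). The expected External ID and the sample weak policy in main are constructed placeholders.

```python
import json

# CloudTruth Account ID as stated on this page.
CLOUDTRUTH_ACCOUNT_ID = "609878994716"


def build_trust_policy(external_id: str) -> dict:
    """Trust policy equivalent to the console steps above: trust the
    CloudTruth account and require the External ID on sts:AssumeRole."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{CLOUDTRUTH_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def audit_trust_policy(policy: dict, expected_external_id: str) -> list:
    """Return findings for a decoded trust policy; an empty list means OK."""
    findings = []
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # single-statement form
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principals = stmt.get("Principal", {})
        aws = principals.get("AWS", []) if isinstance(principals, dict) else principals
        aws = [aws] if isinstance(aws, str) else aws
        for p in aws:  # anything other than the CloudTruth account is a finding
            if p == "*" or CLOUDTRUTH_ACCOUNT_ID not in p:
                findings.append(f"unexpected principal: {p}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("sts:ExternalId condition missing (confused-deputy risk)")
        elif ext != expected_external_id:
            findings.append("sts:ExternalId does not match the pending integration")
    return findings


if __name__ == "__main__":
    # Constructed example: a role that trusts the right account but forgot the External ID.
    weak = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": f"arn:aws:iam::{CLOUDTRUTH_ACCOUNT_ID}:root"}}]}
    print(json.dumps(build_trust_policy("EXTERNAL_ID_PLACEHOLDER"), indent=2))
    print(audit_trust_policy(weak, "EXTERNAL_ID_PLACEHOLDER"))
```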