When you try to connect AWS to Trelica you will be asked for an AWS account ID and region name. This article shows you how to find these and configure AWS to grant Trelica minimal access.
Setting up the integration in Amazon Web Services
Delegated access which requires an AWS IAM role to be configured for a trusted AWS account with an external ID is AWS's recommended approach when granting access to 3rd parties. One notable benefit is it mitigates against the confused deputy problem.
In order to delegate access to your AWS account, you'll need to configure an AWS IAM role with the relevant permissions as described below:
Creating an AWS IAM role to delegate access to a trusted AWS account
Login to https://console.aws.amazon.com as a root user, or a user with the ability to create new profiles and IAM accounts.
Navigate to IAM > Roles and click Create role.
For Trusted entity type select AWS account.
For An AWS account select Another AWS account and input 377450845233
as the Account ID. This is Trelica's AWS account ID.
For Options, check Require external ID and input your Trelica organization ID as the External ID, followed by clicking Next.
Finding your external ID to be required when assuming the role
You can find your Trelica organization ID by opening the user menu and clicking on your name to navigate to your Profile page.
From the Profile page you can then copy your Organization ID from the bottom of the page, to be used as your External ID in AWS.
Creating a policy to define AWS permissions for the role
After inputting the AWS account ID and external ID and clicking Next, you're required to add permissions. For this step click Create policy.
The quickest way to get started is to use the JSON tab and to paste in a policy.
The policy actions will depend on which AWS services you wish to grant access to:
Service | Action |
---|---|
Amazon Cognito |
|
Amazon Connect |
|
AWS IAM | iam:ListUsers |
AWS Organizations | organizations:ListAccounts |
If you want to flip back to the Visual editor then you can fine-tune or amend the policy but using the supplied JSON is a good starting point:
{% code title="trelicaAwsPolicy.json" %}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cognito-idp:ListUserPools",
"cognito-idp:ListUsers",
"connect:DescribeUser",
"connect:ListInstances",
"connect:ListSecurityProfiles",
"connect:ListUsers",
"ds:DescribeDirectories",
"iam:ListUsers",
"organizations:ListAccounts"
],
"Resource": "*"
}
]
}
{% endcode %}
Once you are done, click the Next: Tags button. There's no need add tags unless you have a specific need to do so.
Click Next: Review to move to the next step where you can name the policy. This name isn't significant to Trelica so name it as you wish.
After clicking Create policy, navigate back to creating the role where you can refresh the available policies and check the policy you have just created to assign it.
Click Next to move to the next step where you can name the role. It is important that you name the role TrelicaIntegration
. This name must be used for Trelica's integration to request access via the expected role.
Connecting to AWS from Trelica
Login to Trelica and find the Amazon Web Services integration under Admin > Integrations.
Click Connect, followed by inputting your AWS account ID and selecting your Region name.
Your AWS account ID can be found by opening the account menu in the top-right of AWS, followed by clicking the button next to the Account ID.
Organizaton accounts are stored globally - unless you are in a specific cloud (e.g. government) just choose US East (N. Virginia)
**** for the Region name, but the specific Region name is important if you are connecting to a service like Amazon Connect.
If you're unsure of the region you are using then navigate to the Amazon Connect service and click on one of your instances:
Now you can see the region in the Instance ARN:
You can also check the AWS documentation about Amazon Connect regions.
Setting up and connecting using long-term access keys
Using long-term access keys is now deprecated, but if you've previously connected to AWS from Trelica, you may have used long-term access keys (which required creating an AWS IAM user for the integration to use). Trelica now recommends the previously described approach of configuring an AWS IAM role which can be used to delegate access to Trelica instead.
If you're not already using delegated access, you can disconnect and reconnect the integration in Trelica once you've completed the above setup steps.
Comments
0 comments
Please sign in to leave a comment.