Amazon Web Services

When you try to connect AWS to Trelica you will be asked for an AWS account ID and region name. This article shows you how to find these and configure AWS to grant Trelica minimal access.


Delegated access, which requires an AWS IAM role to be configured for a trusted AWS account with an external ID, is AWS's recommended approach when granting access to third parties. One notable benefit is that it mitigates the confused deputy problem.

In order to delegate access to your AWS account, you'll need to configure an AWS IAM role with the relevant permissions as described below.

Getting started

The first step is to log in to https://console.aws.amazon.com as a root user, or as a user with permission to create new IAM policies and roles.

Once you're logged in, go to the Identity and Access Management (IAM) service:

Creating a policy

When we create the new IAM role we need to assign a policy. It's easiest to create the policy first.

It's simplest to use the JSON editor.

The JSON below is a good starting point:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cognito-idp:ListUserPools",
        "cognito-idp:ListUsers",
        "connect:DescribeUser",
        "connect:ListInstances",
        "connect:ListSecurityProfiles",
        "connect:ListUsers",
        "ds:DescribeDirectories",
        "iam:ListUsers",
        "organizations:ListAccounts",
        "workspaces:DescribeWorkspaces",
        "workspaces:DescribeWorkspacesConnectionStatus",
        "workspaces:DescribeTags",
        "workspaces:StartWorkspaces",
        "workspaces:StopWorkspaces",
        "workspaces:TerminateWorkspaces"
      ],
      "Resource": "*"
    }
  ]
}

To paste this in:

  1. Choose JSON
  2. Paste in your JSON (Ctrl V or ⌘ V)
  3. Click Actions
  4. Choose Optimize for readability (or size - either option will tidy the JSON)

The policy actions will depend on which AWS services you wish to grant access to. Remove the actions for any service you do not use.

Service             Action
Amazon Cognito      cognito-idp:ListUserPools
                    cognito-idp:ListUsers
Amazon Connect      connect:ListInstances
                    connect:ListSecurityProfiles
                    connect:ListUsers
                    connect:DescribeUser
                    ds:DescribeDirectories
AWS IAM             iam:ListUsers
AWS Organizations   organizations:ListAccounts
AWS WorkSpaces      workspaces:DescribeWorkspaces
                    workspaces:DescribeWorkspacesConnectionStatus
                    workspaces:DescribeTags

                    Only required if you want to execute actions from Trelica workflows:
                    workspaces:StartWorkspaces
                    workspaces:StopWorkspaces
                    workspaces:TerminateWorkspaces

If you want to flip back to the Visual editor then you can fine-tune or amend the policy.

Once you are done, click Next.

Give the policy a meaningful name (e.g. 'TrelicaCognito').

There's no need to add tags unless you have a specific need to do so.

Click Create policy.

Creating an AWS IAM role to delegate access to a trusted AWS account

Go to IAM > Roles and click Create role.

For Trusted entity type select AWS account.

For An AWS account select Another AWS account and input 377450845233 as the Account ID. This is Trelica's AWS account ID.

Under Options, check Require external ID and input your Trelica organization ID as the External ID, followed by clicking Next.

Finding your Trelica organization ID

You can find your Trelica organization ID by opening the profile menu at the top-right and clicking on Profile.

From the Profile page you can then copy your Organization ID from the bottom of the page. This is used as your External ID in AWS.

Assign the policy to the new role

After entering the AWS account ID and external ID and clicking Next, you're required to add permissions.

Select the Trelica policy you created earlier.

Click Next to move to the next step where you can name the role. It must be called TrelicaIntegration.

If you use a different name for the role, Trelica will not be able to connect to AWS.

Click Create role.
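As an added example (not Trelica's or AWS's own code), the script below checks the two policy documents that make up the role you have just created: the permissions policy from this article, and the trust policy that the IAM console writes when you pick "Another AWS account" and tick "Require external ID". The trust policy's shape is assumed here to match what the console generates, with Trelica's account ID taken from this article and EXTERNAL_ID as a placeholder for your Trelica organization ID. It reports anything that widens the grant beyond what the integration needs, and confirms that only Trelica's account can assume the role and only when it presents your external ID, which is the confused-deputy mitigation described above.

```python
"""Added example, not Trelica's or AWS's code: a stand-alone check of the
TrelicaIntegration role built in the steps above.

PERMISSIONS_POLICY is the policy from this article. TRUST_POLICY is the
document the IAM console writes for a trusted "Another AWS account" with
"Require external ID" ticked; that shape is assumed here, and EXTERNAL_ID
is a placeholder for your Trelica organization ID."""

TRELICA_ACCOUNT_ID = "377450845233"           # Trelica's AWS account ID (from the article)
EXTERNAL_ID = "YOUR-TRELICA-ORGANIZATION-ID"  # placeholder: paste your organization ID here

# Actions from the article, split so the check can tell read-only from workflow actions.
READ_ONLY_ACTIONS = {
    "cognito-idp:ListUserPools", "cognito-idp:ListUsers",
    "connect:DescribeUser", "connect:ListInstances",
    "connect:ListSecurityProfiles", "connect:ListUsers",
    "ds:DescribeDirectories", "iam:ListUsers", "organizations:ListAccounts",
    "workspaces:DescribeWorkspaces", "workspaces:DescribeWorkspacesConnectionStatus",
    "workspaces:DescribeTags",
}
WORKFLOW_ACTIONS = {  # only needed if Trelica workflows will act on WorkSpaces
    "workspaces:StartWorkspaces", "workspaces:StopWorkspaces", "workspaces:TerminateWorkspaces",
}

PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": sorted(READ_ONLY_ACTIONS | WORKFLOW_ACTIONS),
                   "Resource": "*"}],
}

# Assumed shape of the console-generated trust policy for the TrelicaIntegration role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{TRELICA_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}


def _as_list(value):
    """IAM allows a bare string where a list is expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, trusted_account=TRELICA_ACCOUNT_ID, external_id=EXTERNAL_ID):
    """Findings for every Allow statement that lets someone assume the role.

    An empty result means only the trusted account can assume it, and only
    when it presents the expected external ID (the confused-deputy mitigation)."""
    findings = []
    ok_principals = {trusted_account, f"arn:aws:iam::{trusted_account}:root"}
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in principals:
            if p not in ok_principals:
                findings.append(f"principal {p!r} may assume the role; expected only {trusted_account}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("no sts:ExternalId condition: the role is not protected against a confused deputy")
        elif ext != external_id:
            findings.append(f"sts:ExternalId is {ext!r}, expected {external_id!r}")
    return findings


def check_permissions_policy(doc, workflows_enabled=True):
    """Findings for grants beyond the article's list: wildcards, extra actions, NotAction."""
    allowed = READ_ONLY_ACTIONS | (WORKFLOW_ACTIONS if workflows_enabled else set())
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("NotAction/NotResource grants everything not listed; use Action/Resource")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"wildcard action {action!r} grants more than the integration needs")
            elif action not in allowed:
                findings.append(f"action {action!r} is not needed by the integration")
    return findings


if __name__ == "__main__":
    for name, findings in (("trust policy", check_trust_policy(TRUST_POLICY)),
                           ("permissions policy", check_permissions_policy(PERMISSIONS_POLICY))):
        print(name, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

To check the role as it actually exists in your account, replace the two constants with the documents shown on the role's Trust relationships and Permissions tabs (or the JSON returned by the IAM API) and run the script; pass workflows_enabled=False if you did not grant the WorkSpaces start/stop/terminate actions, so that any leftover mutating action is reported.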

Connecting to AWS from Trelica

Login to Trelica and find the Amazon Web Services integration under Admin > Integrations.

Click Connect, followed by inputting your AWS account ID and selecting your Region name.

Your AWS account ID can be found by opening the account menu in the top-right of AWS, followed by clicking the button next to the Account ID.

Organization accounts are stored globally: unless you are in a specific cloud (e.g. government), just choose US East (N. Virginia) for the Region name. The specific Region name does matter if you are connecting to services such as Amazon Connect and WorkSpaces, for which you will be prompted to select the instance.

If you're unsure of the region you are using then navigate to the relevant service, e.g. Amazon Connect, and click on one of your instances:

Now you can see the region in the Instance ARN:

You can also check the AWS documentation about Amazon Connect regions.

Setting up and connecting using long-term access keys

Using long-term access keys is now deprecated. If you previously connected to AWS from Trelica, you may have used long-term access keys, which required creating an AWS IAM user for the integration to use. Trelica now recommends the approach described above: configuring an AWS IAM role that delegates access to Trelica instead.

If you're not already using delegated access, you can disconnect and reconnect the integration in Trelica once you've completed the above setup steps.
