IAM Role configuration for the AWS plugin

When adding a data source to SquaredUp for the AWS plugin, you have the option to authenticate by providing an AWS IAM Role in your account, which the plugin assumes during operation. This allows access to be granted without creating a user or user secrets. This configuration method requires the ARN of the Role and an External ID, both specified during Role creation.

How to create an IAM Role for the AWS plugin

Create a new role

  1. In AWS, navigate to IAM > Roles and click Create role.
  2. Do the following on the Select trusted entity page:
    1. Select AWS account from the Trusted entity type section.
    2. Select the Another AWS account option from the An AWS account section and enter one of the following in the Account ID field, depending on your region:
      • US region (app.squaredup.com): 755262121079
      • European region (eu.app.squaredup.com): 674331230786
    3. Select the Require external ID check box (it is recommended you use an external ID to provide additional security), then enter an ID in the External ID field. This is the value you enter when you add an AWS data source.
    4. Click Next.
  3. Do the following on the Add permissions page:
    1. Select the ReadOnlyAccess managed policy from the Permissions policies section.
    2. Click Next.
  4. Do the following on the Name, review, and create page:
    1. Enter a name for the role in the Role name field. For example, IAM_access_by_SquaredUp.
    2. Enter a description for the role in the Description field.
  5. Click Create role to complete the process.

Optional: Tighten trust policy

After creating the role, you can optionally choose to tighten the trust policy by doing the following.

  1. Select the Role you created on the Roles page.
  2. Select the Trust relationship tab and then click Edit trust policy.
  3. Update the Trust policy to one of the following based on the region in which you are using SquaredUp.

    If you copy and paste the following code, you must replace the placeholder value of sts:ExternalId (MySecretExternalId) with the External ID you entered when creating the role.

    • US region (app.squaredup.com):
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "755262121079"
                  },
                  "Action": "sts:AssumeRole",
                  "Condition": {
                      "StringEquals": {
                          "sts:ExternalId": "MySecretExternalId"
                      },
                      "StringLike": {
                          "aws:PrincipalArn": "arn:aws:iam::755262121079:role/*"
                      }
                  }
              }
          ]
      }
    • European region (eu.app.squaredup.com):
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "674331230786"
                  },
                  "Action": "sts:AssumeRole",
                  "Condition": {
                      "StringEquals": {
                          "sts:ExternalId": "MySecretExternalId"
                      },
                      "StringLike": {
                          "aws:PrincipalArn": "arn:aws:iam::674331230786:role/*"
                      }
                  }
              }
          ]
      }
  4. Click Update policy.
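
To confirm a saved trust policy matches the tightened form above, the following check can be run over the policy JSON. It is an added example, not SquaredUp's own code: the function names and the constructed External ID are assumptions, and it accepts the arn:aws:iam::<account>:root form in which IAM stores an account principal.

```python
import json

# Account IDs from this page, keyed by SquaredUp region.
SQUAREDUP_ACCOUNTS = {"us": "755262121079", "eu": "674331230786"}
PLACEHOLDER = "MySecretExternalId"  # placeholder value in the page's sample policy


def account_of(principal):
    """Account ID from a bare ID or from the arn:aws:iam::<id>:root form IAM stores."""
    return principal.split(":")[4] if principal.startswith("arn:aws:iam::") else principal


def audit_trust_policy(policy_json, region):
    """Return a list of findings; an empty list means the tightened form is in place."""
    expected = SQUAREDUP_ACCOUNTS[region]
    allow = [s for s in json.loads(policy_json)["Statement"] if s.get("Effect") == "Allow"]
    findings = [] if allow else ["policy has no Allow statement"]
    for stmt in allow:
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else [str(principal)]
        aws = [aws] if isinstance(aws, str) else aws
        if [account_of(p) for p in aws] != [expected]:
            findings.append("principal is not only the SquaredUp account for this region")
        cond = stmt.get("Condition", {})
        # Assumption: condition keys are spelled exactly as in the policies on this page.
        ext = cond.get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("sts:ExternalId condition is missing")
        elif ext == PLACEHOLDER:
            findings.append("sts:ExternalId is still the placeholder")
        arn = cond.get("StringLike", {}).get("aws:PrincipalArn")
        if arn != f"arn:aws:iam::{expected}:role/*":
            findings.append("aws:PrincipalArn is not limited to roles in the SquaredUp account")
    return findings


def sample_policy(account, external_id, tightened=True):
    """Constructed sample input in the shape of the policies on this page."""
    cond = {"StringEquals": {"sts:ExternalId": external_id}}
    if tightened:
        cond["StringLike"] = {"aws:PrincipalArn": f"arn:aws:iam::{account}:role/*"}
    stmt = {"Effect": "Allow", "Principal": {"AWS": account},
            "Action": "sts:AssumeRole", "Condition": cond}
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})


if __name__ == "__main__":
    print(audit_trust_policy(sample_policy("755262121079", PLACEHOLDER), "us"))
```

An empty list means the policy trusts only the SquaredUp account for the chosen region, requires a non-placeholder External ID, and restricts the caller to roles in that account.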
