Manually configuring an IAM Role for the AWS plugin

The recommended authentication method for the AWS plugin is IAM Role based authentication using the Create IAM Role button, which will generate the necessary credentials in AWS. However, you can choose to manually configure an IAM Role, and this article describes that process.

This configuration method requires the ARN for the Role and an External ID, specified during Role creation.

How to create an IAM Role for the AWS plugin

Create a new role

In AWS, navigate to IAM > Roles and click Create role.
Do the following on the Select trusted entity page:
1. Select AWS account from the Trusted entity type section.
2. Select the Another AWS account option from the An AWS account section and enter one of the following in the Account ID field, depending on your region:
  - US region (app.squaredup.com): 755262121079
  - European region (eu.app.squaredup.com): 674331230786
3. Select the Require external ID check box (it is recommended you use an external ID to provide additional security), then enter an ID in the External ID field. This is the value you enter when you add an AWS data source.
4. Click Next.
Do the following on the Add permissions page:
1. select the ReadonlyAccess managed policy from the Permissions policies section.
2. Click Next.
Do the following on the Name, review, and create page:
1. Enter a name for the role in the Role name field. For example, IAM_access_by_SquaredUp.
2. Enter a description for the role in the Description field.
Click Create role to complete the process.

Optional: Tighten trust policy

After creating the role, you can optionally choose to tighten the trust policy by doing the following.

Select the Role you created on the Roles page
Select the Trust relationship tab and then click Edit trust policy.

Update the Trust policy to one of the following based on the region in which you are using SquaredUp.

If you copy and paste the following code, you must replace the placeholder sts:ExternalId with the correct ExternalId.

US region (app.squaredup.com):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "755262121079"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "MySecretExternalId"
                },
                "StringLike": {
                    "aws:PrincipalArn": "arn:aws:iam::755262121079:role/*"
                }
            }
        }
    ]
}

European region (eu.app.squaredup.com):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "674331230786"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "MySecretExternalId"
                },
                "StringLike": {
                    "aws:PrincipalArn": "arn:aws:iam::674331230786:role/*"
                }
            }
        }
    ]
}

Click Update policy.

Was this article helpful?

Have more questions or facing an issue?

Submit a ticket