Authenticating to AWS from System Initiative
System Initiative provides a number of ways to authenticate to AWS.
Static Credentials
If you have generated static access keys for a user then you can set AWS_ACCESS_KEY_ID
and AWS_SECRET_ACCESS_KEY
directly in the AWS Credential
asset.
AWS SSO Credentials
If you have generated credentials via the command aws sso login
then you can set AWS_ACCESS_KEY_ID
, AWS_SECRET_ACCESS_KEY
and AWS_SESSION_TOKEN
directly in the AWS Credential
asset.
Assuming a Role
System Initiative has an AWS account dedicated to be able to assume a role in your organization. It has a single user in the account with permissions to do nothing except assume roles in other accounts. The ARN of the user is arn:aws:iam::058264381944:user/si-access-prod-manager
.
Every workspace has a unique token assigned to it at creation. It is accessible from within your workspace via the gear icon in the upper right. Please treat this as a secret.
You can create a role using the token and the arn above, with a trust relationship as below and attach any required permissions you want to give the role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS":"arn:aws:iam::058264381944:user/si-access-prod-manager"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "YOUR WORKSPACE TOKEN"
}
}
}
]
}
Take the arn of the role that you created and set that in the AssumeRole
field in the AWS Credential asset. You don’t need to set an access key or a secret access key. You can ensure it works by putting an AWS Credential on the asset, selecting the secret you created and it will validate your credentials.