AWS connection

When you create a connection to access AWS cloud resources, you must define the scope of the connection. An AWS connection can be scoped to include one or more accounts, including All accounts.

The DoiT console provides a step-by-step wizard to help you create an AWS connection.

Required permissions

To create an AWS connection, your DoiT account must have the CloudFlow Owner or CloudFlow Editor permission.

Setup

Once you have launched the wizard, you must set up the connection and specify the AWS accounts for which this connection determines permissions.

  1. Sign in to the DoiT console, select Operate from the top navigation bar, and then select CloudFlow.

  2. Select Connections.

  3. From the left-hand pane, select AWS.

  4. Select Create connection.

  5. In Name your new connection, enter a unique connection name that fits the usage. This connection exists in the DoiT platform and defines your users' permissions to interact with the CloudFlow itself.

  6. In Name your new AWS role, enter a unique role name that fits its usage. This is the AWS IAM role that the CloudFlow assumes when it executes. Its permissions are what allow the CloudFlow to perform tasks in AWS. This AWS IAM role does not have any permissions on the DoiT platform.

    (Screenshot: AWS setup config)

  7. In Account ID, select the AWS accounts for which this connection determines permissions.

  8. (Optional) Select a region for your AWS account.

  9. Select + Add another account to include another AWS account with this connection.

  10. When you have added and configured permissions for all the AWS accounts to include in the connection, select Next.

Permissions

Once you have set up the AWS role, you must specify the permissions for the AWS role that the CloudFlow assumes when it executes.

  1. (Optional) In AWS Managed Policies, select the AWS managed policies that you want to add to this AWS role.

  2. (Optional) If the CloudFlow requires additional AWS allowed actions, select + Add another allowed action to add them to the AWS role.

  3. In Allowed action, enter the additional permission, for example, S3:GetObject.

    (Screenshot: AWS permissions config)

    Repeat the steps for each additional AWS allowed action you want to add.

  4. You must apply either a CloudFormation stack or a Terraform file that grants the connection access to your AWS accounts.

    CloudFormation

    You must run the CloudFormation stack in each AWS account that you want to use in this connection. The stack needs to be applied only once in each account. Choose how you want to create the CloudFormation stack: you can do this using the AWS console or CLI commands.

    1. Select Open CloudFormation stack.
    2. You'll be taken to your AWS console to create a CloudFormation stack from a template.

    Terraform

    1. Select Terraform.
    2. Copy the provided code block into your Terraform configuration.
  5. Select Next.
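As an added illustration of what the Permissions steps produce in AWS (this is example code, not the block the wizard generates, and the DoiT principal account ID, external ID and bucket name are placeholders): a role that only the DoiT principal can assume, with one managed policy attached and one extra allowed action scoped to a single bucket.

```hcl
# Added example of a cross-account role of the kind this connection creates.
# PLACEHOLDERS: principal account ID, external ID and bucket are not from the page.
variable "doit_principal_account_id" { default = "111111111111" }            # placeholder
variable "external_id"               { default = "REPLACE-WITH-WIZARD-VALUE" } # placeholder
variable "role_name"                 { default = "doit-cloudflow-role" }      # name from step 6

# Trust policy: only the DoiT principal may assume the role, and only when it
# presents the expected external ID (mitigates the confused-deputy problem).
data "aws_iam_policy_document" "trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.doit_principal_account_id}:root"]
    }
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.external_id]
    }
  }
}

resource "aws_iam_role" "cloudflow" {
  name               = var.role_name
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# Permissions step 1: an AWS managed policy attached to the role.
resource "aws_iam_role_policy_attachment" "managed" {
  role       = aws_iam_role.cloudflow.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# Permissions step 3: an additional allowed action. Scoping the resource to
# one bucket keeps the role at least privilege instead of granting "*".
data "aws_iam_policy_document" "extra" {
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::example-bucket/*"] # placeholder bucket
  }
}

resource "aws_iam_role_policy" "extra" {
  name   = "${var.role_name}-allowed-actions"
  role   = aws_iam_role.cloudflow.id
  policy = data.aws_iam_policy_document.extra.json
}
```

After applying, the role's trust policy and attached policies can be reviewed in the IAM console to confirm that no principal other than the DoiT account can assume it.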

Access

Finally, you must set which DoiT accounts have access to this connection and are authorized to use it in a CloudFlow.

  1. In Email, select the email address of a DoiT account that can use this connection.

  2. In Connection access level, select the access level the DoiT account has.

  3. To add another account, select + Add another user.

  4. Repeat these steps for each DoiT account that can use this connection.

  5. Select Done. It may take a few minutes to create your connection. Once the connection is created, you can use it in your CloudFlows.