IAM Role is used to allow snapblocs to access your cloud provider environment for deploying your stacks, collecting statistics of your stacks, etc.
Your IAM Role data is encrypted and stored on the secured AWS Systems Manager Parameter Store (not on the snapblocs system) to protect your access keys from any unauthorized access.
IAM Role is an AWS-recommended practice and provides a very secure experience as compared to IAM Keys for accessing AWS resources.
How cross-account IAM roles work
A cross-account IAM role is an IAM role that includes a trust policy that allows AWS identities in another AWS account to assume the role. Put simply, you (a customer of snapblocs) can create a role in your AWS account that delegates specific permissions to snapblocs.
Here is the overall process:
You (a customer of snapblocs) create an IAM role in your AWS account with an access policy for accessing the resources that snapblocs requires. snapblocs specifies that the role will be assumed by snapblocs AWS account by providing snapblocs AWS account ID in the trust policy for that role.
You register the Amazon Resource Name (ARN) of the role to snapblocs. The ARN is the fully qualified name of the role.
When the snapblocs SaaS application needs to access your AWS resources (for deploying your stacks or collecting running statistics), the snapblocs software calls the AssumeRole API in the AWS Security Token Service (STS) with the ARN of the role in your AWS account. STS returns a temporary AWS credential that allows snapblocs software to do its work.
Note: To run the AWS CloudFormation template for creating IAM Role, the user who creates the AWS CloudFormation stack must have an admin privilege.
Obtain the following two pieces of information:
snapblocs AWS account ID.
Your External ID, which is a unique identifier for your organization, that is generated by snapblocs.
To obtain that information:
Go to Settings menu > Provider Access tab.
Click "Add new".
Select "AWS" for a cloud provider. Next.
Select "IAM Role" for AWS access type.
Copy the values of snapblocs AWS account ID and External ID
Download the attached AWS CloudFormation template to your local file system for creating an IAM Role.
To run the CloudFormation template:
Login to your AWS account
Go to the CloudFormation Service homepage
Click the "Create Stack" button
Select the "Template is ready" option for a template
Select the "Upload a template file" option for a Template source
Click "Choose file"
Choose your downloaded CloudFormation template file from your local file system
Enter Stack name (the stack name is an identifier that helps you find a particular stack from a list of stacks). The stack name must be unique on your AWS account.
Enter External ID (Unique identifier generated by snapblocs for your AWS account) This ExternalID will be used to register your IAM Role to your snapblocs account later.
Enter MaxSessionDuration (between 3600 and 43200)
Enter OtherAccountNumber (snapblocs AWS account number)
On the Configure stack options page, you can leave all options "as is"
On the Review summary page, review all values and select an acknowledgment option
Click "Create Stack"
On the CloudFormation stack Events tab, you will see the list of Events for progress
Wait a few minutes (while clicking the refresh button) for the completion
Go to the Outputs tab
Copy the generated RoleARN
Delete the CloudFormation stack
After creating the AWS IAM Role, you can add IAM Role to your snapblocs account or projects for granting your account access to snapblocs SaaS service by sharing your IAM Role so that snapblocs can access your AWS environment to provision your stacks on your AWS account.
How to add AWS IAM Role to snapblocs
When deploying a snapblocs stack, snapblocs provisions the stack within the customer's AWS account. The stack is integrated with Amazon EKS for Kubernetes clusters using AWS EC2 instances and other AWS resources. snapblocs manages the lifecycle of ...
How to Create AWS IAM Access Keys
AWS IAM Access Key ID and Secret Access Key IAM Access Keys is used to allow snapblocs to access your cloud provider environment for deploying your stacks, collecting statistics of your stacks, etc. Your Access Key values are encrypted and stored on ...
AWS Provider Access Method
Add an AWS provider access method to snapblocs before configuring or deploying a stack. When configuring a stack, snapblocs will retrieve some AWS account information such as available VPCs, Subnets, SSH Key Pairs, etc. This information is ...
How to add AWS IAM Access Keys to snapblocs
When deploying a snapblocs stack, snapblocs provisions the stack within the customer’s AWS account. The stack is integrated with Amazon EKS for Kubernetes clusters using AWS EC2 instances and other AWS resources. snapblocs manages the lifecycle of ...
Requirements on AWS
The followings list the requirement on AWS using snapblocs. Account Requirements Amazon AWS account with AWS VPC Default VPC Or Custom VPC 2 or more public Subnets 2 or more private Subnets Able to instantiate 6 or more of t2.large EC2 instances ...