AWS
Automate your team's infrastructure and ensure resource access is automatically kept in sync with team membership.
Setup
1. Create or sign in to your Amazon Web Services account
- Sign in to the Amazon Web Services console, or create a new Amazon Web Services account.
2. Create an Organization in your Amazon Web Services account
- Create an organization if one does not already exist. The account you run the following steps in becomes the management account; the role created below creates and moves accounts and organizational units inside this organization.
3. Add Hyphen role
- Open AWS CloudShell in the management account.
- Execute the following command (the policy document is single-quoted so the shell passes the JSON through unchanged):
aws iam create-role --role-name hyphen --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam::640168453690:user/hyphen"]},"Action":"sts:AssumeRole","Condition":{}}]}'
The response echoes the new role hyphen. Its AssumeRolePolicyDocument should list only arn:aws:iam::640168453690:user/hyphen (the Hyphen app's IAM user) as principal; the Condition block is empty, so that principal entry is the only thing restricting who can assume the role. You can re-read it at any time with aws iam get-role --role-name hyphen.
4. Add Hyphen policy
- In AWS CloudShell, enter the following command (again single-quoting the JSON):
aws iam put-role-policy --role-name hyphen --policy-name hyphen --policy-document '{"Version":"2012-10-17","Statement":[{"Sid":"VisualEditor0","Effect":"Allow","Action":["sso:ListPermissionSets","organizations:ListRoots","sso:CreateAccountAssignment","identitystore:ListUsers","sso:DeleteAccountAssignment","organizations:DescribeAccount","organizations:CreateAccount","identitystore:ListGroupMembershipsForMember","sso:ListAccountAssignments","organizations:ListAccounts","organizations:DescribeOrganization","identitystore:DeleteGroupMembership","identitystore:CreateGroupMembership","identitystore:DescribeGroup","organizations:DescribeOrganizationalUnit","identitystore:CreateGroup","sso:ListInstances","organizations:ListParents","identitystore:ListGroups","organizations:ListOrganizationalUnitsForParent","organizations:CreateOrganizationalUnit","sso:DescribePermissionSet","organizations:MoveAccount","organizations:DescribeCreateAccountStatus"],"Resource":"*"}]}'
put-role-policy returns no output on success. The inline policy hyphen is now attached to the hyphen role and grants it the Organizations, IAM Identity Center (sso) and Identity Store actions listed above on all resources; confirm with aws iam get-role-policy --role-name hyphen --policy-name hyphen.
5. Add Admin Permission Set
- In the Amazon Web Services console, navigate to IAM Identity Center.
- In the left navigation of IAM Identity Center, navigate to Permission sets.
- Click Create permission set.
- Select Predefined permission set as the permission set type.
- Select AdministratorAccess as the policy.
- Click Next and confirm the permission set name is AdministratorAccess.
- Click Next, then click Create.
6. Connect Account
- Enter the AWS region and the management account ID in the integration form to complete the integration. The remaining configuration fields below are pulled from the account during setup.
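Steps 3 and 4 above are two hand-typed commands with long inline JSON. The script below is an added example (it is not Hyphen's own tooling and is not from the original page) that performs the same two calls from the management account with the policy documents written to files, then reads the trust policy back from IAM and checks that the only principal allowed to assume the role is the Hyphen IAM user from step 3. It assumes AWS CLI v2 is configured for the management account (as in CloudShell), that python3 is available for JSON parsing, and that /tmp is writable; the file names and the function names are this example's own.

```shell
#!/usr/bin/env sh
# Added example, not part of Hyphen's setup instructions. Creates the "hyphen"
# role and inline policy from steps 3 and 4, then verifies the trust policy.
# Assumes: AWS CLI v2 authenticated to the management account, python3 present.
set -eu

HYPHEN_PRINCIPAL="arn:aws:iam::640168453690:user/hyphen"   # Hyphen's IAM user from step 3
ROLE_NAME="hyphen"
POLICY_NAME="hyphen"

# Trust policy from step 3: only HYPHEN_PRINCIPAL may call sts:AssumeRole on the role.
trust_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["${HYPHEN_PRINCIPAL}"]},"Action":"sts:AssumeRole","Condition":{}}]}
EOF
}

# Inline permissions policy from step 4 (Organizations, IAM Identity Center, Identity Store).
hyphen_policy() {
  cat <<'EOF'
{"Version":"2012-10-17","Statement":[{"Sid":"VisualEditor0","Effect":"Allow","Action":["sso:ListPermissionSets","organizations:ListRoots","sso:CreateAccountAssignment","identitystore:ListUsers","sso:DeleteAccountAssignment","organizations:DescribeAccount","organizations:CreateAccount","identitystore:ListGroupMembershipsForMember","sso:ListAccountAssignments","organizations:ListAccounts","organizations:DescribeOrganization","identitystore:DeleteGroupMembership","identitystore:CreateGroupMembership","identitystore:DescribeGroup","organizations:DescribeOrganizationalUnit","identitystore:CreateGroup","sso:ListInstances","organizations:ListParents","identitystore:ListGroups","organizations:ListOrganizationalUnitsForParent","organizations:CreateOrganizationalUnit","sso:DescribePermissionSet","organizations:MoveAccount","organizations:DescribeCreateAccountStatus"],"Resource":"*"}]}
EOF
}

# check_trust_policy <policy-json> <expected-principal-arn>
# Returns 0 only if the document has exactly one Allow statement for
# sts:AssumeRole whose AWS principal list is exactly [expected-principal-arn].
# A wildcard or extra principal (the trust policy's Condition block is empty,
# so the principal list is the only restriction) makes it return 1.
check_trust_policy() {
  python3 - "$1" "$2" <<'EOF'
import json, sys
doc = json.loads(sys.argv[1])
want = sys.argv[2]
stmts = doc.get("Statement", [])
if len(stmts) != 1:
    sys.exit(1)
s = stmts[0]
if s.get("Effect") != "Allow" or s.get("Action") != "sts:AssumeRole":
    sys.exit(1)
principals = s.get("Principal", {}).get("AWS", [])
if isinstance(principals, str):
    principals = [principals]
sys.exit(0 if principals == [want] else 1)
EOF
}

# apply: run the two IAM calls, then verify what IAM actually stored.
apply() {
  trust_policy  > /tmp/hyphen-trust.json
  hyphen_policy > /tmp/hyphen-policy.json

  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document file:///tmp/hyphen-trust.json
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name "$POLICY_NAME" \
      --policy-document file:///tmp/hyphen-policy.json

  # Read the trust policy back from IAM rather than trusting the local file.
  live=$(aws iam get-role --role-name "$ROLE_NAME" \
           --query 'Role.AssumeRolePolicyDocument' --output json)
  if check_trust_policy "$live" "$HYPHEN_PRINCIPAL"; then
    echo "role $ROLE_NAME: trust policy allows only $HYPHEN_PRINCIPAL"
  else
    echo "role $ROLE_NAME: unexpected trust policy, review before connecting" >&2
    exit 1
  fi
}

# Nothing is changed unless the script is invoked as: sh hyphen-setup.sh apply
if [ "${1:-}" = "apply" ]; then
  apply
fi
```

Run it once with `apply` from CloudShell in the management account. create-role fails if the role already exists, which is the intended behaviour: an existing role named hyphen should be inspected with check_trust_policy rather than silently reused.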
Configuration
Field | Type | Description |
---|---|---|
region | string (required) | AWS region provided by the user, used for future requests. |
accountId | string (required) | AWS account ID provided by the user, used for future requests. |
name | string | Management account name, pulled during setup for reference and display. |
identityStoreId | string | Identity store ID, pulled during setup for reference and display. |
identityStoreArn | string | Identity store ARN, pulled during setup for reference and display. |
permissionSetArn | string | Admin permission set ARN, pulled during setup for reference and display. |
Connections
Permission Group
Permission Group connections link to existing AWS Groups or create a new group if none is provided.
When creating a new group, the name will be the Hyphen Team name.
Configuration
Field | Type | Description |
---|---|---|
groupId | string | Unique group ID in AWS, used for reference and future calls. |
instanceId | string | identityStoreId from the integration configuration. |
groupName | string | Group name in AWS, used for display. |
Connection Input
Provide the AWS group name to connect to an existing group.
Verification
A verification email will be sent to the account email to verify existing groups.
Access
When a member is added to the Hyphen team, the member's User connection is added to the AWS group as a group member.
Folder
Folder connections link to existing organizational units (OUs) in AWS Organizations, or create a new one if none is provided.
When creating a new organizational unit, the Hyphen Project name is used as the OU name, adjusted to contain only alphanumeric characters.
Configuration
Field | Type | Description |
---|---|---|
organizationUnitId | string | Unique organizational unit ID in AWS, used for reference. |
name | string | Organizational unit name in AWS, used for display and reference. |
Connection Input
Provide the AWS organizational unit ID to connect to an existing organizational unit.
Cloud Workspace
Cloud Workspace connections link to existing AWS accounts, or create a new one if none is provided.
An AWS account needs a Folder connection as its parent organizational unit. If no Folder connection exists for the Hyphen project environment, a new Folder is created first.
A Cloud Workspace connection also requires a Google Workspace or Office 365 Distribution List (used as the account email). If neither exists, a new one is created.
When creating a new account, the account name combines the Hyphen project name and environment name.
Configuration
Field | Type | Description |
---|---|---|
accountId | string | Unique account ID in AWS, used for reference and future requests. |
name | string | Account name in AWS, used for display and future requests. |
parentId | string | The parent Folder connection's organizationUnitId. |
email | string | Account or distribution list email, used for future requests. |
Connection Input
Provide the AWS account ID to connect to an existing Account.
Verification
A verification email will be sent to the AWS account email to verify existing accounts.
Access
When a team is given access to the project environment, the team's Permission Group (its AWS group) is added to the account as a group.
User
User connections link to existing AWS Users. If no input is provided, the member email will be used to find the existing User.
Configuration
Field | Type | Description |
---|---|---|
userId | string | Unique user ID in AWS. |
email | string | Unique username in AWS. |
instanceId | string | identityStoreId from the integration configuration. |
Connection Input
Provide the AWS email to connect to an existing User.