AWS
Automate your team's infrastructure and ensure resource access is automatically kept in sync with team membership.
Prerequisites
This AWS integration relies on IAM Identity Center to manage access. An Identity Store must be set up before the integration can be added to Hyphen.
Setup
1. Create or sign into your Amazon Web Service account
Sign in to the Amazon Web Service console, or create a new Amazon Web Service account.
2. Create an Organization in your Amazon Web Service account
Create Organization if one does not already exist.
3. Add Hyphen role
- Open Amazon Web Service Cloud Shell
- Execute the following command:
aws iam create-role --role-name=hyphen --assume-role-policy-document='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam::640168453690:user/hyphen"]},"Action":"sts:AssumeRole","Condition":{}}]}'
The policy document is wrapped in single quotes so the double quotes inside the JSON reach the AWS CLI intact. You should see in the response that the role hyphen has been created and that its trust policy allows the Hyphen app to assume that role.
4. Add Hyphen policy
In the Amazon Web Service Cloud Shell, enter the following command:
aws iam put-role-policy --role-name=hyphen --policy-name=hyphen --policy-document='{"Version":"2012-10-17","Statement":[{"Sid":"VisualEditor0","Effect":"Allow","Action":["sso:ListPermissionSets","organizations:ListRoots","sso:CreateAccountAssignment","identitystore:ListUsers","sso:DeleteAccountAssignment","organizations:DescribeAccount","organizations:CreateAccount","identitystore:ListGroupMembershipsForMember","sso:ListAccountAssignments","organizations:ListAccounts","organizations:DescribeOrganization","identitystore:DeleteGroupMembership","identitystore:CreateGroupMembership","identitystore:DescribeGroup","organizations:DescribeOrganizationalUnit","identitystore:CreateGroup","sso:ListInstances","organizations:ListParents","identitystore:ListGroups","organizations:ListOrganizationalUnitsForParent","organizations:CreateOrganizationalUnit","sso:DescribePermissionSet","organizations:MoveAccount","organizations:DescribeCreateAccountStatus"],"Resource":"*"}]}'
As in the previous step, the JSON is wrapped in single quotes. The command returns no output on success; you can confirm with aws iam get-role-policy --role-name=hyphen --policy-name=hyphen that the inline policy hyphen is attached to the hyphen role and grants it the actions listed above.
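The two commands in steps 3 and 4 embed JSON in a shell command line, which is easy to mangle, and the trust policy is the control that decides who can assume the role. The following added example (written for this page, not Hyphen's or AWS's own code) builds both policy documents from the values shown above, checks that the trust policy admits only the Hyphen principal and that the permissions policy contains no wildcard or unexpected actions, and then renders correctly quoted CLI commands. The helper names and the check logic are this example's own; the account ID, role and policy names, and the action list come from the page.

```python
"""Build, check and render the IAM documents used by the Hyphen role setup.

Added example, not Hyphen's code. Values marked 'from the page' are copied from
the setup steps; every function name here is this example's own.
"""
import json
import shlex

HYPHEN_PRINCIPAL = "arn:aws:iam::640168453690:user/hyphen"  # from the page
ROLE_NAME = "hyphen"    # from the page
POLICY_NAME = "hyphen"  # from the page

# The exact action list from the page's put-role-policy command.
ALLOWED_ACTIONS = [
    "sso:ListPermissionSets", "organizations:ListRoots", "sso:CreateAccountAssignment",
    "identitystore:ListUsers", "sso:DeleteAccountAssignment", "organizations:DescribeAccount",
    "organizations:CreateAccount", "identitystore:ListGroupMembershipsForMember",
    "sso:ListAccountAssignments", "organizations:ListAccounts", "organizations:DescribeOrganization",
    "identitystore:DeleteGroupMembership", "identitystore:CreateGroupMembership",
    "identitystore:DescribeGroup", "organizations:DescribeOrganizationalUnit",
    "identitystore:CreateGroup", "sso:ListInstances", "organizations:ListParents",
    "identitystore:ListGroups", "organizations:ListOrganizationalUnitsForParent",
    "organizations:CreateOrganizationalUnit", "sso:DescribePermissionSet",
    "organizations:MoveAccount", "organizations:DescribeCreateAccountStatus",
]


def trust_policy(principal_arn=HYPHEN_PRINCIPAL):
    """Trust policy allowing exactly one IAM principal to assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": [principal_arn]},
        "Action": "sts:AssumeRole", "Condition": {}}]}


def role_policy(actions=ALLOWED_ACTIONS):
    """Inline permissions policy attached to the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "VisualEditor0", "Effect": "Allow",
        "Action": list(actions), "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, expected_principals):
    """Findings for any Allow statement that lets a principal outside
    expected_principals assume the role; an empty list means the trust is scoped."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("statement allows any principal (*)")
            continue
        for arn in _as_list(principal.get("AWS", [])):
            if arn not in expected_principals:
                findings.append(f"unexpected principal: {arn}")
    return findings


def check_role_policy(doc, allowed_actions):
    """Findings for wildcard actions or actions missing from allowed_actions."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"wildcard action: {action}")
            elif action not in allowed_actions:
                findings.append(f"action outside the expected list: {action}")
    return findings


def cli_command(subcommand, **options):
    """Render `aws iam <subcommand>`; dict values are serialised to compact JSON
    and shell-quoted so the embedded double quotes survive a POSIX shell."""
    parts = ["aws", "iam", subcommand]
    for flag, value in options.items():
        text = json.dumps(value, separators=(",", ":")) if isinstance(value, dict) else value
        parts.append(f"--{flag.replace('_', '-')}={shlex.quote(text)}")
    return " ".join(parts)


def document_from_command(cmd, flag):
    """Split a rendered command the way a shell would and parse the JSON passed
    to --<flag>; proves the quoting round-trips. Returns None if absent."""
    prefix = f"--{flag}="
    for arg in shlex.split(cmd):
        if arg.startswith(prefix):
            return json.loads(arg[len(prefix):])
    return None


def setup_commands():
    """The create-role and put-role-policy commands, refusing to render if a check fails."""
    trust, perms = trust_policy(), role_policy()
    problems = check_trust_policy(trust, {HYPHEN_PRINCIPAL})
    problems += check_role_policy(perms, set(ALLOWED_ACTIONS))
    if problems:
        raise ValueError("; ".join(problems))
    return [
        cli_command("create-role", role_name=ROLE_NAME, assume_role_policy_document=trust),
        cli_command("put-role-policy", role_name=ROLE_NAME, policy_name=POLICY_NAME,
                    policy_document=perms),
    ]


if __name__ == "__main__":
    print("\n".join(setup_commands()))
```

The trust policy on this page carries an empty Condition block, so the check only verifies the principal ARN; it does not add an sts:ExternalId condition, because the page does not say whether the Hyphen app supplies one, and adding it unilaterally would break the AssumeRole call. The permissions check is a review aid for the role as documented: it flags any edit that widens the action list beyond what the integration is stated to need.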
5. Add Admin Permission Set
- In the Amazon Web Service Console, navigate to IAM Identity Center.
- In the left navigation of the IAM Identity Center, navigate to Permission sets.
- Click Create permission set.
- Select Predefined permission set as the permission set type.
- Select AdministratorAccess as the policy.
- Click Next and confirm the permission set name is AdministratorAccess.
- Click Next and then click Create.
6. Connect Account
- Enter your AWS credentials below to complete the integration.
Configuration
Field | Type | Description |
---|---|---|
region | string (required) | AWS region provided by the user, used for future requests. |
accountId | string (required) | AWS account ID provided by the user, used for future requests. |
name | string | Management account name, pulled during setup for reference and display. |
identityStoreId | string | Identity store ID, pulled during setup for reference and display. |
identityStoreArn | string | Identity store ARN, pulled during setup for reference and display. |
permissionSetArn | string | Admin permission set ARN, pulled during setup for reference and display. |
Connections
Permission Group
Permission Group connections link to AWS Groups in AWS IAM Identity Center. Hyphen will automatically create a new group if a connection input is not provided.
When creating a new group, Hyphen will use the Team name.
Configuration
Field | Type | Description |
---|---|---|
groupId | string | Unique group ID in AWS, used for reference and future calls. |
instanceId | string | identityStoreId from the integration configuration. |
groupName | string | Group name in AWS, used for display. |
Connection Input
Provide the AWS Group name to connect to an existing Group.
Verification
A verification email will be sent to the AWS Management Account email to verify existing groups.
Access
A User connection will be added as a member when added to the group.
Folder
Folder connections link to existing Organization Units in AWS or create a new one if none is provided.
When creating a new organization unit, the Hyphen Project name will be used as the folder name, adjusted to contain only alphanumeric characters.
Configuration
Field | Type | Description |
---|---|---|
organizationUnitId | string | Unique organization unit ID in AWS, used for reference. |
name | string | Organization unit name in AWS, used for display and reference. |
Connection Input
Provide the AWS organization unit ID to connect to an existing Organization Unit.
Cloud Workspace
Cloud Workspace connections link to existing AWS Accounts or create a new one if none is provided.
An AWS account relies on a Folder connection. If no Folder connection exists for the Hyphen project environment, a new Folder will be created.
A Cloud Workspace connection requires a Google Workspace or Office 365 Distribution List. If neither exists, a new one will be created.
When creating a new account, the account name will combine the Hyphen project name and environment name.
Configuration
Field | Type | Description |
---|---|---|
accountId | string | Unique account ID in AWS, used for reference and future requests. |
name | string | Account name in AWS, used for display and future requests. |
parentId | string | Parent folder connection organizationUnitId. |
email | string | Account or distribution list email, used for future requests. |
Connection Input
Provide the AWS account ID to connect to an existing Account.
Verification
A verification email will be sent to the AWS account email to verify existing accounts.
Smart Access
A Team connection will be added as a group when added to the account.
User
User connections link to AWS Users in AWS IAM Identity Center. Hyphen will not automatically create Users in AWS. If no connection input is provided, the Hyphen Member's email address will be used to look up the AWS User.
Configuration
Field | Type | Description |
---|---|---|
userId | string | Unique user ID in AWS. |
email | string | Email in AWS. |
instanceId | string | identityStoreId from the integration configuration. |
username | string | Unique username of the User in AWS. |
Connection Input
Provide the username of the AWS User account to connect to an existing User.