Prerequisites

This AWS integration relies on IAM Identity Center to manage access. An Identity Store must be set up before the integration can be added to Hyphen.

Setup

1. Create or sign into your Amazon Web Service account

2. Create an Organization in your Amazon Web Service account

Create Organization if one does not already exist.

3. Add Hyphen role

Open Amazon Web Service Cloud Shell
Execute the following command:

aws iam create-role --role-name=hyphen --assume-role-policy-document="{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam::640168453690:user/hyphen"]},"Action":"sts:AssumeRole","Condition":{}}]}"

You should see in the response that the role hyphen has been created and allows the Hyphen app to assume that role.

4. Add Hyphen policy

In the Amazon Web Service Cloud Shell, enter the following command:

aws iam put-role-policy --role-name=hyphen --policy-name=hyphen --policy-document="{"Version":"2012-10-17","Statement":[{"Sid":"VisualEditor0","Effect":"Allow","Action":["sso:ListPermissionSets","organizations:ListRoots","sso:CreateAccountAssignment","identitystore:ListUsers","sso:DeleteAccountAssignment","organizations:DescribeAccount","organizations:CreateAccount","identitystore:ListGroupMembershipsForMember","sso:ListAccountAssignments","organizations:ListAccounts","organizations:DescribeOrganization","identitystore:DeleteGroupMembership","identitystore:CreateGroupMembership","identitystore:DescribeGroup","organizations:DescribeOrganizationalUnit","identitystore:CreateGroup","sso:ListInstances","organizations:ListParents","identitystore:ListGroups","organizations:ListOrganizationalUnitsForParent","organizations:CreateOrganizationalUnit","sso:DescribePermissionSet","organizations:MoveAccount","organizations:DescribeCreateAccountStatus"],"Resource":"*"}]}"

You should see in the response that the policy hyphen has been created and allows the hyphen role to access the necessary resources.

5. Add Admin Permission Set

In the Amazon Web Service Console, navigate to IAM Identity Center.
In the left navigation of the IAM Identity Center, navigate to Permissions Sets.
Click Create permission set.
Select Predefined permission set as the permission set type.
Select AdministratorAccess as the policy.
Click next and confirm the permission set name is AdministratorAccess.
Click next and then click create.

6. Connect Account

Enter your AWS credentials below to complete the integration.

Configuration

Field	Type	Description
`region`	`string` (required)	AWS region provided by the user, used for future requests.
`accountId`	`string` (required)	AWS account ID provided by the user, used for future requests.
`name`	`string`	Management account name, pulled during setup for reference and display.
`identityStoreId`	`string`	Identity store ID, pulled during setup for reference and display.
`identityStoreArn`	`string`	Identity store ARN, pulled during setup for reference and display.
`permissionSetArn`	`string`	Admin permission set ARN, pulled during setup for reference and display.

Connections

Permission Group

Permission Group connections link to AWS Groups in AWS IAM Identity Center. Hyphen will automatically create a new group if a connection input is not provided.

When creating a new group, Hyphen will use the Team name.

Configuration

Field	Type	Description
`groupId`	`string`	Unique group ID in AWS, used for reference and future calls.
`instanceId`	`string`	`identityStoreId` from the integration configuration.
`groupName`	`string`	Group name in AWS, used for display.

Connection Input

Provide the AWS Group name to connect to an existing Group.

Verification

A verification email will be sent to the AWS Management Account email to verify existing groups.

Access

A User connection will be added as a member when added to the group.

Folder

Folder connections link to existing Organization Units in AWS or create a new one if none is provided.

When creating a new organization unit, the Hyphen Project name will be used as the folder name, adjusted to contain only alphanumeric characters.

Configuration

Field	Type	Description
`organizationUnitId`	`string`	Unique organization unit ID in AWS, used for reference.
`name`	`string`	Organization unit name in AWS, used for display and reference.

Connection Input

Provide the AWS organization unit ID to connect to an existing Organization Unit.

Cloud Workspace

Cloud Workspace connections link to existing AWS Accounts or create a new one if none is provided.

An AWS account relies on a Folder connection. If no Folder connection exists for the Hyphen project environment, a new Folder will be created.

A Cloud Workspace connection requires a Google Workspace or Office 365 Distribution List. If neither exists, a new one will be created.

When creating a new account, the account name will combine the Hyphen project name and environment name.

Configuration

Field	Type	Description
`accountId`	`string`	Unique account ID in AWS, used for reference and future requests.
`name`	`string`	Account name in AWS, used for display and future requests.
`parentId`	`string`	Parent folder connection `organizationUnitId`.
`email`	`string`	Account or distribution list email, used for future requests.

Connection Input

Provide the AWS account ID to connect to an existing Account.

Verification

A verification email will be sent to the AWS account email to verify existing accounts.

Smart Access

A Team connection will be added as a group when added to the account.

User

User connections link to AWS Users in AWS IAM Identity Center. Hyphen will not automatically create Users in AWS. If no connection input is provided, the Hyphen Member's email address will be used to look up the AWS User.

Configuration

Field	Type	Description
`userId`	`string`	Unique user ID in AWS.
`email`	`string`	Email in AWS.
`instanceId`	`string`	`identityStoreId` from the integration configuration.
`username`	`string`	Unique username of the User in AWS

Connection Input

Provide the username of the AWS User account to connect to an existing User.

Test Connect