AWS Agent
The AWS agent can be used to manage AWS infrastructure using plain English commands. It does not require storing any short- or long-term AWS credentials.
You will need to configure the MechCloud IdP as an identity provider in AWS in order to make this integration work without AWS API credentials.
Go to IAM -> Identity providers and click on the Add provider button to add an OIDC identity provider with the following details -
Provider URL
Audience
n6dMQlo8ZCE5QxLY4o2KjeBaSn8eefTX
Now assign an IAM role to the newly added OIDC provider by following the instructions below -
Go to IAM -> Identity providers and click on the provider created in the previous section.
Click on the Assign role button.
Select the Create a new role radio button.
Select the following details on the next page and click on the Next button -
Select permissions policies (e.g. AmazonEC2ReadOnlyAccess) on the next page which you want to assign to this role and click on the Next button.
Specify MechCloudWebIdentityRole (or any other name) under Role name on the next page and click on the Create role button to create the role. Make sure you replace MechCloudWebIdentityRole in the following steps if you decide to use a different name for this role.
(IMPORTANT) Make sure that you specify a condition under the Trust relationships tab of the MechCloudWebIdentityRole role as shown in the image below so that only users with specific email IDs can assume this role. In the absence of this condition, any user who is logged into MechCloud and who knows your AWS account number and the role name will be able to assume this role in your AWS account, which can result in unexpected charges if you have assigned permissions to provision AWS resources to this role.
(IMPORTANT) Also, make sure to revoke existing sessions whenever you remove a user from the condition highlighted above. This blocks access for users who were removed from the condition but still hold a valid session token.
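The two IMPORTANT notes above (the email condition on the trust relationship, and revoking sessions after a user is removed) are illustrated by the following added example. It is not MechCloud's or AWS's own code: it builds the trust policy for the web-identity role with and without the email condition, evaluates it against constructed sample token claims the way AWS would, and builds the "deny everything issued before this time" policy that the IAM console's Revoke active sessions action attaches. The provider host (oidc.mechcloud.example), the account ID, the email addresses and the claim key `<provider>:email` are assumptions or constructed samples; the audience value is the one given on this page. Verify the exact condition key against the trust relationship shown in the image.

```python
"""Added example (not MechCloud's or AWS's code): trust policy with an email
condition, a simplified evaluation of it, and a revoke-older-sessions policy."""
import json

# Assumptions: the Provider URL is not shown on this page, so the host is a
# placeholder; the account id and email addresses are constructed samples.
OIDC_PROVIDER_HOST = "oidc.mechcloud.example"             # placeholder host
AUDIENCE = "n6dMQlo8ZCE5QxLY4o2KjeBaSn8eefTX"             # audience from the page
ACCOUNT_ID = "123456789012"                               # constructed sample
ALLOWED_EMAILS = ["alice@example.com", "bob@example.com"]  # constructed sample


def trust_policy(account_id, provider_host, audience, allowed_emails=None):
    """Trust policy for a web-identity role.

    With allowed_emails=None the policy only checks the audience, which is the
    weak setting: any MechCloud user who knows the account id and role name
    could assume the role. Passing a list adds the email condition the page
    requires (claim key `<provider>:email` is an assumption; check the image).
    """
    conditions = {f"{provider_host}:aud": audience}
    if allowed_emails is not None:
        conditions[f"{provider_host}:email"] = list(allowed_emails)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider_host}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": conditions},
        }],
    }


def _string_equals(expected, actual):
    # StringEquals with a list value means "equal to any of these values".
    if isinstance(expected, list):
        return actual in expected
    return actual == expected


def can_assume(policy, claims):
    """Simplified trust-policy evaluation: True if some Allow statement for
    AssumeRoleWithWebIdentity has every StringEquals condition satisfied by
    the token claims (claims are keyed like the condition keys)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if all(_string_equals(v, claims.get(k)) for k, v in cond.items()):
            return True
    return False


def revoke_older_sessions_policy(cutoff_utc):
    """Inline policy equivalent to the IAM console's Revoke active sessions:
    deny every action to sessions whose token was issued before cutoff_utc
    (format YYYY-MM-DDTHH:MM:SSZ). Sessions created after it are unaffected."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff_utc}},
        }],
    }


def session_is_blocked(revoke_policy, token_issue_time_utc):
    """True if a session token issued at the given UTC time (same fixed-width
    format) is denied by the revoke policy. Fixed-width UTC timestamps compare
    correctly as strings, so no datetime parsing is needed."""
    cutoff = revoke_policy["Statement"][0]["Condition"]["DateLessThan"]["aws:TokenIssueTime"]
    return token_issue_time_utc < cutoff


if __name__ == "__main__":
    restricted = trust_policy(ACCOUNT_ID, OIDC_PROVIDER_HOST, AUDIENCE, ALLOWED_EMAILS)
    print(json.dumps(restricted, indent=2))
    stranger = {f"{OIDC_PROVIDER_HOST}:aud": AUDIENCE,
                f"{OIDC_PROVIDER_HOST}:email": "mallory@example.com"}
    print("stranger can assume restricted role:", can_assume(restricted, stranger))
    print(json.dumps(revoke_older_sessions_policy("2024-01-15T12:00:00Z"), indent=2))
```

The weak policy (no email condition) lets any token with the right audience assume the role, which is exactly the exposure the first IMPORTANT note describes; the deny-before-timestamp policy is why revoking sessions after removing an email from the condition matters, since the trust policy is only evaluated at AssumeRole time and does nothing against a token that already exists.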