Connect an AWS account
Microtica provisions infrastructure on your own AWS account. In order to enable Microtica to manage cloud resources, you need to connect your AWS account and grant the proper access permissions.
Microtica authenticates with your AWS account by using the AWS STS AssumeRole service to generate temporary access tokens. The generated tokens are then used in every subsequent call to your account.
Connect your AWS account in two steps:
- Create cross-account role
- Connect AWS account
If you want to set up access quickly, log in to your AWS account and follow this link.
The link will redirect you to the CloudFormation page and ask you for the External ID parameter. Enter a secret value in this field and remember it for later.
To create a cross-account role manually, first log in to the AWS console. Follow the steps below to establish access between Microtica and your AWS account.
- Go to IAM service
- Choose Create role
- Choose Another AWS account from the list of trusted entity types
- For Account ID add 652222714481.
- For External ID, enter a secret value and remember it for later. Go to Next.
- From the list of policies, select the ones that you intend to use. For example, if you plan on creating a Kubernetes cluster you should enable permissions for EKS and EC2 for Kubernetes nodes. You can also create a custom policy with more narrow permissions. To be able to use Microtica's ready-made templates and infrastructure components, add the following access policy:
- Choose the newly created policy from the list and go to Next
- Enter the role name of your choice
- Once the role is created, you need to configure the role's trust relationships. Choose the newly created role and go to Trust relationships. Before you add the policy defined below, replace <EXTERNAL_ID> with the secret you chose while creating the role:
It's a best practice to always follow the principle of least privilege. Start by granting Microtica the minimum privileges it needs and expand them only when a concrete need arises.
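The following script is an added example, not Microtica's own code or the policy document the steps above refer to. It renders a trust policy in the standard AWS cross-account shape (the trusted account ID 652222714481 comes from the steps above; the External ID value, the template and the function names are assumptions made for this example) and then audits a trust policy the way a reviewer would before attaching the role: only the trusted account may assume it, only via sts:AssumeRole, and only when it presents the agreed External ID. It also catches the two mistakes that most often slip through, a missing or unreplaced External ID condition (which leaves the role open to confused-deputy use) and a principal of `*`.

```python
"""Render and audit a cross-account IAM role trust policy.

Added example, not Microtica's own code. The trust policy template below is a
constructed sample in the standard AWS cross-account pattern; the External ID
values and function names are assumptions for this example.
"""
import json

MICROTICA_ACCOUNT_ID = "652222714481"  # the trusted account ID from the steps above

# Constructed sample trust policy. <EXTERNAL_ID> is the placeholder the
# steps above tell you to replace with the secret you chose.
TRUST_POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{MICROTICA_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "<EXTERNAL_ID>"}},
        }
    ],
}


def render_trust_policy(external_id):
    """Return the trust policy JSON with <EXTERNAL_ID> replaced by the chosen secret."""
    policy = json.loads(json.dumps(TRUST_POLICY_TEMPLATE))  # deep copy of the template
    for stmt in policy["Statement"]:
        stmt["Condition"]["StringEquals"]["sts:ExternalId"] = external_id
    return json.dumps(policy, indent=2)


def _as_list(value):
    """IAM accepts either a scalar or a list in Principal and Action fields."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy_json, trusted_account, external_id):
    """Return a list of findings for every Allow statement wider than intended.

    An empty list means: only `trusted_account` can assume the role, only via
    sts:AssumeRole, and only when it presents `external_id`.
    """
    findings = []
    policy = json.loads(policy_json)
    ok_principals = {trusted_account, f"arn:aws:iam::{trusted_account}:root"}

    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue

        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append("principal is '*': any AWS account could assume the role")
        elif isinstance(principal, dict):
            for key in principal:
                if key != "AWS":  # Service/Federated principals do not belong here
                    findings.append(f"unexpected principal type: {key}")
            for p in _as_list(principal.get("AWS", [])):
                if p not in ok_principals:
                    findings.append(f"unexpected principal: {p}")
        else:
            findings.append(f"unexpected principal: {principal!r}")

        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"unexpected action: {action}")

        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("no sts:ExternalId condition: role is open to confused-deputy use")
        elif ext == "<EXTERNAL_ID>":
            findings.append("placeholder <EXTERNAL_ID> was never replaced")
        elif ext != external_id:
            findings.append("sts:ExternalId does not match the secret you recorded")

    return findings


if __name__ == "__main__":
    secret = "my-long-random-secret"  # constructed sample value, not a real External ID
    policy = render_trust_policy(secret)
    print(policy)
    print("findings:", audit_trust_policy(policy, MICROTICA_ACCOUNT_ID, secret))
```

Run it as-is to see a clean audit, or paste the trust policy you actually attached into `audit_trust_policy` with the External ID you recorded; any non-empty result is worth fixing before you connect the account in the Microtica portal.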
Once the role is properly configured in your AWS account, you can attach the account from the Microtica portal and start deploying infrastructure in the cloud. Go to Project Settings and choose the Integrations tab. There, select Cloud Accounts > Connect AWS.
Enter the necessary credentials to connect your AWS account:
Now, you are ready to automate and deploy your infrastructure on AWS.
To completely revoke Microtica's access to your AWS account, delete the previously created cross-account role. After that, Microtica will no longer have access to your cloud account.