IAM roles AWS Cloud Plugin Portal - How to move Red to Green

Hi All,

In the Plugin Management portal in WEBUI, we can install the plugin on the AWS instance and can authenticate with the Access Key ID and Secret Access Key, as shown below, and the credentials show as Green.

But, while adding a single role or multiple roles (IAM roles), the credentials change from green to RED as shown below.

Could you please let us know the process for how we can make it green after adding multiple IAM roles there?

Since we have 1000+ AWS accounts, I am looking for a solution to add the IAM roles in cloud plugin mgmt.

Before adding roles

After adding roles

Regards
CHANDU

If you are looking for hands-on help then you need to open a support case. What I would advise you is that the role you need to define needs to exist in every single AWS account, and then your credential (access key/secret pair) needs to have assume permission for every single role in each account, and you need to add the roles to the permission set. Also, think about what regions are allowed for each role and only define those, as the discovery will try to assume each role and then scan through each region for each role, so the error you are seeing may come from all sorts of permutations of account/role/region… As I said, if you want an actual drill down, open a support case and provide them logs from both the plugin server and the AWS plugin (they may need debug level logging if you don’t have it), and that should give them the exact error/problem you are facing…

I think the ARN for your Role is not correct… something like this

1 Like

I wrote something a very long time ago - please check if it does help you. In my situation, I had a customer with different accounts and I wanted to have one IAM user to access all of those accounts:

Source URL for the IAM Role configuration:
Allow cross-account users to access your resources through IAM | AWS re:Post

Create an IAM user on a specific account with the following properties:
- MFA must NOT be enabled
- Must have programmatic access type
- Must have the following permissions at minimum: action "ec2:Describe*" allowed on resource "*"
- A suitable predefined AWS policy is AmazonEC2ReadOnlyAccess

For example –
arn:aws:iam::account-id:user/bigFixUser

On all of the accounts, create roles with the following trust policy. Please make sure to note the ARN of each role; we will need them afterward.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::account-id:user/bigFixUser"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

Access the IAM user (bigFixUser), go to Permissions, and add a new permission policy. Make sure to add all of the role ARNs into the Resource section.
For example:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "sts:AssumeRole"
                ],
                "Resource": [
                    "arn:aws:iam::account-id:role/awsbigfix",
                    "arn:aws:iam::different-account-id:role/awsbigfix"
                ]
            }
        ]
    }
To test your access, follow the Switching to a role (console) instructions.

After you have made sure that this IAM user is able to access all of the other accounts, please provide me all of the role ARNs, and I will add them to the Cloud Plugin configuration.
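Added example, not from the post above and not BigFix or AWS code: with 1000+ accounts, the two policies above have to agree for every account, and the replies point at exactly the mismatches that turn the credential red (a mistyped role ARN, a role listed in the user's AssumeRole policy whose account never trusts the user). The script below generates the per-account trust policy and the user's AssumeRole policy from a list of role ARNs, validates each ARN's shape, and cross-checks the two sides. The account ids, the role name and the `check_chain` helper are constructed for this example.

```python
import json
import re

# Constructed sample input: one IAM user and one role per target account.
# Account ids are placeholders, not real accounts.
USER_ARN = "arn:aws:iam::111111111111:user/bigFixUser"
ROLE_ARNS = [
    "arn:aws:iam::111111111111:role/awsbigfix",
    "arn:aws:iam::222222222222:role/awsbigfix",
    "arn:aws:iam::333333333333:role/awsbigfix",
]

# IAM user/role ARN: 12-digit account id, then user/ or role/ and a name.
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(user|role)/([\w+=,.@-]+)$")


def parse_iam_arn(arn):
    """Split an IAM user/role ARN into (account_id, kind, name); raise on a malformed ARN."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"malformed IAM ARN: {arn!r}")
    return m.group(1), m.group(2), m.group(3)


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy(user_arn):
    """Trust policy every target-account role needs so that user_arn may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": user_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def assume_role_policy(role_arns):
    """Permission policy attached to the user, listing every role it may assume."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["sts:AssumeRole"],
            "Resource": sorted(role_arns),
        }],
    }


def build_policies(user_arn, role_arns):
    """Return (user policy, {account_id: trust policy}) for all listed roles."""
    parse_iam_arn(user_arn)  # fail early on a bad user ARN
    trust_by_account = {}
    for arn in role_arns:
        account, kind, _ = parse_iam_arn(arn)
        if kind != "role":
            raise ValueError(f"not a role ARN: {arn}")
        trust_by_account[account] = trust_policy(user_arn)
    return assume_role_policy(role_arns), trust_by_account


def check_chain(user_arn, user_policy, trust_by_account):
    """Cross-check both sides of the AssumeRole chain.

    Returns a list of problems (empty means consistent): roles the user may
    assume whose account trust policy does not admit the user, and accounts
    that trust the user but are missing from the user's Resource list.
    """
    problems = []
    allowed = set()
    for st in user_policy["Statement"]:
        if st["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(st["Action"]):
            allowed.update(_as_list(st["Resource"]))

    for arn in sorted(allowed):
        account, _, _ = parse_iam_arn(arn)
        principals = set()
        for st in trust_by_account.get(account, {}).get("Statement", []):
            if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st["Action"]):
                principals.update(_as_list(st["Principal"].get("AWS", [])))
        if user_arn not in principals:
            problems.append(f"{arn}: trust policy in account {account} does not allow {user_arn}")

    listed_accounts = {parse_iam_arn(a)[0] for a in allowed}
    for account in sorted(trust_by_account):
        if account not in listed_accounts:
            problems.append(f"account {account}: role trusts the user but is not in the user's Resource list")
    return problems


if __name__ == "__main__":
    user_policy, trust_by_account = build_policies(USER_ARN, ROLE_ARNS)
    print(json.dumps(user_policy, indent=2))
    for account, policy in trust_by_account.items():
        print(f"--- trust policy for account {account} ---")
        print(json.dumps(policy, indent=2))
    print("problems:", check_chain(USER_ARN, user_policy, trust_by_account) or "none")
```

Run it once with the real user ARN and the exported list of role ARNs before pasting anything into the plugin portal; an empty problem list means the policies are at least consistent with each other, and the remaining step is the manual switch-role test from the post above in each account.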