AWS

Overview

AWS API calls are notoriously hard to read, understand and use. Our goal is to help users connect individual API calls as a node in Fylamynt workflows.

Use Cases

The integration between Fylamynt and AWS lets you:

• Use any AWS services through a drop-down list

• Use all available operations against the selected service

Configure AWS in Fylamynt

• Navigate to Settings > Cloud Services > AWS

• Under AWS Target Accounts, click "Add New" to configure Fylamynt integration with your AWS account.

There are two steps needed to integrate Fylamynt with your AWS account.

1. In your AWS account, create an IAM role that allows Fylamynt to assume a role.

2. In Fylamynt, provide the ARN to that IAM role and give it a name.

Create AWS IAM Role with Assume Role

We will cover three possible ways to create an AWS IAM role with assume role permissions. Fylamynt provides two scrips, one for Terraform and one for Python, to create the role. It's also possible to use the AWS console directly to create the role. You only need to use one of these options, or, if you're comfortable with some other tool (AWS CLI, for example) feel free to use that.

Both the Terraform template and the python script require you to have an AWS access key and AWS access secret for your AWS account.

Option 1: Terraform template.

If you are already using Terraform to provision your AWS account, this convenience script will help create a role with the correct permissions to allow Fylamynt to invoke AWS actions inside your account on your behalf.

Option 2: Python script.

• Install prerequisites

  The Python script assumes you have a working AWS account and have set up an access key.

Install Boto3 The boto3 python package provides programmatic access to the AWS API. https://boto3.amazonaws.com/v1/documentation/api/latest/index.html

In a shell, use pip to install boto3:

# pip3 install boto3

• Download the Fylamynt python script zip file.

• Extract the zip file.

• Change into the extracted directory

  Copy

  cd fylamynt-aws-integration

• Edit a policy document.

  • There are two policy JSON documents provided in the zip file. "custom_policy.json" provides full access to several services AWS account, and read_only_policy.json gives read-only access to a set of services. Feel free to edit those as you see fit.

• Execute the script

  • You will need:

    • Fylamynt Account ID (from the right side of the setup page).

    • Fylamynt External ID (from the right side of the setup page).

    • AWS Account Key (from your AWS account)

    • AWS Account Secret (from your AWS account)

    • The policy JSON file you'd like to use.

  Copy

  python3 ./fylamynt_iam_role.py --accid FYLAMYNT_ACCOUNT_ID --extid FYLAMYNT_EXTERNAL_ID --accesskey AWS_ACCOUNT_KEY --secretkey AWS_ACCOUNT_SECRET --policyjson POLICY_JSON

If it ran correctly, execution should look like this:

[14:29:36] INFO [utils.<module>:209] Creating IAM Role: Fylamynt_AWSIntegrationRole
[14:29:37] INFO [utils.<module>:216] Fylamynt IAM Policy has been created
[14:29:37] INFO [utils.<module>:220] Creating IAM Role: Fylamynt_AWSIntegrationRole
[14:29:37] INFO [utils.<module>:227] Fylamynt IAM Role has been created
[14:29:37] INFO [utils.attach_policy_to_role:191] Attached IAM Policy 'Fylamynt_AWSIntegrationPolicy' to IAM Role 'Fylamynt_AWSIntegrationRole' successfully
[14:29:37] INFO [utils.<module>:231] Fylamynt IAM Role, Policy has been created

Add IAM role ARN to Fylamynt 'get-started' page to complete AWS integration: arn:aws:iam::XXXXXXXXXXX:role/Fylamynt_AWSIntegrationRole

Option 3: AWS Console.

Manually Create AWS AssumeRole

1. Go to the IAM console for your AWS target account.

2. Select Create role

3. Select Another AWS account for the Role Type.

4. For Account ID, copy-paste Your Fylamynt Account ID from the right panel. This is the AWS account ID that hosts the Fylamynt application, and you are granting that account access to your AWS target account.

5. Check off Require external ID and copy-paste the “External ID” from the right panel. Make sure you leave Require MFA disabled. For more information about the External ID, check out this document in the IAM User Guide.

6. Click Next: Permissions.

7. If you already have a policy, select it. Otherwise, the Fylamynt team can help you create a policy that suits your needs. For non-critical test accounts, you can choose the PowerUserAccess managed policy. This will unlock the full functionality of the Fylamynt platform.

   Attach Permission Policies

8. Select the appropriate tags and proceed.

   Add Tags

9. Name the role and add a description that denotes that this role is for Fylamynt access. Click Create Role. Copy-paste the ARN for the created role from the AWS IAM console into the AssumeRole ARN field in the right panel on this Fylamynt page.

   Right Panel

10. Enter a friendly name, or alias, for this AWS target account into the Account Alias field in the right panel on this page. An alias may contain any alphabets and dashes. You select a target environment that your Fylamynt workflow runs against by picking one of your target accounts as runtime input.

11. Enter the AWS region name where your Fylamynt workflows will run against.

12. Click Add Target Account. You are now able to use Fylamynt with this account!

Option 4: AWS Cloudformation template

Steps provide here

Integration Actions

AWS Execution Action

The AWS Execution Action allows you to call any AWS API endpoint supported by the boto3 library. See boto3 documentation here: https://boto3.amazonaws.com/v1/documentation/api/latest/index.html

Input

After you select a service (e.g. EC2, S3, IAM) and an operation (e.g. 'DescribeInstances', 'CreateBucket'), a further list of parameters for that call will appear on the right sidebar. These will be specific to the call you're making.

Output

The Specific output of the AWS Execution Action depends on the Service and Operation selected above.

The 'output' tab on the right panel will show a preview of the JSON output of the given operation.

Action Example

A step-by-step configuration is available on the Creating your first workflow using AWS Cloud Services page