Amazon Web Services
- Updated on 12 Nov 2023
The AWS integration uses an AWS IAM role that you define in your AWS IAM configuration to take actions in Torq as an approved user for the assets and APIs provided by the Amazon Web Services platform. AWS integrations are used for AWS and AWS S3 steps in Torq workflows.
Get IDs in Torq
To create an IAM role in AWS, you'll need the Torq Account ID and the AWS External ID, which you'll copy from the AWS integration card in Torq. At this point you're only copying those IDs; you're not creating the AWS integration in Torq.
- Go to the Integrations page and locate the AWS card.
- Click Add.
- Copy the Torq Account ID. You'll need this when you create the IAM role in AWS.
- Copy the AWS External ID. You'll need this when you create the IAM role in AWS.
Create an IAM role in AWS
There are two ways to create an IAM role in AWS: manually (following the steps below) or using a CloudFormation Template (CFT).
- Sign in to the AWS Management Console and access IAM.
- Select Roles > Create role.
- Define the new role.
  - Under Select type of trusted entity, select Another AWS account.
  - In the Account ID field enter the Torq Account ID you copied in the previous step.
  - Select the checkbox Required external ID.
  - In the External ID field enter the AWS External ID you copied in the previous step.
- Click Next: Permissions.
- Create a policy (set of AWS permissions) to assign to the user, group, or role that will be able to use AWS services in Torq steps. You'll get an error if the policy doesn't grant the permissions required to run a specific step.
- Click Next: Tags.
- Enter tags as needed and click Next: Review.
- Enter a meaningful name for the policy and click Create policy.
  - The name must be unique in your AWS account.
  - Policy names are case-insensitive.
  - Policy names can't be changed after the policy is created.
- Go back to the previous tab for the Create role page and click the console's refresh button.
- Filter by the name of the policy you created, select the checkbox next to the policy, and click Next: Review.
- On the Create role - Review page enter a role name.
- Review the role details and click Create role.
- After you're redirected to the IAM > Roles console, enter the name of the role you created and then select the role.
- Copy the Role ARN. You'll need this when you create the AWS integration in Torq.
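The manual steps above produce a role trust policy that names the Torq account as principal and requires the external ID. The following check is an added example, not Torq's or AWS's own code: it audits a trust policy document for those two properties. The account ID and external ID are placeholders, the sample policies are constructed, and the check assumes the `StringEquals` / `sts:ExternalId` form that the console writes.

```python
# Added example: audit an IAM role trust policy against the console steps above.
TORQ_ACCOUNT_ID = "111122223333"         # placeholder; use the Torq Account ID from the AWS card
AWS_EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"  # placeholder; use the AWS External ID from the AWS card

def as_list(value):
    """IAM accepts either a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]

def account_of(principal):
    """Extract the account ID from an ARN principal or a bare account ID."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def audit_trust_policy(policy, account_id, external_id):
    """Return findings; an empty list means the policy matches the console steps."""
    allows = [s for s in as_list(policy.get("Statement", []))
              if s.get("Effect") == "Allow"
              and "sts:AssumeRole" in as_list(s.get("Action", []))]
    if not allows:
        return ["no Allow statement for sts:AssumeRole"]
    findings = []
    for stmt in allows:
        principal = stmt.get("Principal", {})
        trusted = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        if not trusted:
            findings.append("no AWS account principal")
        for p in trusted:
            if p == "*":
                findings.append("wildcard principal: any AWS account is trusted")
            elif account_of(p) != account_id:
                findings.append("unexpected trusted account " + account_of(p))
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            findings.append("sts:ExternalId condition missing")
        elif as_list(cond["sts:ExternalId"]) != [external_id]:
            findings.append("sts:ExternalId does not match the value from Torq")
    return findings

def trust_policy(principal, external_id=None):
    """Build a constructed sample trust policy in the shape the console generates."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

if __name__ == "__main__":
    root = "arn:aws:iam::" + TORQ_ACCOUNT_ID + ":root"
    print(audit_trust_policy(trust_policy(root, AWS_EXTERNAL_ID), TORQ_ACCOUNT_ID, AWS_EXTERNAL_ID))
    print(audit_trust_policy(trust_policy(root), TORQ_ACCOUNT_ID, AWS_EXTERNAL_ID))
    print(audit_trust_policy(trust_policy("*", AWS_EXTERNAL_ID), TORQ_ACCOUNT_ID, AWS_EXTERNAL_ID))
```

To audit a real role, load the JSON shown on the role's Trust relationships tab with `json.load` and pass it as `policy`.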
Create an IAM role in AWS using a CFT
The role name is required for creating an AWS integration in Torq. The CloudFormation Template contains all necessary configurations. You'll have two browser tabs open during this process, one for Torq and one for AWS.
- Log in to your AWS account.
- Go to CloudFormation > Stacks and create a new stack.
- In the Prerequisite - Prepare template section, select the Template is ready checkbox.
- In the Specify template section, select the Upload a template file checkbox.
- Click Next.
- Enter a meaningful name for the stack.
- In a new browser tab, log in to Torq.
- Go to the Integrations page, search for AWS, and click Add. Keep this tab open. You'll be copying and pasting between the two.
- Copy the Torq Workspace ID and paste it in the TorqWorkspaceID field in AWS.
- Copy the AWS External ID and paste this in the AWSExternalID field in AWS.
- In AWS, for the Permission Type field select EC2.
- Click Next until you reach the final page.
- Select the acknowledgment checkbox in the Capabilities section (shaded blue) and click Submit.
- Filter the stacks table by the status In progress. You should be able to see stack creation status.
- Refresh the Events table until the stack's status is CREATE_COMPLETE.
- Go to the Outputs tab and copy the RoleArn value. It will follow this pattern: arn:aws:iam::<number>:role/<stackname>.
- In Torq, paste the RoleArn value in the AWS Role Name field and click Add.
Create an AWS integration in Torq
- Go to the Integrations page, locate the AWS card, and click Add.
- Enter a meaningful name for the integration so you'll be able to identify it when calling it in a workflow.
- Enter the AWS Role ARN that you copied in the previous step. It should look like this: arn:aws:iam::123456789012:role/service-role/PerformMitigationOperations