Configure AWS access using IAM role for EC2

This method allows you to create an IAM role for C8 and assume it from another role.

Step 1: Create IAM Role for EC2

Please refer to the official AWS documentation about creating an AWS IAM role for the EC2

Step 2: Create IAM Role to assume by EC2 instance role.

Step 2.1: Download IAM Policy

Download the IAM policy that grants read permissions to all AWS resources:

curl -o sh-c8-discovery-policy.json https://configure8-resources.s3.us-east-2.amazonaws.com/iam/sh-c8-discovery-policy.json

Step 2.2: Create IAM Policy

Create the IAM policy:

aws iam create-policy --policy-name sh-c8-discovery-policy --policy-document file://sh-c8-discovery-policy.json

Step 2.3: Create IAM Role

Create an IAM role that can be assumed by EC2 roles:

Name
Description

$account_id

The AWS account id from which you want to allow run discovery

$ec2_role

The AWS role name from which you want to allow run discovery

# Generate a JSON file for the trust relationship
cat >trust-relationship.json <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${account_id}:role/${ec2_role}"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
EOF

Create an IAM role with a defined trust relationship and description

aws iam create-role --role-name sh-c8-discovery --assume-role-policy-document file://trust-relationship.json --description "sh-c8-discovery"

Attach the sh-c8-discovery-policy policy to the sh-c8-discovery role

aws iam attach-role-policy --role-name sh-c8-discovery --policy-arn=arn:aws:iam::${account_id}:policy/sh-c8-discovery-policy

Note If you want to discover more AWS accounts, please repeat the 2nd step for each account.

PreviousConfigure AWS access for the discovery job using service account (AWS EKS)NextConfigure AWS access using access keys for IAM users

Last updated

Copyright © 2023 configure8, Inc. All rights reserved.