AWS IAM Integration
This guide will show you how to setup an integration between Indent and AWS IAM. Once complete, you'll be able to grant access and create policies based on your existing AWS IAM Groups.
Components
This page assumes you completed the Indent Quickstart. (5 min setup)
Configuration
This guide uses GitHub Actions and Terraform to deploy an Indent + AWS IAM integration. S3 will be used to store Terraform state, and AWS Lambda will run the webhook.
1. Cloning the repo
- Click on the Use This Template button to clone the repo
- In your new repo go to Settings → Secrets → Actions
- Leave this tab open for adding secrets from the next steps
2. Configuring the S3 bucket
- Go to AWS S3 and select an existing bucket or create a new one
- Most of the default settings are good, but some recommended values are:
- Name — easily identifiable name for the bucket, such as
indent-deploy-state-123 - Region — where you plan to deploy the Lambda, like
us-west-2 - Bucket versioning — if you want to have revisions of past deployments, otherwise pick
disabled - Default encryption —
enablefor server-side encryption for deployment files
- Name — easily identifiable name for the bucket, such as
- This integration currently assumes your region is
us-west-2, and you want S3 encryption turned on. If you choose other settings, update yourmain.tfvalues accordingly.
- Most of the default settings are good, but some recommended values are:
- In a new tab open
main.tffrom your GitHub repo, and change the empty value forbackendto the name of your bucketnoteIn
main.tf, only update the empty bucket value in the Terraform block.
3. Configuring AWS credentials
- Go to AWS IAM → Add Users and create a new user for deploys, such as
indent-terraform-deployer - Configure the service account's access:
- Credential type — select Access key - Programmatic access
- Permissions — click Attach existing policies directly and select
AdministratorAccess - Follow the prompts until the account is created
- Add the resulting values as
AWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEYto GitHub Secrets
4. Deploying
- On your Indent dashboard go to Integrations → Catalog → AWS IAM OR follow this link
- Copy the webhook secret, and in a new tab add it to your GitHub Secrets as
INDENT_WEBHOOK_SECRET - Leave this AWS IAM integrations page open for the next step
- Copy the webhook secret, and in a new tab add it to your GitHub Secrets as
- From your repo navigate to GitHub Actions → The latest job → deploy.webhook, and follow the prompts to run the workflow
- Click the new deploy.webhook, and copy the URL printed in the Terraform Output section
- On your Indent + AWS IAM integrations page, paste and save the URL you just copied
5. Granting AWS IAM access
- Go to AWS IAM → Roles and find the IAM role for the lambda created during deploy
- Grant the IAM role created for the lambda the necessary roles to manage access (e.g. CreateUser, AddUserToGroup) or full IAM management access
Using Indent + AWS IAM Groups
Congrats! Your AWS IAM integration is ready. You can test that everything is set correctly by navigating to your Integrations page, and clicking Pull from Integrations. On a successful pull, you will see new AWS IAM Groups appear in your Resources list.
Now it's time to use Indent for requesting membership to an AWS IAM group.
- Try visiting the request page on the Indent dashboard, or created a request in Slack
- If you have the Slack integration setup, you can type
/accessor click the lightning bolt to submit a request
- If you have the Slack integration setup, you can type
- On your Petitions page you should be able to see your request as part of a petition. Try clicking the petition to view more details.
- From the petition details page, click the Review Petition button and follow the prompts
Once approved, you should be able to visit your AWS IAM dashboard, and see yourself as a member of the AWS IAM group you requested.
Summary
You added an Indent + AWS IAM Groups integration. You're now able to approve secure, temporary access to AWS IAM Groups.
Try adding an Indent + Tailscale, for secure on-demand production access.
Questions
Where do I view the code I'm deploying?
Where can I find a list of all of the secrets?
| Name | Description |
|---|---|
| INDENT_WEBHOOK_SECRET | Get this from the Indent Webhook you created while setting up your space |
| AWS_REGION | The AWS Region where you want to deploy the webhooks |
| AWS_ACCESS_KEY_ID | Your Programmatic AWS Access Key ID |
| AWS_SECRET_ACCESS_KEY | Your Programmatic AWS Secret Access Key |
| AWS_SESSION_TOKEN | Optional: Your AWS Session Token. Note: If you use an AWS Session ID you will need to update it for each deployment once the session expires |
How do I redeploy the webhook?
The repo you created from a template auto-deploys to AWS when you push or merge PRs to the main branch. You can manually redeploy the webhooks by re-running the latest GitHub Action job.
How do I ask for help?
If you have questions or need help with your integration, try chatting with Indent Support.