Skip to main content

AWS IAM + Indent Webhook

This guide will show you how to setup an integration between Indent and AWS IAM. Once complete, you'll be able to grant access and create policies based on your existing AWS IAM Groups.

Components

note

This page assumes you completed the Indent Quickstart. (5 min setup)

Configuration

This guide uses GitHub Actions and Terraform to deploy an Indent + AWS IAM integration. S3 will be used to store Terraform state, and AWS Lambda will run the webhook.

1. Cloning the repo

  • Click on the Use This Template button to clone the repo
  • In your new repo go to Settings → Secrets → Actions
  • Leave this tab open for adding secrets from the next steps

2. Configuring the S3 bucket

  • Go to AWS S3 and select an existing bucket or create a new one
    • Most of the default settings are good, but some recommended values are:
      • Name — easily identifiable name for the bucket, such as indent-deploy-state-123
      • Region — where you plan to deploy the Lambda, like us-west-2
      • Bucket versioning — if you want to have revisions of past deployments, otherwise pick disabled
      • Default encryption — enable for server-side encryption for deployment files
    • This integration currently assumes your region is us-west-2, and you want S3 encryption turned on. If you choose other settings, update your main.tf values accordingly.
  • In a new tab open main.tf from your GitHub repo, and change the empty value for backend to the name of your bucket
    note

    In main.tf, only update the empty bucket value in the Terraform block.

3. Configuring AWS credentials

  • Go to AWS IAM → Add Users and create a new user for deploys, such as indent-terraform-deployer
  • Configure the service account's access:
    • Credential type — select Access key - Programmatic access
    • Permissions — click Attach existing policies directly and select AdministratorAccess
    • Follow the prompts until the account is created
  • Add the resulting values as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to GitHub Secrets

4. Deploying

  • On your Indent dashboard go to Integrations → Catalog → AWS IAM OR follow this link
    • Copy the webhook secret, and in a new tab add it to your GitHub Secrets as INDENT_WEBHOOK_SECRET
    • Leave this AWS IAM integrations page open for the next step
  • From your repo navigate to GitHub Actions → The latest job → deploy.webhook, and follow the prompts to run the workflow
    • Click the new deploy.webhook, and copy the URL printed in the Terraform Output section
    • On your Indent + AWS IAM integrations page, paste and save the URL you just copied

5. Granting AWS IAM access

  • Go to AWS IAM → Users and find the IAM user for the lambda created during deploy
  • Grant the IAM user created for the lambda the necessary roles to manage access (e.g. CreateUser, AddUserToGroup) or full IAM management access

Using Indent + AWS IAM Groups

Congrats! Your AWS IAM integration is ready. You can test that everything is set correctly by navigating to your Integrations page, and clicking Pull from Integrations. On a successful pull, you will see new AWS IAM Groups appear in your Resources list.

Now it's time to use Indent for requesting membership to an AWS IAM group.

  1. Try visiting the request page on the Indent dashboard, or created a request in Slack
    • If you have the Slack integration setup, you can type /access or click the lightning bolt to submit a request
  2. On your Petitions page you should be able to see your request as part of a petition. Try clicking the petition to view more details.
    • From the petition details page, click the Review Petition button and follow the prompts

Once approved, you should be able to visit your AWS IAM dashboard, and see yourself as a member of the AWS IAM group you requested.

Summary

You added an Indent + AWS IAM Groups integration. You're now able to approve secure, temporary access to AWS IAM Groups.

Try adding an Indent + Tailscale, for secure on-demand production access.

Questions

Where do I view the code I'm deploying?
There are direct code examples in the **[Indent APIs GitHub](https://github.com/indentapis/template-aws-lambda-aws-iam)**. Take a look at the code that runs in these webhooks:
Where can I find a list of all of the secrets?
NameDescription
INDENT_WEBHOOK_SECRETGet this from the Indent Webhook you created while setting up your space
AWS_REGIONThe AWS Region where you want to deploy the webhooks
AWS_ACCESS_KEY_IDYour Programmatic AWS Access Key ID
AWS_SECRET_ACCESS_KEYYour Programmatic AWS Secret Access Key
AWS_SESSION_TOKENOptional: Your AWS Session Token.
Note: If you use an AWS Session ID you will need to update it for each deployment once the session expires
How do I redeploy the webhook?
The repo you created from a template auto-deploys to AWS when you push or merge PRs to the `main` branch. You can manually redeploy the webhooks by re-running the [latest GitHub Action job](https://docs.github.com/en/actions/managing-workflow-runs/re-running-workflows-and-jobs).
How do I ask for help?
If you have questions or need help with your integration, try chatting with [Indent Support](https://indent.com/support).