AWS (Legacy)

Connect your AWS infrastructure to use Opal to manage and review access.

Opal's AWS integration lets you manage access to the following services:

  • IAM Roles: Grant temporary and audited access to any AWS IAM role.
  • EC2 (Elastic Compute Cloud): Grant temporary and audited SSH sessions to any EC2 instance.
  • RDS (Relational Database Service): Grant temporary and audited database access to Postgres and MySQL databases on RDS.
  • EKS (Elastic Kubernetes Service): Grant temporary and audited access to any Kubernetes role on EKS.

You can connect your AWS accounts to Opal with your desired permission scopes in a few simple steps.

Getting Started

To get started, go to the Catalog page, click + App at the top right, and then click the Amazon Web Services tile.


You will see a form to complete. Opal requires the following setup in order to manage access to your AWS accounts.

Step 1 - Create an IAM User for Opal

In order for Opal to manage AWS on your behalf, we'll need an IAM user with proper permission scopes.

Opal requires fairly sensitive permissions in order to manage access to your environments. We want to give you full transparency into how our systems operate, so you can use either of the two equivalent methods below to scope your IAM user. Note that the resulting policy grants iam:CreateRole, iam:PutRolePolicy, iam:AttachRolePolicy and sts:AssumeRole on all resources, which makes this user effectively administrative in the account; protect its credentials accordingly.

Using Opal's CloudFormation template

You can use the following AWS CloudFormation stack to make an IAM user with the permissions needed for all our features:

https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=opalIAMUserCreator&templateURL=https://opal-cloudformation-public.s3.us-east-2.amazonaws.com/opalawsiamuser.template

Manually scoping Opal permissions

If you'd like to manually scope down Opal's permissions, here are the policy statements needed to support each function, so you can mix and match. IAM does not accept comments in policy documents, so each feature's actions are given as a separate statement below: keep the first statement in every case and drop the statements for features you don't use.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RequiredForAllUseCases",
            "Effect": "Allow",
            "Action": [
                "sts:TagSession",
                "sts:GetFederationToken"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IamRolesSupport",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AwsRoleCreation",
            "Effect": "Allow",
            "Action": [
                "access-analyzer:ValidatePolicy",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:TagRole",
                "iam:AttachRolePolicy",
                "iam:GetPolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SshAccessToEc2Instances",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ssm:DescribeInstanceProperties",
                "ssm:GetConnectionStatus",
                "ssm:TerminateSession",
                "ssm:StartSession",
                "ssm:DescribeSessions",
                "ssm:SendCommand"
            ],
            "Resource": "*"
        },
        {
            "Sid": "RevokeSshAndRdsUserSessions",
            "Effect": "Allow",
            "Action": [
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:PutUserPolicy",
                "iam:DeleteUserPolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "RdsSupport",
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances",
                "rds:DescribeDBClusters",
                "rds-db:connect"
            ],
            "Resource": "*"
        },
        {
            "Sid": "EksSupport",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "iam:ListRoleTags",
                "iam:ListRoles"
            ],
            "Resource": "*"
        }
    ]
}
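As an added example (this is not Opal's tooling or part of the original page), the following Python composes a valid IAM policy document from the per-feature action groups listed above, always including the permissions required for all use-cases, and checks an existing policy document for any actions Opal would still need. The feature keys ("base", "iam_roles", "ec2_ssh", ...), the function names and the sample existing policy are this example's own constructions; the action names are taken from the policy above.

```python
"""Compose and check the Opal IAM user policy from the per-feature action
groups on this page.  Added example; not Opal's own tooling."""
import json

# Action groups exactly as listed in the manual-scoping policy above.
# The short keys ("base", "iam_roles", ...) are labels chosen for this example.
ACTIONS = {
    "base": ["sts:TagSession", "sts:GetFederationToken"],
    "iam_roles": ["iam:GetRole", "iam:GetRolePolicy", "iam:PutRolePolicy",
                  "iam:DeleteRolePolicy"],
    "role_creation": ["access-analyzer:ValidatePolicy", "iam:CreatePolicy",
                      "iam:CreateRole", "iam:TagRole", "iam:AttachRolePolicy",
                      "iam:GetPolicy"],
    "ec2_ssh": ["ec2:DescribeInstances", "ssm:DescribeInstanceProperties",
                "ssm:GetConnectionStatus", "ssm:TerminateSession",
                "ssm:StartSession", "ssm:DescribeSessions", "ssm:SendCommand"],
    "session_revocation": ["iam:GetUser", "iam:GetUserPolicy",
                           "iam:PutUserPolicy", "iam:DeleteUserPolicy"],
    "rds": ["rds:DescribeDBInstances", "rds:DescribeDBClusters", "rds-db:connect"],
    "eks": ["sts:AssumeRole", "eks:DescribeCluster", "eks:ListClusters",
            "iam:ListRoleTags", "iam:ListRoles"],
}

# Constructed sample of a policy already attached to an IAM user (not real data).
EXISTING_POLICY_EXAMPLE = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow",
                  "Action": ["sts:tagsession", "sts:GetFederationToken", "iam:GetRole"],
                  "Resource": "*"},
}


def build_policy(features):
    """Return an IAM policy document (dict) for the selected feature keys.

    The base group is always included, and each group becomes its own
    Statement so the policy stays reviewable.  Resource is "*" as on this page.
    """
    unknown = set(features) - set(ACTIONS)
    if unknown:
        raise ValueError(f"unknown feature(s): {sorted(unknown)}")
    selected = ["base"] + sorted(f for f in features if f != "base")
    statements = [
        {"Sid": "Opal" + "".join(part.capitalize() for part in f.split("_")),
         "Effect": "Allow",
         "Action": ACTIONS[f],
         "Resource": "*"}
        for f in selected
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def build_policy_json(features, indent=2):
    """Serialize build_policy() for use with a policy-document file."""
    return json.dumps(build_policy(features), indent=indent)


def allowed_actions(policy):
    """Lower-cased Allow actions in an existing policy document.

    Accepts Statement and Action as a single object or a list.  Wildcards such
    as "iam:*" are returned verbatim; this helper does not expand them.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    found = set()
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        found.update(a.lower() for a in actions)
    return found


def missing_actions(existing_policy, features):
    """Actions Opal needs for `features` that `existing_policy` does not allow.

    Matching is case-insensitive (IAM action names are) but exact, so a
    wildcard in the existing policy covers nothing here and the result may
    over-report in that case.
    """
    have = allowed_actions(existing_policy)
    return sorted(action
                  for st in build_policy(features)["Statement"]
                  for action in st["Action"]
                  if action.lower() not in have)


if __name__ == "__main__":
    print(build_policy_json({"iam_roles", "ec2_ssh"}))
    print("still needed for IAM roles:",
          missing_actions(EXISTING_POLICY_EXAMPLE, {"iam_roles"}))
```

Writing the output of build_policy_json() to a file and passing it to `aws iam create-policy --policy-document file://opal-policy.json` gives you a customer-managed policy you can attach to the IAM user created in Step 1; missing_actions() is a quick pre-check before reusing an existing user, with the caveat that it does not expand wildcards.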

Step 2 - Fill out Opal form

Back in the Create App form, fill in details about your newly-created AWS IAM user.