Connect to AWS
Connect one or more AWS roles to the Kubiya platform, then later connect them to specific AI Agents.
How it works
For organizations that have connected their AWS account, the execution environment (i.e. the Teammate) automatically receives temporary AWS credentials from Kubiya, allowing the agent to use AWS libraries or the AWS CLI with the defined role.
Definitions
These are terms you will come across in Kubiya when integrating with AWS. Here's what they mean:
Role - AWS term referring to a set of policies to be granted to an entity.
AWS Integration - A collective entity representing one or more AWS roles. In other words, it's an entity that creates a grouping of one or more AWS roles, so that you can easily provide agents access to multiple AWS roles without having to specify each individual role every time.
Default role – Because an AWS integration can be a collection of more than one role, the agent needs to know which role to use by default if one hasn't been specified in the instructions it was given. Within each integration, you can choose one default role.
Providing integration access to an agent - An agent is your virtual teammate that will be using your org's AWS accounts to perform its AWS-related tasks. You control the AWS integrations (i.e. collections of AWS roles) your agent has access to. To jump ahead to this step, go here.
Steps
Decide whether to give role-assumption permission to Kubiya (recommended) or to your cluster
Configure role-assumption in AWS (must do once for each role)
Add roles to Kubiya platform
Validate (recommended)
Select roles, default role, and finish
You can perform steps 3 & 4 via Terraform. Check out our Terraform Provider docs to see how.
Step 1: Decide whether to give role-assumption permission to Kubiya or to your cluster
Kubiya offers 2 options for role-assumption:
Give Kubiya permission to assume role (Recommended)
Advantages:
Simpler
Secure
Kubiya can validate role details
Kubiya confirms role-assumption is working
Give your cluster (or an entity within it, e.g. namespace) permission to assume role
Advantage:
Enables AWS integration for companies that need to manage role-assumption using their own cluster
Disadvantages:
Kubiya cannot validate role details nor that role-assumption is working
Requires setting up an EKS service account connected to your cluster
The instructions for configuring role-assumption in AWS differ depending on which approach you choose.
Step 2: Configure role-assumption in AWS (must do once for each role)
Log in to your AWS console and navigate to the Identity and Access Management (IAM) page.
Click on the Roles section
The following differs depending on what you chose in Step 1 (i.e. whether to give permission to Kubiya vs. to your cluster).
Giving Kubiya permission to assume role (Recommended)
To start, there needs to be a role for Kubiya to assume. Your options:
Create a new role for Kubiya
Give Kubiya permission to assume an existing role
If creating a new role for Kubiya:
Click Create Role button in the top right corner
On the next screen, here's the info to fill out:
For "Trusted entity type" select "AWS Account"
Make sure "Another AWS account" is selected
Add Kubiya's Account ID:
564407622114
Do not check the boxes "Require external ID" or "Require MFA"
Click Next
Add permissions (Important: make sure to include all permissions your virtual teammate needs in order to do its work)
Give it a name & description. Then review and click Create Role.
If giving Kubiya permission to assume an existing role:
Go to the role > Trust relationships > Edit trust policy
Add the following principal to the role's trust policy statement:
"AWS" : "arn:aws:iam::564407622114:root"
Click Update Policy
Giving your cluster (or an entity within it) permission to assume role
Assign an AWS role to a service account (Important: make sure the role includes all permissions your virtual teammate needs in order to do its work)
Connect the service account to your cluster, using IAM Roles for Service Accounts (IRSA) in EKS.
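The two trust policies Step 2 asks for, written out in full, as an added example (this is not Kubiya's code and not an official Kubiya tool). The Kubiya account ID is the one given on this page; the account ID, OIDC provider path, namespace and service account name in the cluster option are placeholders you replace with your own. The helper for the "existing role" case only appends a statement when the role does not already trust Kubiya, so it can be run safely against a policy that was edited before.

```python
"""Added example: build the IAM trust policies described in Step 2.

Option 1 (recommended): a role that Kubiya's AWS account may assume.
Option 2 (cluster): a role that an EKS service account may assume via IRSA.
"""
import copy
import json

KUBIYA_ACCOUNT_ID = "564407622114"  # Kubiya's account ID as given on this page
KUBIYA_PRINCIPAL = f"arn:aws:iam::{KUBIYA_ACCOUNT_ID}:root"


def kubiya_trust_statement():
    """The single statement that lets Kubiya's account assume the role."""
    return {
        "Effect": "Allow",
        "Principal": {"AWS": KUBIYA_PRINCIPAL},
        "Action": "sts:AssumeRole",
    }


def kubiya_trust_policy():
    """Complete trust policy for a new role created for Kubiya."""
    return {"Version": "2012-10-17", "Statement": [kubiya_trust_statement()]}


def trusts_kubiya(policy):
    """True if an Allow statement already grants sts:AssumeRole to Kubiya's root principal."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # e.g. "Principal": "*"
            continue
        principals = principal.get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if KUBIYA_PRINCIPAL in principals and "sts:AssumeRole" in actions:
            return True
    return False


def add_kubiya_to_trust_policy(existing):
    """Return a copy of an existing role's trust policy with Kubiya added.

    Idempotent: if the role already trusts Kubiya the copy is returned unchanged,
    so re-running this never duplicates the statement.
    """
    policy = copy.deepcopy(existing)
    if not trusts_kubiya(policy):
        policy.setdefault("Statement", []).append(kubiya_trust_statement())
    return policy


def irsa_trust_policy(account_id, oidc_provider, namespace, service_account):
    """Trust policy for the cluster option (IAM Roles for Service Accounts).

    oidc_provider is the cluster issuer host and path without the scheme, e.g.
    'oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE' (placeholder, not a real cluster).
    The sub condition pins the role to one service account in one namespace.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                        f"{oidc_provider}:aud": "sts.amazonaws.com",
                    }
                },
            }
        ],
    }


if __name__ == "__main__":
    # Placeholder values only; substitute your own account, cluster and namespace.
    print(json.dumps(kubiya_trust_policy(), indent=2))
    print(json.dumps(irsa_trust_policy("123456789012",
                                       "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE",
                                       "kubiya", "kubiya-agent"), indent=2))
```

Paste the printed document into the role's trust policy editor (Roles > the role > Trust relationships > Edit trust policy). The IRSA variant also relies on the service account carrying the role ARN annotation that EKS expects; the permissions the teammate needs go in the role's permissions policy, not in either trust policy.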
Step 3: Add roles to Kubiya Platform
When adding the roles to the Kubiya platform, you can:
Add roles to a new AWS Integration in Kubiya
Add roles to an existing AWS Integration in Kubiya
If adding roles to a new AWS integration
Create the AWS Integration in Kubiya
Go to Kubiya Web App > Integrations
Click the "New Integration" button on the top right
Find AWS and click Add
Give your AWS Integration a name & description that will help you easily identify and remember what it is. For example, refer to which AWS roles it contains or to which types of agents you'll want to use it.
Indicate whether you are giving role-assumption permissions to Kubiya or to your cluster (must align with what you decided in Step 1 and configured in Step 2)
Add AWS role details
In the AWS Roles dropdown, click Add Role
Add the following details for the role:
A name of your choosing (it doesn't have to correlate to the role name in AWS)
The role's full ARN
The AWS region
To add more roles, click Add Role. You can add as many as you'd like.
Important: for each role, permission to assume it must have been granted in AWS. If you're not sure, see Step 2 above ("Step 2: Configure role-assumption in AWS")
If adding to an existing AWS Integration
Go to Kubiya Web App > Integrations
In the AWS Roles dropdown, click Add Role
To add more roles, click Add Role again. For each role, add the following details:
A name of your choosing (it doesn't have to correlate to the role name in AWS)
The role's full ARN
The AWS region
You can add as many roles as you'd like.
Step 4: Validate roles (only available if giving permission to Kubiya)
After adding role details, you will be prompted to click the Validate button. Upon clicking it, the system will check that it's able to assume each role provided. If successful, you'll get a success message.
If some roles cannot be assumed, you will be shown which ones. In that case, check the details both in Kubiya and in AWS.
If you're giving role-assumption permissions to your cluster rather than to Kubiya, you will not be shown a validate button and Kubiya will not be able to validate that role-assumption is working.
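The role details from Step 3 (a name, the full ARN, the region) and the check behind the Validate button in Step 4 can also be exercised from your own machine. The following is an added example, not Kubiya's code: it rejects entries that are not full IAM role ARNs or valid region codes before you paste them into the integration, and then attempts sts:AssumeRole against every ARN, reporting exactly which ones cannot be assumed. The `FakeSts` class is a constructed stand-in so the script runs offline; against real AWS, pass a boto3 STS client instead, and run it with credentials that are allowed to assume the roles (the Kubiya option relies on Kubiya's account having that trust, so a clean result from your own credentials does not by itself prove Kubiya's validation will pass).

```python
"""Added example: pre-check role entries and try to assume each role.

validate_roles() mirrors what the Validate button does: one sts:AssumeRole
call per role, collecting the failures instead of stopping at the first.
"""
import re

# IAM role ARN: arn:<partition>:iam::<12-digit account>:role/<optional path/>RoleName
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-cn|-us-gov)?:iam::\d{12}:role/[\w+=,.@/-]+$")
# Region code such as us-east-1, eu-central-1, us-gov-west-1
REGION_RE = re.compile(r"^[a-z]{2}(?:-gov)?-[a-z]+-\d+$")


def check_role_entry(name, arn, region):
    """Return a list of problems with one role entry (empty list means it looks fine)."""
    problems = []
    if not name.strip():
        problems.append("name is empty")
    if not ROLE_ARN_RE.match(arn):
        problems.append(f"not a full IAM role ARN: {arn!r}")
    if not REGION_RE.match(region):
        problems.append(f"not a region code: {region!r}")
    return problems


def validate_roles(arns, sts_client, session_name="kubiya-validation"):
    """Try to assume every role. Returns {arn: None if it worked, else the error text}.

    sts_client needs an assume_role(RoleArn=..., RoleSessionName=...) method;
    boto3's STS client provides exactly that signature.
    """
    results = {}
    for arn in arns:
        try:
            # A successful call returns temporary credentials; we only record that it worked.
            sts_client.assume_role(RoleArn=arn, RoleSessionName=session_name)
            results[arn] = None
        except Exception as exc:  # botocore raises ClientError; keep the message only
            results[arn] = str(exc)
    return results


def failed_roles(results):
    """ARNs that could not be assumed, in the order they were checked."""
    return [arn for arn, err in results.items() if err is not None]


class FakeSts:
    """Constructed offline stand-in for the STS client: assumes only the listed ARNs."""

    def __init__(self, allowed):
        self.allowed = set(allowed)

    def assume_role(self, RoleArn, RoleSessionName):
        if RoleArn not in self.allowed:
            raise RuntimeError(f"AccessDenied: not authorized to assume {RoleArn}")
        return {"Credentials": {"AccessKeyId": "ASIA-PLACEHOLDER"}}


if __name__ == "__main__":
    # Constructed sample entries; the account ID and role names are placeholders.
    entries = [
        ("prod-readonly", "arn:aws:iam::123456789012:role/ReadOnly", "us-east-1"),
        ("bad-entry", "ReadOnly", "useast1"),
    ]
    for name, arn, region in entries:
        print(name, check_role_entry(name, arn, region) or "ok")

    client = FakeSts(allowed={"arn:aws:iam::123456789012:role/ReadOnly"})
    # For real AWS replace the line above with: client = boto3.client("sts")
    results = validate_roles([e[1] for e in entries if not check_role_entry(*e)], client)
    print("failed:", failed_roles(results))
```

When a role shows up in the failed list, the usual causes are the ones the page points at: the trust policy in AWS does not name the assuming principal, or the ARN entered in Kubiya does not match the role that was actually configured.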
Step 5: Select roles, default role, and finish
After adding the roles to the integration, select which roles you want to actively be a part of the AWS integration.
Among them, you will need to select a default role, which is the role your virtual teammate will use by default if one hasn't been specified in the instructions it was given. You can select only one default role.
When finished selecting roles and the default role, click Create Integration or Update Integration.
You're done! Connecting this integration to your agent is quick and easy. Click here to see how.
Editing or removing a role
Go to Kubiya Web App > Integrations
Update the information of the role or delete the role.
Click Validate (only relevant if giving Kubiya permission to assume role). Kubiya will re-validate all roles listed.
If successful, click Update Integration. If you get an error message, check the details of the roles marked in red both in Kubiya and in AWS.
Note: if you'd like to remove a role temporarily, you can simply de-select it from the AWS Roles dropdown rather than deleting it altogether.