Connect to AWS

Connect 1 or more AWS roles to the Kubiya platform, then later connect them to specific AI Agents.

How it works

For organizations that have connected their AWS account, the execution environment (i.e. the Teammate) automatically gets temporary AWS credentials from Kubiya, allowing the agent to use AWS libraries or the AWS CLI with the defined role.

Definitions

These are terms you will come across in Kubiya when integrating with AWS. Here's what they mean:

  1. Role - AWS term referring to a set of policies to be granted to an entity.

  2. AWS Integration - A collective entity representing one or more AWS roles. In other words, it's an entity that creates a grouping of one or more AWS roles, so that you can easily provide agents access to multiple AWS roles without having to specify each individual role every time.

  3. Default role – Because an AWS integration can be a collection of more than 1 role, the agent needs to know which role to use by default if one hasn't been specified in the instructions it was given. Within each integration, you can choose one default role.

  4. Providing integration access to an agent - An agent is your virtual teammate that will be using your org's AWS accounts to perform its AWS-related tasks. You control the AWS integrations (i.e. collections of AWS roles) your agent has access to. To jump ahead to this step, go here.

Steps

  1. Decide whether to give role-assumption permission to Kubiya (recommended) or to your cluster

  2. Configure role-assumption in AWS (must do once for each role)

  3. Add roles to Kubiya platform

  4. Validate (recommended)

  5. Select roles, default role, and finish

You can perform steps 3 & 4 via Terraform. Check out our Terraform Provider docs to see how.

Step 1: Decide whether to give role-assumption permission to Kubiya or to your cluster

Kubiya offers 2 options for role-assumption:

Give Kubiya permission to assume role (Recommended)

Advantages:

  • Simpler

  • Secure

  • Kubiya can validate role details

  • Kubiya can confirm role-assumption is working

Give your cluster (or an entity within it, e.g. namespace) permission to assume role

Advantage:

  • Enables AWS integration for companies that need to manage role-assumption using their own cluster

Disadvantages:

  • Kubiya cannot validate role details or confirm that role-assumption is working

  • Requires setting up an EKS service account connected to your cluster

The instructions for configuring role-assumption in AWS differ depending on which approach you choose.

Step 2: Configure role-assumption in AWS (must do once for each role)

  1. Log in to your AWS console and navigate to the Identity and Access Management (IAM) page.

  2. Click on the Roles section

The following differs depending on what you chose in Step 1 (i.e. whether to give permission to Kubiya vs. to your cluster).

Giving Kubiya permission to assume role (Recommended)

To start, there needs to be a role for Kubiya to assume. Your options:

  1. Create a new role for Kubiya

  2. Give Kubiya permission to assume an existing role

If creating a new role for Kubiya:

Click the Create Role button in the top right corner

On the next screen, here's the info to fill out:

  1. For "Trusted entity type" select "AWS Account"

  2. Make sure "Another AWS account" is selected

  3. Add Kubiya's Account ID: 564407622114

  4. Do not check the boxes "Require external ID" or "Require MFA"

  5. Click Next

Add permissions (Important: make sure to include all permissions your virtual teammate needs in order to do its work)

Give it a name & description. Then review and click Create Role.

If giving Kubiya permission to assume an existing role:

  1. Go to the role > Trust relationships > Edit trust policy

  2. Add "AWS" : "arn:aws:iam::564407622114:root"

  3. Click Update Policy
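
The trust-policy edit described above, shown as an added example (not Kubiya's own code) that works on a policy document offline: it appends an Allow statement for the Kubiya account principal if none exists, and reports condition keys of the kind the "Require external ID" and "Require MFA" options produce. The function names and the sample policy are constructed for illustration.

```python
import copy
import json

KUBIYA_PRINCIPAL = "arn:aws:iam::564407622114:root"  # account ID given on this page
# Condition keys the console adds for "Require external ID" / "Require MFA"
BLOCKING_KEYS = {"sts:externalid", "aws:multifactorauthpresent"}

def _as_list(value):
    # IAM allows a single value or a list for Statement, Action and Principal entries
    return value if isinstance(value, list) else [value]

def kubiya_statements(policy):
    """Return Allow statements that let the Kubiya account call sts:AssumeRole."""
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action", []))
        if (stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions
                and (KUBIYA_PRINCIPAL in aws or "564407622114" in aws)):
            found.append(stmt)
    return found

def blocking_conditions(stmt):
    """List external-ID / MFA condition keys present on a statement."""
    keys = []
    for operator_block in stmt.get("Condition", {}).values():
        keys += [k for k in operator_block if k.lower() in BLOCKING_KEYS]
    return keys

def add_kubiya_trust(policy):
    """Return a copy of the trust policy with a Kubiya statement appended if missing."""
    updated = copy.deepcopy(policy)
    updated["Statement"] = _as_list(updated.get("Statement", []))
    if not kubiya_statements(updated):
        updated["Statement"].append({
            "Effect": "Allow",
            "Principal": {"AWS": KUBIYA_PRINCIPAL},
            "Action": "sts:AssumeRole",
        })
    return updated

# Constructed sample: an existing role trusted only by EC2.
existing = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(json.dumps(add_kubiya_trust(existing), indent=2))
```

The printed document is what would be pasted into Edit trust policy; existing statements are kept unchanged.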

Giving your cluster (or an entity within it) permission to assume role

  1. Assign an AWS role to a service account (Important: make sure the role includes all permissions your virtual teammate needs in order to do its work)

  2. Connect the service account to your cluster, using IAM roles for EKS Service Account.

Step 3: Add roles to Kubiya Platform

When adding the roles to the Kubiya platform, you can:

  1. Add roles to a new AWS Integration in Kubiya

  2. Add roles to an existing AWS Integration in Kubiya

If adding roles to a new AWS integration

Create the AWS Integration in Kubiya

Go to Kubiya Web App > Integrations

Click the "New Integration" button on the top right

Find AWS and click Add

Give your AWS Integration a name & description that will help you easily identify and remember what it is. For example, refer to which AWS roles it contains or to which types of agents you'll want to use it.

Indicate whether you are giving role-assumption permissions to Kubiya or to your cluster (must align with what you decided in Step 1 and configured in Step 2)

Add AWS role details

In the AWS Roles dropdown, click Add Role

Add the following details for the role:

  • A name of your choosing (it doesn't have to correlate to the role name in AWS)

  • The role's full ARN

  • The AWS region

To add more roles, click Add Role. You can add as many as you'd like.

Important: for each role, permission to assume it must have been granted in AWS. If you're not sure, see Step 2 above ("Step 2: Configure role-assumption in AWS")

If adding to an existing AWS Integration

Go to Kubiya Web App > Integrations

In the AWS Roles dropdown, click Add Role

To add more roles, click Add Role and add the following details:

  • A name of your choosing (it doesn't have to correlate to the role name in AWS)

  • The role's full ARN

  • The AWS region

You can add as many roles as you'd like.

Step 4: Validate roles (only available if giving permission to Kubiya)

After adding role details, you will be prompted to click the Validate button. Upon clicking it, the system will check that it's able to assume each role provided. If successful, you'll get a success message.

If some roles cannot be assumed, you will be shown which ones. In that case, check the details both in Kubiya and in AWS.

If you're giving role-assumption permissions to your cluster rather than to Kubiya, you will not be shown a validate button and Kubiya will not be able to validate that role-assumption is working.

Step 5: Select roles, default role, and finish

After adding the roles to the integration, select which roles you want to actively be a part of the AWS integration.

Among them, you will need to select a default role, which is the role your virtual teammate will use by default if one hasn't been specified in the instructions it was given. You can select only one default role.

When finished selecting roles and the default role, click Create Integration or Update Integration.

You're done! Connecting this integration to your agent is quick and easy. Click here to see how.

Editing or removing a role

Go to Kubiya Web App > Integrations

  1. Update the information of the role or delete the role.

  2. Click Validate (only relevant if giving Kubiya permission to assume role). Kubiya will re-validate all roles listed.

  3. If successful, click Update Integration. If you get an error message, check the details of the roles marked in red both in Kubiya and in AWS.

Note: if you'd like to remove a role temporarily, you can simply de-select it from the AWS Roles dropdown rather than deleting it altogether.
