AWS IAM role for CodeCommit

To allow Fluid Attacks to access your CodeCommit repositories, you must create an IAM role that grants cross-account access.

The process involves three steps:

1. Obtain the external ID that Fluid Attacks generates for your organization. To do this, access the platform , navigate to Credentials > Add credentials > Add manually and choose AWS Role as credentials type.
2. Create the IAM role using that external ID as a shared secret to verify that role assumption requests originate from Fluid Attacks.
3. Provide the role’s Amazon Resource Name (ARN) in the Fluid Attacks platform.

You can set up the role using either of the following methods:

1. Manually through the AWS Management Console 
2. Programmatically using AWS CloudFormation templates 

Manual configuration from AWS Management Console

Follow these steps to create the required role through the AWS user interface:

1. Sign in to the AWS Management Console using an account with permissions to create IAM roles and attach policies.
2. Use the search bar to locate the IAM service and select it.

1. In the IAM Dashboard, select Roles from the left sidebar menu.

1. Click the Create role button.

1. In the Trusted entity type section, select Custom trust policy.

1. In the code editor that appears below, paste the following JSON policy:

{  "Version": "2012-10-17",  "Statement": [    {      "Sid": "FluidAttacksAccess",      "Effect": "Allow",      "Principal": {        "AWS": "*"      },      "Action": "sts:AssumeRole",      "Condition": {        "ArnEquals": {          "aws:PrincipalArn": "arn:aws:iam::205810638802:role/prod_integrates"        },        "StringEquals": {          "sts:ExternalId": "<YOUR-EXTERNAL-ID>"        }      }    }  ]}

Replace <YOUR-EXTERNAL-ID> with the external ID  that Fluid Attacks generated for your organization.

Trust policy breakdownThe trust policy above contains four key elements:

1. Principal ( "AWS": "*" )**:** Although this field allows any AWS account to assume the role, the conditions below restrict actual access.
2. Action ( sts:AssumeRole )**:** This action permits external entities to assume the role.
3. Condition ( aws:PrincipalArn )**:** This condition restricts role assumption exclusively to Fluid Attacks’ production role (arn:aws:iam::205810638802:role/prod_integrates).
4. Condition ( sts:ExternalId )**:** This shared secret between Fluid Attacks and your organization verifies that assumption requests genuinely originate from Fluid Attacks, preventing unauthorized access.

Assign permissions to the role27. Click Next to proceed to the permissions configuration. You may select the ReadOnlyAccess permission, but Step 8 shows you a recommended user-managed policy used to clone CodeCommit repositories.

1. Create or attach a policy that grants access to your CodeCommit repositories. To follow the principle of least privilege, this is the policy Fluid Attacks recommends:

{  "Version": "2012-10-17",  "Statement": [    {      "Sid": "CodeCommitAccess",      "Effect": "Allow",      "Action": ["codecommit:Get*", "codecommit:GitPull"],      "Resource": ["<REPO-ARN>"]    }  ]}

Replace <REPO-ARN> with the actual ARN of your repository. To grant access to multiple repositories, add their ARNs to the Resource array.

1. Click Next to review your role configuration.
2. Provide a name for the role (e.g., FluidAttacksCodeCommit) and add a description.

1. Click Create role to finish the setup.
2. Locate your new role in the IAM roles list and click on it to view its details.
3. Copy the ARN (Amazon Resource Name) displayed at the top of the role summary. You need this value to complete the configuration  in the Fluid Attacks platform.

Use AWS CloudFormation templates

You can automate the role creation process using AWS CloudFormation. This method is ideal for infrastructure-as-code workflows and multi-account deployments.

First, create the template, then, deploy it using either of the following options:

1. AWS CLI 
2. AWS Management Console 

Create the CloudFormation template

1. Create a new file with a .yaml extension.
2. Copy the following CloudFormation template into the file:

Resources:  CodeCommitAccessRole:    Type: AWS::IAM::Role    Properties:      AssumeRolePolicyDocument:        Version: "2012-10-17"        Statement:          - Effect: Allow            Action:              - "sts:AssumeRole"            Principal:              AWS:                - "*"            Condition:              ArnEquals:                aws:PrincipalArn: "arn:aws:iam::205810638802:role/prod_integrates"              StringEquals:                sts:ExternalId: "<YOUR-EXTERNAL-ID>"      Description: Role to grant Fluid Attacks access to CodeCommit repositories      ManagedPolicyArns:        - arn:aws:iam::aws:policy/AWSCodeCommitReadOnly      RoleName: FluidAttacksCodeCommit

1. Replace <YOUR-EXTERNAL-ID> with the external ID  that Fluid Attacks generated for your organization.
2. Save the file.

Deploy using the AWS CLI

1. Install the AWS CLI  if you have not already done so.
2. Configure your security credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) for a user with permissions to create CloudFormation stacks and IAM resources.
3. Run the following command to deploy the stack:

aws cloudformation deploy --template-file <path/to/template.yaml> \  --stack-name <stack-name> \  --capabilities CAPABILITY_NAMED_IAM

Replace <path/to/template.yaml> with the path to your template file and <stack-name> with a descriptive name (e.g., fluid-attacks-codecommit).

1. After the deployment completes, retrieve the role ARN by running this:

aws iam get-role --role-name "FluidAttacksCodeCommit"

The command returns a JSON response containing the role details, including the ARN.

Deploy using the AWS Management Console

1. Sign in to the AWS Management Console using an account with permissions to perform read and write operations for CloudFormation and IAM resources.
2. Use the search bar to locate the CloudFormation service and select it.

1. In the CloudFormation Dashboard, click the Create stack dropdown and select With new resources (standard).

1. Under Prerequisite - Prepare template, select Template is ready and, under Specify template, select Upload a template file, then click Choose file and select the template you created.

1. Click Next to proceed.
2. Enter a name for the stack and click Next.

1. On the Configure stack options page, you can leave the default settings. Click Next.
2. On the review page, scroll to the Capabilities section at the bottom and check the box acknowledging that CloudFormation may create IAM resources with custom names.

1. Click Submit to begin the deployment and wait for the stack status to show ‘CREATE_COMPLETE’.
2. Navigate to the Resources tab and click the Physical ID link for the role resource. This redirects you to the IAM Dashboard.
3. Copy the ARN from the role summary to use in the Fluid Attacks platform.

Troubleshooting

If you encounter issues when adding your AWS environment to the Fluid Attacks platform, verify the following:

1. Role permissions: Confirm that the role has the AWSCodeCommitReadOnly managed policy attached, or that your custom policy includes the codecommit:Get* and codecommit:GitPull actions for the target repositories.
2. External ID: Ensure that the external ID in your role’s trust policy matches the external ID assigned to your organization by Fluid Attacks. A mismatch will cause role assumption to fail.
3. Repositories encrypted with custom AWS KMS Customer Managed Keys (CMK) may fail to clone with authentication errors(403). This occurs because custom KMS keys require explicit decrypt permissions that must be configured for both the CodeCommit service and individual users attempting to clone the repository, solutions:
4. Switch to AWS Managed Keys: Change your repository encryption settings to use the default AWS managed key (aws/codecommit). This automatically handles all necessary permissions.
5. If using custom CMK: Ensure your KMS key policy grants decrypt permissions to CodeCommit and IAM users have kms:Decrypt on the key. See AWS KMS Key Policies.