--- description: "Create an AWS IAM role to grant Fluid Attacks cross-account access to your CodeCommit repositories using the management console or CloudFormation." keywords: "AWS management console, IAM role, AWS integration, Fluid Attacks scanner, iam role, Cloudformation templates, Fluid Attacks documentation" other: private: false title: Set up an AWS IAM role --- # Set up an AWS IAM role import { Image } from "@/components/image"; To allow Fluid Attacks to access your CodeCommit repositories, you must create an IAM role that grants cross-account access. The process involves three steps: 1. Obtain the external ID that Fluid Attacks generates for your organization. To do this, [access the platform](http://app.fluidattacks.com), navigate to **Credentials** > **Add credentials** > **Add manually** and choose **AWS Role** as credentials type. 1. Create the IAM role using that external ID as a shared secret to verify that role assumption requests originate from Fluid Attacks. 1. Provide the role's Amazon Resource Name (ARN) in the Fluid Attacks platform. > [!TIP] > > If your organization manages multiple AWS accounts, you can create this role in as many accounts as needed. Simply provide the corresponding ARN when [adding credentials](https://help.fluidattacks.com/portal/en/kb/articles/manage-your-credentials#Add_credentials) in the platform. You can set up the role using either of the following methods: 1. [Manually through the AWS Management Console](https://help.fluidattacks.com/portal/en/kb/articles/set-up-an-aws-iam-role#Manual_configuration_from_AWS_Management_Console) 1. [Programmatically using AWS CloudFormation templates](https://help.fluidattacks.com/portal/en/kb/articles/set-up-an-aws-iam-role#Use_AWS_CloudFormation_templates) ## Manual configuration from AWS Management Console Follow these steps to create the required role through the AWS user interface: 1. Sign in to the AWS Management Console using an account with permissions to create IAM roles and attach policies. 1. Use the search bar to locate the IAM service and select it. Select IAM for integration with Fluid Attacks platform

Select IAM for integration with Fluid Attacks platform

1. In the IAM Dashboard, select **Roles** from the left sidebar menu. Go to Roles for integration with Fluid Attacks platform

1. Click the **Create role** button. Create IAM role for integration with Fluid Attacks platform

1. In the **Trusted entity type** section, select **Custom trust policy**. Set IAM Role policy for Fluid Attacks integration

1. In the code editor that appears below, paste the following JSON policy: ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "FluidAttacksAccess", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": "sts:AssumeRole", "Condition": { "ArnEquals": { "aws:PrincipalArn": "arn:aws:iam::205810638802:role/prod_integrates" }, "StringEquals": { "sts:ExternalId": "" } } } ]} ``` Replace `` with the [external ID](https://help.fluidattacks.com/portal/en/kb/articles/manage-your-credentials#Add_credentials) that Fluid Attacks generated for your organization. **Trust policy breakdown**The trust policy above contains four key elements: 1. **Principal (** `"AWS": "*"` **)\*\***:\*\* Although this field allows any AWS account to assume the role, the conditions below restrict actual access. 1. **Action (** `sts:AssumeRole` **)\*\***:\*\* This action permits external entities to assume the role. 1. **Condition** **(** `aws:PrincipalArn` **)\*\***:\*\* This condition restricts role assumption exclusively to Fluid Attacks' production role (`arn:aws:iam::205810638802:role/prod_integrates`). 1. **Condition** **(** `sts:ExternalId` **)\*\***:\*\* This shared secret between Fluid Attacks and your organization verifies that assumption requests genuinely originate from Fluid Attacks, preventing unauthorized access. **Assign permissions to the role**27. Click **Next** to proceed to the permissions configuration. You may select the **ReadOnlyAccess** permission, but Step 8 shows you a recommended user-managed policy used to clone CodeCommit repositories. Select ReadOnlyAccess for Fluid Attacks integration

Select ReadOnlyAccess for Fluid Attacks integration

1. Create or attach a policy that grants access to your CodeCommit repositories. To follow the principle of least privilege, this is the policy Fluid Attacks recommends: ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "CodeCommitAccess", "Effect": "Allow", "Action": ["codecommit:Get*", "codecommit:GitPull"], "Resource": [""] } ]} ``` Replace `` with the actual ARN of your repository. To grant access to multiple repositories, add their ARNs to the `Resource` array. 1. Click **Next** to review your role configuration. 1. Provide a name for the role (e.g., `FluidAttacksCodeCommit`) and add a description. Enter Role name for Fluid Attacks integration

Enter Role name for Fluid Attacks integration

1. Click **Create role** to finish the setup. 1. Locate your new role in the IAM roles list and click on it to view its details. 1. Copy the **ARN** (Amazon Resource Name) displayed at the top of the role summary. You need this value to [complete the configuration](https://help.fluidattacks.com/portal/en/kb/articles/manage-your-credentials#Add_credentials) in the Fluid Attacks platform. Get IAM Role ARN for Fluid Attacks integration

Get IAM Role ARN for Fluid Attacks integration

## Use AWS CloudFormation templates You can automate the role creation process using AWS CloudFormation. This method is ideal for infrastructure-as-code workflows and multi-account deployments. First, create the template, then, deploy it using either of the following options: 1. [AWS CLI](https://help.fluidattacks.com/portal/en/kb/articles/set-up-an-aws-iam-role#Deploy_using_the_AWS_CLI) 1. [AWS Management Console](https://help.fluidattacks.com/portal/en/kb/articles/set-up-an-aws-iam-role#Deploy_using_the_AWS_Management_Console) ### Create the CloudFormation template 1. Create a new file with a .yaml extension. 1. Copy the following CloudFormation template into the file: ``` Resources: CodeCommitAccessRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - "sts:AssumeRole" Principal: AWS: - "*" Condition: ArnEquals: aws:PrincipalArn: "arn:aws:iam::205810638802:role/prod_integrates" StringEquals: sts:ExternalId: "" Description: Role to grant Fluid Attacks access to CodeCommit repositories ManagedPolicyArns: - arn:aws:iam::aws:policy/AWSCodeCommitReadOnly RoleName: FluidAttacksCodeCommit ``` 1. Replace `` with the [external ID](https://help.fluidattacks.com/portal/en/kb/articles/manage-your-credentials#Add_credentials) that Fluid Attacks generated for your organization. 1. Save the file. > [!TIP] > > This template uses the **AWSCodeCommitReadOnly** managed policy for simplicity. ### Deploy using the AWS CLI 1. [Install the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) if you have not already done so. 1. Configure your security credentials (`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`) for a user with permissions to create CloudFormation stacks and IAM resources. 1. Run the following command to deploy the stack: ``` aws cloudformation deploy --template-file \ --stack-name \ --capabilities CAPABILITY_NAMED_IAM ``` Replace `` with the path to your template file and `<stack-name>` with a descriptive name (e.g., `fluid-attacks-codecommit`). 1. After the deployment completes, retrieve the role ARN by running this: ``` aws iam get-role --role-name "FluidAttacksCodeCommit" ``` The command returns a JSON response containing the role details, including the ARN. ### Deploy using the AWS Management Console 1. Sign in to the AWS Management Console using an account with permissions to perform read and write operations for CloudFormation and IAM resources. 1. Use the search bar to locate the **CloudFormation** service and select it. Find CloudFormation to setup Fluid Attacks integration

Find CloudFormation to setup Fluid Attacks integration

1. In the CloudFormation Dashboard, click the **Create stack** dropdown and select **With new resources (standard)**. Create stack for Fluid Attacks integration

Create stack for Fluid Attacks integration

1. Under **Prerequisite - Prepare template**, select **Template is ready** and, under **Specify template**, select **Upload a template file**, then click **Choose file** and select the template you created. Create stack from template for Fluid Attacks integration

Create stack from template for Fluid Attacks integration

1. Click **Next** to proceed. 1. Enter a name for the stack and click **Next**. Name the stack for Fluid Attacks integration

1. On the **Configure stack options** page, you can leave the default settings. Click **Next**. 1. On the review page, scroll to the **Capabilities** section at the bottom and check the box acknowledging that CloudFormation may create IAM resources with custom names. Set CloudFormation Capabilities for Fluid Attacks integration

Set CloudFormation Capabilities for Fluid Attacks integration

1. Click **Submit** to begin the deployment and wait for the stack status to show 'CREATE_COMPLETE'. 1. Navigate to the **Resources** tab and click the **Physical ID** link for the role resource. This redirects you to the IAM Dashboard. 1. Copy the ARN from the role summary to use in the Fluid Attacks platform. ## Troubleshooting If you encounter issues when adding your AWS environment to the Fluid Attacks platform, verify the following: 1. **Role permissions:** Confirm that the role has the **AWSCodeCommitReadOnly** managed policy attached, or that your custom policy includes the `codecommit:Get*` and `codecommit:GitPull` actions for the target repositories. 1. **External ID:** Ensure that the external ID in your role's trust policy matches the external ID assigned to your organization by Fluid Attacks. A mismatch will cause role assumption to fail. 1. Repositories encrypted with custom AWS KMS Customer Managed Keys (CMK) may fail to clone with authentication errors(403). This occurs because custom KMS keys require explicit decrypt permissions that must be configured for both the CodeCommit service and individual users attempting to clone the repository, solutions: 1. Switch to AWS Managed Keys: Change your repository encryption settings to use the default AWS managed key (aws/codecommit). This automatically handles all necessary permissions. 1. If using custom CMK: Ensure your KMS key policy grants decrypt permissions to CodeCommit and IAM users have kms:Decrypt on the key. See AWS KMS Key Policies.