Create IAM Role

(Recommended) Learn how to create an IAM Role in order to securely delegate Sedai uninterrupted access to your AWS resources.

Use CloudFormation to automatically create an IAM Role and attach Sedai's policies.

If you prefer to manually create an IAM Role with sufficient privileges for Sedai to access your topology, you must have access to your organization's AWS Console and permission to create a new IAM Role.

To grant Sedai access to your resources, you will create an IAM Role and link

If you plan to connect multiple EKS clusters from the same environment to Sedai, you will only need to create one IAM Role. The same ARN can be used to connect each cluster to Sedai.

Choose your preferred method of creating the IAM Role:

Go to Settings > Integrations and select Connect Cloud.
Select AWS as your cloud provider & select your resource types and the cloud products you'd like Sedai to manage.
After giving you cloud a nickname, click the button the Launch CloudFormation (Make sure you're logged in to the AWS account you wish to integrate with Sedai)
On the screen that will open in the CloudFormation console, leave the selections as is and click Next.
In the Specify stack details page, enter the stack name.
In the Sedai app configuration section, leave the custom external ID field empty (unless a custom external ID was provided previously).
In the Permission section, select which cloud products you'd like Sedai to manage (please ensure this matches the selections you previously made within Sedai when connecting your account)
Click Next, then scroll down and click Next again.
In the Review and create page, check the capabilities and click Submit

Make sure you're logged in to the AWS account you'd like to integrate with Sedai.
Go to the CloudFormation console
Click Create Stack and select With new resources (standard)
Under Prepare template, select Template is ready
Under Specify template, select Amazon S3 URL. Provide the following link then click Next:

https://sedai-onboarding-templates-prod.s3.amazonaws.com/nested/sedai-integration-main.yml

In the Specify stack details page, enter the stack name.
In the Sedai app configuration section, leave the custom external ID field empty (unless a custom external ID was provided previously).
In the Permission section, select which cloud products you'd like Sedai to manage (please ensure this matches the selections you previously made within Sedai when connecting your account)
Click Next, then scroll down and click Next again.
In the Review and create page, check the capabilities and click Submit.

This approach requires your AWS CLI to be configured.

1. Download the Sedai IAM Policy.

2. Create IAM policy:

aws --profile AWS_PROFILE iam create-policy --policy-name SedaiAWSIntegrationIamPolicy --policy-document file://sedai-policy.json

3. Create IAM Role and attach policy:

curl -o assume-role-policy.json https://raw.githubusercontent.com/SedaiEngineering/sedai-onboarding/main/aws/sedai-assume-role-policy-document.json
aws --profile AWS_PROFILE iam create-role --role-name SedaiAWSIntegrationRole --assume-role-policy-document file://assume-role-policy.json
aws --profile AWS_PROFILE iam attach-role-policy --role-name SedaiAWSIntegrationRole --policy-arn "arn:aws:iam::737058061372:policy/SedaiAWSIntegrationIamPolicy"

4. Copy the ARN. This will be used to add your connect your resources to Sedai from the Integrations page.

Updating a CloudFormation Stack with Change Sets

When updating a CloudFormation stack, change sets allow you to preview planned changes before applying them, ensuring no unintended consequences. To do this, follow this proces:

Access the CloudFormation console within the AWS Management Console.
Select the desired stack from the list and select the Change Sets tab.
Click Create change set then name the change set.
On the page to specify the template, choose Use current template and click Next.
Update the Permission section to add or remove permissions.
Click Next, then scroll down and click Next again.
In the Review and create page, check the capabilities and click Submit.
Review the planned changes then click Execute change set.
On the Execute change set? pop up, review the planned changes and specify your preferred options (We recommend using the pre-selected options).
Click Execute change set to enact the changes.

After updating a CloudFormation stack, we recommend monitoring the deployment.

Monitoring the Deployment

When you create or update a CloudFormation stack, you can track the update's progress ensure to it's functioning properly. Within the CloudFormation console, the Events tab displays the status of each resource during the update process. Refresh this tab to ensure it shows the CREATE_COMPLETE or UPDATE_COMPLETE status. If the deployment has failed, try re-deploying it.

Learn more about IAM Roles:

IAM roles - AWS Identity and Access ManagementAWS Identity and Access Management

Last updated 1 month ago