Introduction to the role-based provisioning credential for AWS
Creating a credential is a prerequisite for creating an environment. On AWS, you have a single option for creating a cloud credential: a role-based credential.
When working with an AWS environment, you are required to configure a way for CDP to authenticate with your AWS account and obtain authorization to create resources on your behalf. On AWS, there is a single option for doing this: the role-based credential. Role-based authentication uses an IAM role with an attached IAM policy that has the minimum permissions required to use CDP. As stated in AWS docs:
"An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session."
Role-based | |
---|---|
IAM entity used by the credential | A cross-account IAM role |
Security mechanism | An IAM role does not have standard long-term credentials such as a
password or access keys associated with it. Instead, when an entity assumes
a role, temporary security credentials for the role session are
generated. Since CDP is set up with an AssumeRole policy, it can assume the IAM role. For more information about AssumeRole and granting permissions to create temporary security credentials, refer to AWS docs. |
Use case | Suitable for an organization as it allows multiple users to use the same IAM role. |
Overview of configuration steps | 1. In the IAM console on AWS, create an IAM policy and a cross-account
IAM role, and then assign the IAM policy to the IAM role. 2. Register the role ARN as a credential in CDP. Once done, CDP can assume the IAM role. |