Adding a role

Trust policy

You must use the following trust policy on your role, filling in the AWS_ACCOUNT_ID placeholder with the 12-digit ID of the AWS account whose principals should be allowed to assume the role (the account Opal connects from). Because the principal is that account's root, any principal in that account that is permitted to call sts:AssumeRole can assume the role, not only Opal, so keep an eye on who holds that permission there:

trust_policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${AWS_ACCOUNT_ID}:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Creating a role

Here is an example invocation for creating a role with the above trust policy file:

Creating an IAM role for Opal

aws iam create-role \
  --role-name MyRoleWithPoliciesToBeManagedByOpal \
  --assume-role-policy-document file://trust_policy.json \
  --tags Key=opal,Value="" \
  --description "My role containing policies to be managed by Opal"

Attaching policies to a role

Now attach all the policies you want to show up in Opal under this role. You can do this in the AWS Console, as shown below:

Attaching policies to an Opal role.

Terraform

If you use Terraform, set the following arguments on the existing aws_iam_role you want to manage with Opal. Note that ${...} inside a Terraform heredoc is interpolation, so replace the whole ${AWS_ACCOUNT_ID} token either with the literal account ID or with a Terraform reference such as ${var.opal_aws_account_id} (a variable you declare yourself); leaving the placeholder as-is will not plan:

assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${AWS_ACCOUNT_ID}:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
POLICY

tags = {
  opal = ""
}

You can attach policies to the aws_iam_role with the aws_iam_role_policy_attachment resource, one resource per policy ARN.


Getting access to roles in Opal

Once you've added roles to Opal, you can find and request them easily in the Permissions page under the AWS IAM tab.

An Opal AWS IAM role in the Permissions page.

AWS IAM roles are session-based: a developer starts a session for the role by clicking the Connect button on the permission.

Starting an IAM role session.

Once a session is started, you'll be able to access the AWS Console (the Amazon GUI) directly or update your CLI with this role's permissions.

Using an AWS IAM role session in Opal.


🚧 Considerations if you set up an IAM user for Opal manually

If you modified your AWS connection's permissions manually to remove the wildcard (see below), Opal won't be able to grant access to IAM role policies without custom changes to your IAM user.

To support those policies, add the policies in question to your Opal IAM user so it can grant access to them.


Common errors

Session creation failed when starting a session in Opal

Verify that the trust policy above is set as the role's assume-role policy document (a trust policy is not an attached managed policy; it is the role's own trust relationship) and that the account ID in it is the one Opal connects from.
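The following script is an added example and is not part of the Opal documentation or the Opal product. It ties the steps above together from the CLI: it renders the required trust policy for a given account ID (refusing anything that is not a 12-digit ID), creates and tags the role, attaches policies from the command line instead of the console, and, for the "Session creation failed" case, checks an existing role for the two things that matter here: whether its trust policy really names the expected account root for sts:AssumeRole, and whether it carries the opal tag. The role name, the ROLE_NAME variable, the policy ARN in the usage comment and the helper names are assumptions for this example.

```shell
#!/usr/bin/env bash
# Added example (not Opal's code). Assumes the AWS CLI is installed and
# credentials with iam:CreateRole, iam:AttachRolePolicy, iam:GetRole and
# iam:ListRoleTags are configured. ROLE_NAME is an assumed default.
set -eu

ROLE_NAME="${ROLE_NAME:-MyRoleWithPoliciesToBeManagedByOpal}"

# Print the trust policy from the page for one AWS account ID.
# Refuses anything that is not 12 digits so a typo cannot become a trust grant.
render_trust_policy() {
  account_id="$1"
  if ! printf '%s' "$account_id" | grep -Eq '^[0-9]{12}$'; then
    echo "invalid AWS account ID: $account_id" >&2
    return 1
  fi
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${account_id}:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Read a trust policy document on stdin and check that it names the expected
# account root as principal, grants sts:AssumeRole, and has an Allow effect.
# This is a textual check on the document AWS returns, not a full IAM policy
# evaluation; it is enough to catch a wrong account ID or a missing statement.
trust_policy_allows() {
  account_id="$1"
  doc=$(cat)
  printf '%s' "$doc" | grep -Fq "\"arn:aws:iam::${account_id}:root\"" &&
    printf '%s' "$doc" | grep -Fq '"sts:AssumeRole"' &&
    printf '%s' "$doc" | grep -Eq '"Effect"[[:space:]]*:[[:space:]]*"Allow"'
}

# Create the role with the trust policy and the opal tag, then attach every
# policy ARN given as a further argument (CLI equivalent of the console step).
create_opal_role() {
  account_id="$1"; shift
  render_trust_policy "$account_id" > trust_policy.json
  aws iam create-role \
    --role-name "$ROLE_NAME" \
    --assume-role-policy-document file://trust_policy.json \
    --tags Key=opal,Value="" \
    --description "My role containing policies to be managed by Opal"
  for policy_arn in "$@"; do
    aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$policy_arn"
  done
}

# Check an existing role for the usual causes of "Session creation failed":
# a trust policy that does not allow the expected account, or a missing tag.
check_opal_role() {
  account_id="$1"
  if ! aws iam get-role --role-name "$ROLE_NAME" \
        --query Role.AssumeRolePolicyDocument --output json |
      trust_policy_allows "$account_id"; then
    echo "FAIL: $ROLE_NAME does not trust arn:aws:iam::${account_id}:root for sts:AssumeRole" >&2
    return 1
  fi
  tag=$(aws iam list-role-tags --role-name "$ROLE_NAME" \
        --query "Tags[?Key=='opal'].Key" --output text)
  if [ "$tag" != "opal" ]; then
    echo "FAIL: $ROLE_NAME is missing the opal tag" >&2
    return 1
  fi
  echo "OK: $ROLE_NAME trusts account $account_id and carries the opal tag"
}

# Usage (the policy ARN is only an example):
#   ./opal_role.sh create 123456789012 arn:aws:iam::aws:policy/ReadOnlyAccess
#   ./opal_role.sh check  123456789012
case "${1:-}" in
  create) shift; create_opal_role "$@" ;;
  check)  shift; check_opal_role "$@" ;;
esac
```

The check function deliberately reads the document back from aws iam get-role rather than trusting the local trust_policy.json: the role's real trust relationship is what STS evaluates, and a stale or edited local file is exactly what hides a wrong account ID.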
