Getting Started

Want to manage access to your AWS infrastructure with ease? We have you covered. You can set up access management from Opal to AWS in minutes.

Supported Services

  • IAM Roles: Grant temporary and audited access to any AWS IAM role.

  • EC2 (Elastic Compute Cloud): Grant temporary and audited SSH sessions to any EC2 instance.

  • RDS (Relational Database Service): Grant temporary and audited database access to Postgres and MySQL databases on RDS.

  • EKS (Elastic Kubernetes Service): Grant temporary and audited access to any Kubernetes role on EKS.

Setup

Step 1 - Create an AWS connection

To get started, head to the Connections page and click on the Amazon Web Services tile.

Click on the AWS tile to get started.

Step 2 - Create an IAM User for Opal

In order for Opal to manage AWS on your behalf, we'll need an IAM user with the proper permission scopes. You can use the AWS CloudFormation stack included on the form to quickly create one with the permissions we need for all our features.


📘 Why doesn't Opal use a cross-account role?

We recognize that AWS recommends cross-account roles over IAM users, but in order to maintain feature parity with our on-premises version we only support an IAM user credential at this moment.


Manually scoping Opal permissions

Opal requires fairly sensitive permissions to grant access to your environments. In order for us to grant your employees access, AWS requires our IAM user to have equal or greater access than what we're handing out.

We want to give you full transparency into how our systems operate. If you'd like to scope Opal down manually, here are the policies we need to support each function, so you can mix and match.

Opal IAM User Policy

IAM policy JSON does not allow comments, so the policy below is split into one statement per feature and each Sid names the purpose of its actions. The statement with the "*" action is the one discussed in the warning below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OpalRequiredForAllUseCases",
      "Effect": "Allow",
      "Action": [
        "sts:TagSession",
        "sts:GetFederationToken"
      ],
      "Resource": "*"
    },
    {
      "Sid": "OpalFlexibleIamPolicySupport",
      "Effect": "Allow",
      "Action": [
        "*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "OpalSshAccessToEc2Instances",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ssm:DescribeInstanceProperties",
        "ssm:GetConnectionStatus",
        "ssm:TerminateSession",
        "ssm:StartSession",
        "ssm:DescribeSessions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "OpalRdsSupport",
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances",
        "rds-db:connect"
      ],
      "Resource": "*"
    },
    {
      "Sid": "OpalEksSupport",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole",
        "eks:DescribeCluster",
        "eks:ListClusters",
        "iam:ListRoleTags",
        "iam:ListRoles"
      ],
      "Resource": "*"
    }
  ]
}

❗️Supporting IAM Role Policies without wildcarding

You may notice that the policy above allows every AWS action with a wildcard. In order for Opal to grant federated access to an IAM role's policies, Opal's IAM user must have a permission scope equal to or greater than the policies it grants. The wildcard is a flexible way to ensure we can grant any policy you want, but if you'd like to remove it, you will need to attach every policy you want to import into Opal to the IAM user.
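Added example (not Opal's own code): a small builder that composes the scoped-down IAM user policy from the feature groups listed above, plus a check that reports any statement still carrying a bare "*" action. The feature names ("ec2_ssh", "rds", "eks") and Sid values are this example's own labels; the action lists are the ones shown on this page.

```python
import json

# Action sets copied from the Opal IAM user policy on this page, grouped
# by the feature each one supports (grouping labels are this example's own).
CORE_ACTIONS = ["sts:TagSession", "sts:GetFederationToken"]
FEATURE_ACTIONS = {
    "ec2_ssh": ["ec2:DescribeInstances", "ssm:DescribeInstanceProperties",
                "ssm:GetConnectionStatus", "ssm:TerminateSession",
                "ssm:StartSession", "ssm:DescribeSessions"],
    "rds": ["rds:DescribeDBInstances", "rds-db:connect"],
    "eks": ["sts:AssumeRole", "eks:DescribeCluster", "eks:ListClusters",
            "iam:ListRoleTags", "iam:ListRoles"],
}


def build_opal_policy(features, allow_wildcard_iam=False):
    """Compose a valid IAM policy document from the selected features.

    allow_wildcard_iam=True adds the "*" statement the page uses for
    flexible IAM policy support; leave it False when attaching the
    imported policies to the IAM user directly instead.
    """
    unknown = set(features) - FEATURE_ACTIONS.keys()
    if unknown:
        raise ValueError(f"unknown feature(s): {sorted(unknown)}")
    statements = [{"Sid": "OpalCore", "Effect": "Allow",
                   "Action": list(CORE_ACTIONS), "Resource": "*"}]
    for name in sorted(features):  # sorted -> deterministic Sid order
        statements.append({"Sid": "Opal" + name.title().replace("_", ""),
                           "Effect": "Allow",
                           "Action": list(FEATURE_ACTIONS[name]),
                           "Resource": "*"})
    if allow_wildcard_iam:
        statements.append({"Sid": "OpalFlexibleIamPolicies", "Effect": "Allow",
                           "Action": ["*"], "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def wildcard_action_sids(policy):
    """Return Sids of Allow statements whose Action (string or list) is a bare "*"."""
    hits = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # IAM accepts a single action as a string
            actions = [actions]
        if stmt.get("Effect") == "Allow" and "*" in actions:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


if __name__ == "__main__":
    scoped = build_opal_policy({"ec2_ssh", "rds"})
    print(json.dumps(scoped, indent=2))
    print("wildcard statements:", wildcard_action_sids(scoped))
```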


❗️Enable Opal for access management

If you want to use Opal to manage access to AWS resources, you will need to enable the Manage resources and groups from Opal setting on the Admin page. You can read more about how to do that here.

