Connect Opsidian to your AWS account

For Opsidian to work you need to grant it access to your AWS account. You can do this in two ways:

  • Connect by providing an Access Key ID and a Secret Key
  • Connect by providing a cross-account role ARN

    Connect by providing an Access Key ID and a Secret Key

    How it works

    Access keys consist of an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). Access keys are used to sign programmatic requests that are made to AWS.
    It is a good practice to create a new IAM user, whose purpose will be to interact with Opsidian. Opsidian requires only read-only access to your resources, so be sure to attach the "ReadOnlyAccess" policy to the IAM user. Opsidian encrypts the keys before storing them.
    At any time you can delete or make the keys inactive in your AWS Console. If you do that, Opsidian will no longer have access to your AWS resources.
    We have created a CloudFormation template that creates a user and attaches an appropriate policy. It's up to you whether to create the resources manually or to use our "Launch Stack" button.

    How to create the keys manually

    1. Navigate to the IAM service in your AWS console.
    2. Click "Users" on the left sidebar, then click "Create New Users".
    3. Enter "opsidian" into the "User name" text field, select "Programmatic access" in "Access type" and click "Next: Permissions".
    4. Click "Attach existing policies directly" and select the AWS managed "ReadOnlyAccess" policy on the list.
    5. Click "Next: Review" and "Create user".
    6. In Slack run:
      /ops account add keys name=<account_name> key=<aws_access_key_id> secret=<aws_secret_key> region=<region_name>

      Replace <account_name> with something you will be able to recognize your account by.
      Replace <aws_access_key_id> with the value of the Access Key ID and <aws_secret_key> with the value of the Secret Access Key copied from the AWS console.
      Replace <region_name> with the region you would like to use as default (e.g. eu-west-1).

    How to create the keys using our CloudFormation template

    The CloudFormation template creates a user with the "ReadOnlyAccess" policy attached. You can review the template before clicking the button.

    1. Click the Launch Stack button and click "Next".
    2. Click "Next" until you see the "Create" button.
    3. Check the "I acknowledge that AWS CloudFormation might create IAM resources" checkbox and click "Create".
    4. When the resources finish creating, go to the Outputs tab; you will see your keys there.
    5. In Slack run:
      /ops account add keys name=<account_name> key=<aws_access_key_id> secret=<aws_secret_key> region=<region_name>

      Replace <account_name> with something you will be able to recognize your account by.
      Replace <aws_access_key_id> with the value of AccessKeyId and <aws_secret_key> with the value of SecretAccessKey copied from the "Output" tab.
      Replace <region_name> with the region you would like to use as default (e.g. eu-west-1).
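      The template below is an added illustration of what a stack like the one described above does, not Opsidian's own "Launch Stack" template: it creates the read-only "opsidian" user, generates an access key for it, and exposes AccessKeyId and SecretAccessKey as stack outputs. The logical resource names (OpsidianUser, OpsidianAccessKey) are assumptions.

```yaml
# Added example template, not Opsidian's published one. Logical names are assumed.
AWSTemplateFormatVersion: '2010-09-09'
Description: Read-only IAM user and access key for Opsidian (example)

Resources:
  # The IAM user that Opsidian will authenticate as.
  OpsidianUser:
    Type: AWS::IAM::User
    Properties:
      UserName: opsidian
      # Only the AWS managed read-only policy, nothing else.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess

  # A programmatic access key for that user.
  OpsidianAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref OpsidianUser

Outputs:
  AccessKeyId:
    Description: Use as key=<aws_access_key_id> in "/ops account add keys"
    Value: !Ref OpsidianAccessKey
  SecretAccessKey:
    # Stack outputs are readable by anyone with cloudformation:DescribeStacks
    # on this stack, so delete the stack (or rotate the key) once the key
    # has been handed to Opsidian.
    Description: Use as secret=<aws_secret_key> in "/ops account add keys"
    Value: !GetAtt OpsidianAccessKey.SecretAccessKey
```

      Deleting the stack removes the user and the key, which has the same effect as deactivating the key in the console: Opsidian loses access immediately.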

    Connect by providing a cross-account role ARN

    How it works

    Granting a trusted principal in a different account access to resources in your account is often referred to as cross-account access. In a trust relationship, you define which AWS account can assume a role in your AWS account. Once the role is assumed, the trusted AWS account obtains the permissions specified by that role. In practice this means that the role can only be used by the trusted account.
    Opsidian requires only read-only access to your resources, so be sure to attach the "ReadOnlyAccess" policy to the role. Opsidian encrypts the ARN and the External ID before storing them.
    At any time you can revoke active sessions and delete the role in your AWS Console. If you do that, Opsidian will no longer have access to your AWS resources.
    We have created a CloudFormation template that creates a cross-account role and attaches an appropriate policy. It's up to you whether to create the resources manually or to use our "Launch Stack" button.

    How to create the role ARN manually

    1. Navigate to the IAM service in your AWS console.
    2. Click "Roles" on the left sidebar, then click "Create New Role".
    3. Enter "opsidian" into the text field and click "Next Step".
    4. Click "Role for Cross-Account Access" and select "Provide access between your AWS account and a 3rd party AWS account".
    5. Fill in the Account ID with the value: 326365640391
    6. Fill in the External ID with the domain name of your Slack team (it's the first part of the address of your team: team_domain.slack.com) and click "Next Step".
    7. Select the "ReadOnlyAccess" policy and click "Next Step".
    8. Copy the role ARN into your clipboard.
    9. Click "Create Role" in the AWS Console.
    10. In Slack run:
      /ops account add cross-account name=<account_name> arn=<role_arn> region=<region_name>

      Replace <account_name> with something you will be able to recognize your account by.
      Replace <role_arn> with the value copied from the AWS console.
      Replace <region_name> with the region you would like to use as default (e.g. eu-west-1).

    How to create the role ARN using our CloudFormation template

    The CloudFormation template creates a role for cross-account access for Opsidian's AWS account, with the "ReadOnlyAccess" policy attached. You can review the template before clicking the button.

    1. Click the Launch Stack button and click "Next".
    2. Enter the domain name of your Slack team (it's the first part of the address of your team: team_domain.slack.com) into the "SlackTeamName" field.
    3. Click "Next" until you see the "Create" button.
    4. Check the "I acknowledge that AWS CloudFormation might create IAM resources" checkbox and click "Create".
    5. When the resources finish creating, go to the Outputs tab and copy the role ARN.
    6. In Slack run:
      /ops account add cross-account name=<account_name> arn=<role_arn> region=<region_name>

      Replace <account_name> with something you will be able to recognize your account by.
      Replace <role_arn> with the value copied from the "Output" tab.
      Replace <region_name> with the region you would like to use as default (e.g. eu-west-1).
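      The template below is an added illustration of the role that the manual steps and the stack above produce, not Opsidian's own "Launch Stack" template: it trusts Opsidian's account 326365640391, requires the Slack team domain as the External ID (so a caller that does not present it cannot assume the role), attaches "ReadOnlyAccess", and outputs the role ARN. The logical resource name OpsidianRole is an assumption.

```yaml
# Added example template, not Opsidian's published one. Logical names are assumed.
AWSTemplateFormatVersion: '2010-09-09'
Description: Read-only cross-account role for Opsidian (example)

Parameters:
  SlackTeamName:
    Type: String
    Description: Your Slack team domain (team_domain in team_domain.slack.com)

Resources:
  OpsidianRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: opsidian
      # Trust policy: only Opsidian's AWS account may assume this role,
      # and only when it presents the External ID you chose.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::326365640391:root
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref SlackTeamName
      # Permissions policy: the AWS managed read-only policy only.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess

Outputs:
  RoleArn:
    Description: Use as arn=<role_arn> in "/ops account add cross-account"
    Value: !GetAtt OpsidianRole.Arn
```

      Deleting the stack deletes the role, so any further AssumeRole call from the trusted account fails; existing sessions can be cut short first by revoking sessions on the role in the console, as the section above describes.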

    © Opsidian 2018