TrueFoundry supports integrating with multiple AWS services such as S3, ECR, SSM and EKS. To integrate any of these services, add your AWS account as a provider account, then add the individual integrations in the Integration Providers section of the Platform page.

Share access with users, teams or everyone in your TrueFoundry account

As shown above, you can share each integration with specific users, with teams, or with everyone in your TrueFoundry account. Sharing lets those users view and use the integration; only tenant-admins can edit the integrations themselves.

Generate Access Key or Assumed Role

The steps below show how to create an IAM role that TrueFoundry can assume and how to attach the permissions each integration needs. For AWS, TrueFoundry supports both IAM users and IAM roles. If you set up your cluster with the TrueFoundry Terraform code, a suitable IAM role has already been created and attached; you can reuse it or create a new role when you want to scope permissions more tightly for a specific integration. Alternatively, create an IAM user with the required permissions and generate an access key and secret key to add the integration. Prefer the role-based option where you can: an assumed role yields short-lived STS credentials, whereas an access key is a long-lived secret that you must store and rotate.

Create an IAM role with assume role

The role needs the following trust policy, which allows the TrueFoundry-managed role named in the Principal to assume it:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::416964291864:role/tfy-ctl-euwe1-production-truefoundry-deps"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
If you plan to use this IAM role for workflows, also add the following statement to the same Statement array of the trust policy (it is a second statement, not a separate policy), so that the workflow propeller's Kubernetes service account can assume the role through the cluster's OIDC provider and access the storage bucket. Replace ACCOUNT_ID, AWS_REGION and OIDC_ID with your cluster's values; OIDC_ID is the last path segment of the cluster's OIDC issuer URL. The StringEquals condition on the :sub and :aud claims is what restricts the role to the flytepropeller service account in the tfy-workflow-propeller namespace, so keep it exact rather than loosening it to a wildcard.
{
    "Effect": "Allow",
    "Principal": {
        "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/oidc.eks.<AWS_REGION>.amazonaws.com/id/<OIDC_ID>"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
        "StringEquals": {
            "oidc.eks.<AWS_REGION>.amazonaws.com/id/<OIDC_ID>:sub": "system:serviceaccount:tfy-workflow-propeller:flytepropeller",
            "oidc.eks.<AWS_REGION>.amazonaws.com/id/<OIDC_ID>:aud": "sts.amazonaws.com"
        }
    }
}
To create the IAM role, save the complete trust policy (including the workflow statement, if you added it) as a JSON file on your machine, then create the role with the AWS CLI:
aws iam create-role --role-name <ROLE_NAME> --assume-role-policy-document file://<TRUST_POLICY_FILE.json>
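The following script is an added example, not TrueFoundry's own tooling. It assembles both trust statements from the page into one complete policy document, creates the role with the same aws iam create-role command, and reads the trust policy back so you can confirm both statements landed. ROLE_NAME, ACCOUNT_ID, AWS_REGION, OIDC_ID and CLUSTER_NAME are placeholders you supply; the control-plane principal ARN is the one the page lists, and the helper that derives OIDC_ID from the cluster's issuer URL is an assumption about how you would look it up.

```shell
#!/bin/sh
# Added example (not TrueFoundry's code): build the full trust policy for a
# role that both the TrueFoundry control plane and the workflow propeller
# service account can assume, then create and verify it with the AWS CLI.
set -eu

# Control-plane role from the page; it is the cross-account principal.
TFY_CONTROL_PLANE_ARN="arn:aws:iam::416964291864:role/tfy-ctl-euwe1-production-truefoundry-deps"

# OIDC_ID is the last path segment of the EKS issuer URL, e.g.
# https://oidc.eks.eu-west-1.amazonaws.com/id/ABCDEF0123456789 -> ABCDEF0123456789
oidc_id_from_issuer() {
  issuer="$1"
  printf '%s\n' "${issuer##*/}"
}

# Emit one policy whose Statement array holds BOTH statements: the
# sts:AssumeRole grant for the control plane, and the IRSA
# sts:AssumeRoleWithWebIdentity grant for the flytepropeller service account.
# The StringEquals on :sub and :aud pins the role to that single service
# account; do not replace it with a wildcard.
build_trust_policy() {
  account_id="$1"; region="$2"; oidc_id="$3"
  provider="oidc.eks.${region}.amazonaws.com/id/${oidc_id}"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "${TFY_CONTROL_PLANE_ARN}" },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": { "Federated": "arn:aws:iam::${account_id}:oidc-provider/${provider}" },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${provider}:sub": "system:serviceaccount:tfy-workflow-propeller:flytepropeller",
          "${provider}:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
EOF
}

# Create the role from the generated document, then read the trust policy
# back: the output should list both sts:AssumeRole and
# sts:AssumeRoleWithWebIdentity. Requires credentials with iam:CreateRole
# and iam:GetRole.
create_tfy_role() {
  role_name="$1"; account_id="$2"; region="$3"; oidc_id="$4"
  policy_file="$(mktemp)"
  build_trust_policy "$account_id" "$region" "$oidc_id" > "$policy_file"
  aws iam create-role --role-name "$role_name" \
    --assume-role-policy-document "file://${policy_file}"
  aws iam get-role --role-name "$role_name" \
    --query 'Role.AssumeRolePolicyDocument.Statement[].Action' --output text
  rm -f "$policy_file"
}

# Usage (uncomment after filling in your values):
# OIDC_ID="$(oidc_id_from_issuer "$(aws eks describe-cluster --name <CLUSTER_NAME> \
#   --query cluster.identity.oidc.issuer --output text)")"
# create_tfy_role <ROLE_NAME> <ACCOUNT_ID> <AWS_REGION> "$OIDC_ID"
```

If you only need the control-plane integration and not workflows, drop the second statement from build_trust_policy; the rest of the script is unchanged. The get-role read-back is the quickest check that the policy you saved is the policy AWS actually stored.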

The following steps are required for each integration

Attach the policies listed below to the IAM role or user for each integration you want to enable, replacing AWS_REGION and ACCOUNT_ID with your own values. Attach only the policies for the services you actually use, so the role carries no more permissions than the integrations need.