Configuring AWS Account
Enterprise customers only
To start building integrations, it is necessary connect your AWS account with TunnelHub using an STS Role. To getting started, execute these actions:
As we use CDK for creating objects, it is necessary you bootstrap CDK in your AWS Account manually. You can check the details here and here.
TL;DR: npm install -g aws-cdk && cdk bootstrap aws://ACCOUNT-NUMBER/REGION
With your account bootstrapped, follow these guidelines:
Go to AWS Console and select Identity and Access Management (IAM)
Click on Roles on the left menu
Press the button "Create role"
The trusted entity type must be "AWS account"
The Account ID must be the TunnelHub.io master account, which code is 521944920347
The option "Require external ID (Best practice when a third party will assume this role)" must be checked, and the External ID must be your TunnelHub Tenant ID.
Press Next button
In the next screen, we must select what permissions this role will have. It is possible to select the AdministratorAccess prebuilt role but is not recommended, because it is too permissive. Our recommendation is to create a new policy by clicking on the button "Create policy". Use this JSON as a template, replacing {account_id} with your AWS Account ID:
{
"Statement": [
{
"Action": "acm:*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Product": "TunnelHub"
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": "VisualEditor0"
},
{
"Action": "cognito-identity:*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Product": "TunnelHub"
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": "VisualEditor1"
},
{
"Action": "cognito-idp:*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Product": "TunnelHub"
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": "VisualEditor2"
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem",
"dynamodb:CreateBackup",
"dynamodb:CreateTable",
"dynamodb:CreateTableReplica",
"dynamodb:DeleteBackup",
"dynamodb:DeleteItem",
"dynamodb:DeleteTable",
"dynamodb:DeleteTableReplica",
"dynamodb:DescribeBackup",
"dynamodb:DescribeContinuousBackups",
"dynamodb:DescribeContributorInsights",
"dynamodb:DescribeExport",
"dynamodb:DescribeKinesisStreamingDestination",
"dynamodb:DescribeStream",
"dynamodb:DescribeTable",
"dynamodb:DescribeTableReplicaAutoScaling",
"dynamodb:DescribeTimeToLive",
"dynamodb:DisableKinesisStreamingDestination",
"dynamodb:EnableKinesisStreamingDestination",
"dynamodb:ExportTableToPointInTime",
"dynamodb:GetItem",
"dynamodb:GetRecords",
"dynamodb:GetShardIterator",
"dynamodb:ListTagsOfResource",
"dynamodb:PartiQLDelete"
"dynamodb:PartiQLInsert",
"dynamodb:PartiQLSelect",
"dynamodb:PartiQLUpdate",
"dynamodb:PutItem",
"dynamodb:Query",
"dynamodb:RestoreTableFromAwsBackup",
"dynamodb:RestoreTableFromBackup",
"dynamodb:RestoreTableToPointInTime",
"dynamodb:Scan",
"dynamodb:StartAwsBackupJob",
"dynamodb:TagResource",
"dynamodb:UntagResource",
"dynamodb:UpdateContinuousBackups",
"dynamodb:UpdateContributorInsights",
"dynamodb:UpdateItem",
"dynamodb:UpdateTable",
"dynamodb:UpdateTableReplicaAutoScaling",
"dynamodb:UpdateTimeToLive",
"iam:AttachRolePolicy",
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:CreateRole",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:DeleteRole",
"iam:DeleteRolePermissionsBoundary",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetPolicy",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListPolicyTags",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:ListRoleTags",
"iam:PassRole",
"iam:PutRolePermissionsBoundary",
"iam:PutRolePolicy",
"iam:TagPolicy",
"iam:TagRole",
"iam:UntagPolicy",
"iam:UntagRole",
"iam:UpdateRole",
"iam:UpdateAssumeRolePolicy",
],
"Effect": "Allow",
"Resource": [
"arn:aws:dynamodb:*:{account_id}:table/TunnelHub",
"arn:aws:dynamodb:*:{account_id}:table/TunnelHub/backup/*",
"arn:aws:dynamodb:*:{account_id}:table/TunnelHub/export/*",
"arn:aws:dynamodb:*:{account_id}:table/TunnelHub/index/*",
"arn:aws:dynamodb:*:{account_id}:table/TunnelHub/stream/*",
"arn:aws:iam::{account_id}:policy/TH-*",
"arn:aws:iam::{account_id}:role/TH-*"
],
"Sid": "VisualEditor3"
},
{
"Action": [
"dynamodb:DescribeLimits",
"dynamodb:DescribeReservedCapacity",
"dynamodb:DescribeReservedCapacityOfferings",
"dynamodb:ListBackups",
"dynamodb:ListContributorInsights",
"dynamodb:ListExports",
"dynamodb:ListStreams"
"dynamodb:ListTables",
"dynamodb:PurchaseReservedCapacityOfferings",
"iam:ListRoles",
"iam:ListPolicies"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "VisualEditor4"
}
],
"Version": "2012-10-17"
}With the release of new functions, maybe is necessary to change these permissions. You can always return to this documentation to check the updated policy template permissions. To finish, execute the following steps:
Select the policy created and click on the "Next" button.
Provide a friendly Role name and description
Add desired tags
Click on the "Create role" button
Now that the role has been created copy the ARN and enter that information in TunnelHub settings. You can use the "Check connection" button to verify if the connection is working as expected.
Last updated