Set up an AWS IAM role | Fluid Attacks Help

Set up an AWS IAM role

To allow Fluid Attacks to access your CodeCommit repositories, you must create an IAM role that grants cross-account access.

The process involves three steps:
  1. Obtain the external ID that Fluid Attacks generates for your organization. To do this, access the platform, navigate to Credentials > Add credentials > Add manually and choose AWS Role as the credential type.
  2. Create the IAM role using that external ID as a shared secret to verify that role assumption requests originate from Fluid Attacks.
  3. Provide the role's Amazon Resource Name (ARN) in the Fluid Attacks platform.
Notes: If your organization manages multiple AWS accounts, you can create this role in as many accounts as needed. Simply provide the corresponding ARN when adding credentials in the platform.
You can set up the role using either of the following methods:
  1. Manually through the AWS Management Console
  2. Programmatically using AWS CloudFormation templates

Manual configuration from AWS Management Console

Follow these steps to create the required role through the AWS user interface:
  1. Sign in to the AWS Management Console using an account with permissions to create IAM roles and attach policies.
  2. Use the search bar to locate the IAM service and select it.
  3. In the IAM Dashboard, select Roles from the left sidebar menu.
  4. Click the Create role button.
  5. In the Trusted entity type section, select Custom trust policy.
  6. In the code editor that appears below, paste the following JSON trust policy:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "FluidAttacksAccess",
          "Effect": "Allow",
          "Principal": {
            "AWS": "*"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "ArnEquals": {
              "aws:PrincipalArn": "arn:aws:iam::205810638802:role/prod_integrates"
            },
            "StringEquals": {
              "sts:ExternalId": "<YOUR-EXTERNAL-ID>"
            }
          }
        }
      ]
    }

    Replace <YOUR-EXTERNAL-ID> with the external ID that Fluid Attacks generated for your organization. Leaving the placeholder in place makes every assumption attempt fail, because the external ID sent by Fluid Attacks will never equal the literal text <YOUR-EXTERNAL-ID>.

    Trust policy breakdown
    The trust policy above contains four key elements:
    1. Principal ("AWS": "*"): On its own this would let any AWS principal attempt to assume the role; the conditions below are what actually restrict access, and every condition in the statement must be satisfied for the request to be allowed. The wildcard is used instead of naming the Fluid Attacks role directly because IAM stores a role ARN in a Principal element as that role's unique ID, so the trust would silently break if that role were ever deleted and recreated.
    2. Action (sts:AssumeRole): This is the only action the statement allows, so the trusted principal can obtain temporary credentials for the role and nothing else.
    3. Condition (aws:PrincipalArn): This condition restricts role assumption exclusively to Fluid Attacks' production role (arn:aws:iam::205810638802:role/prod_integrates). For a role session this key carries the role's ARN rather than the session ARN, which is why an exact ArnEquals match on the role ARN works.
    4. Condition (sts:ExternalId): This shared secret between Fluid Attacks and your organization verifies that assumption requests genuinely originate from Fluid Attacks on your behalf, which prevents the confused-deputy problem: a third party cannot trick Fluid Attacks into assuming your role without knowing the ID.

    Assign permissions to the role
  7. Click Next to proceed to the permissions configuration. The console offers AWS managed policies such as ReadOnlyAccess here; that policy grants read access to every service in the account, so prefer the customer managed policy in step 8, which Fluid Attacks recommends because it only allows cloning the repositories you list.
  8. Create or attach a policy that grants access to your CodeCommit repositories. To follow the principle of least privilege, this is the policy Fluid Attacks recommends:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "CodeCommitAccess",
          "Effect": "Allow",
          "Action": ["codecommit:Get*", "codecommit:GitPull"],
          "Resource": ["<REPO-ARN>"]
        }
      ]
    }
    Replace <REPO-ARN> with the actual ARN of your repository, which has the form arn:aws:codecommit:<region>:<account-id>:<repository-name>. To grant access to multiple repositories, add their ARNs to the Resource array. codecommit:GitPull is what the clone itself needs; the codecommit:Get* actions let Fluid Attacks read repository metadata such as the default branch.
  9. Click Next to review your role configuration.
  10. Provide a name for the role (e.g., FluidAttacksCodeCommit) and add a description.
  11. Click Create role to finish the setup.
  12. Locate your new role in the IAM roles list and click on it to view its details.
  13. Copy the ARN (Amazon Resource Name) displayed at the top of the role summary. You need this value to complete the configuration in the Fluid Attacks platform.
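As an added example (not code from the Fluid Attacks page or product), the following Python script builds the trust policy above from your external ID, lints it for the mistakes that most often break or weaken this setup (placeholder external ID left in place, Principal "*" with no aws:PrincipalArn condition, no sts:ExternalId condition), and simulates how STS evaluates the policy for an AssumeRole call, so you can see that the wildcard principal really is gated by both conditions. The STS model is deliberately simplified (Allow statements only, and only the ArnEquals and StringEquals operators the page uses); the caller ARNs and external IDs in the demo are constructed placeholders, and the function names are the example's own.

```python
"""Offline checks for the cross-account trust policy described above.

Added example, not code from the Fluid Attacks page or product: it builds the
trust policy from the page, lints it for the mistakes that most often break or
weaken this setup, and simulates how STS evaluates it for an AssumeRole call.
The evaluator is a simplified model (Allow statements only, and only the
ArnEquals and StringEquals operators the page uses); the caller ARNs and
external IDs used in the demo are constructed placeholders.
"""
import fnmatch
import json
from typing import Optional

# Fluid Attacks' production role, as given on the page.
FLUID_PRINCIPAL_ARN = "arn:aws:iam::205810638802:role/prod_integrates"
PLACEHOLDER_EXTERNAL_ID = "<YOUR-EXTERNAL-ID>"


def build_trust_policy(external_id: str, principal_arn: str = FLUID_PRINCIPAL_ARN) -> dict:
    """The trust policy from the page with the external ID filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "FluidAttacksAccess",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnEquals": {"aws:PrincipalArn": principal_arn},
                "StringEquals": {"sts:ExternalId": external_id},
            },
        }],
    }


def _as_list(value) -> list:
    """IAM accepts a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt: dict) -> list:
    principal = stmt.get("Principal")
    return ["*"] if principal == "*" else _as_list((principal or {}).get("AWS"))


def _conditions(stmt: dict):
    """(aws:PrincipalArn patterns, sts:ExternalId values) of one statement."""
    cond = stmt.get("Condition", {})
    return (_as_list(cond.get("ArnEquals", {}).get("aws:PrincipalArn")),
            _as_list(cond.get("StringEquals", {}).get("sts:ExternalId")))


def _arn_matches(pattern: str, arn: str) -> bool:
    """ArnEquals/ArnLike semantics: the six colon-separated ARN segments are
    compared one by one, and each pattern segment may contain * and ?."""
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == 6 and len(a) == 6 and all(
        fnmatch.fnmatchcase(seg, pat) for seg, pat in zip(a, p))


def assume_role_allowed(trust_policy: dict, caller_arn: str,
                        external_id: Optional[str]) -> bool:
    """Simplified STS evaluation: does some Allow statement admit this call?
    Within a statement every condition must hold (they are ANDed)."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principals = _principals(stmt)
        if "*" not in principals and caller_arn not in principals:
            continue
        arn_patterns, external_ids = _conditions(stmt)
        if arn_patterns and not any(_arn_matches(p, caller_arn) for p in arn_patterns):
            continue  # caller is not the expected principal
        if external_ids and external_id not in external_ids:
            continue  # external ID missing or wrong: the confused-deputy guard
        return True
    return False


def lint_trust_policy(trust_policy: dict) -> list:
    """Findings that make the trust policy unsafe or non-functional."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        arn_patterns, external_ids = _conditions(stmt)
        if "*" in _principals(stmt) and (not arn_patterns or "*" in arn_patterns):
            findings.append(f"{sid}: Principal '*' is not narrowed by aws:PrincipalArn, "
                            "so any AWS account could assume the role")
        if not external_ids:
            findings.append(f"{sid}: no sts:ExternalId condition (no confused-deputy protection)")
        if PLACEHOLDER_EXTERNAL_ID in external_ids:
            findings.append(f"{sid}: the placeholder external ID was never replaced")
    return findings


if __name__ == "__main__":
    trust = build_trust_policy("example-external-id-0123")  # constructed placeholder
    print(json.dumps(trust, indent=2))
    print("findings:", lint_trust_policy(build_trust_policy(PLACEHOLDER_EXTERNAL_ID)))
```

Nothing in the script talks to AWS; run it with the external ID from the platform to print the finished trust policy and to catch the configuration mistakes above before you paste the document into the console. The same evaluator shows why the order of checks matters: a caller with the right external ID but the wrong ARN, or the right ARN but a missing external ID, is refused, which is exactly the behaviour the two conditions are meant to enforce.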

Use AWS CloudFormation templates

You can automate the role creation process using AWS CloudFormation. This method is ideal for infrastructure-as-code workflows and multi-account deployments.

First create the template, then deploy it using one of the following options:
  1. AWS CLI
  2. AWS Management Console

Create the CloudFormation template

  1. Create a new file with a .yaml extension.
  2. Copy the following CloudFormation template into the file:
    Resources:
      CodeCommitAccessRole:
        Type: AWS::IAM::Role
        Properties:
          AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "sts:AssumeRole"
                Principal:
                  AWS:
                    - "*"
                Condition:
                  ArnEquals:
                    aws:PrincipalArn: "arn:aws:iam::205810638802:role/prod_integrates"
                  StringEquals:
                    sts:ExternalId: "<YOUR-EXTERNAL-ID>"
          Description: Role to grant Fluid Attacks access to CodeCommit repositories
          ManagedPolicyArns:
            - arn:aws:iam::aws:policy/AWSCodeCommitReadOnly
          RoleName: FluidAttacksCodeCommit

  3. Replace <YOUR-EXTERNAL-ID> with the external ID that Fluid Attacks generated for your organization.
  4. Save the file.
Notes: This template uses the AWSCodeCommitReadOnly managed policy for simplicity. That policy grants read access to every CodeCommit repository in the account; if you want the role limited to specific repositories, attach the least-privilege policy from the manual configuration section instead of the managed policy. The trust policy is the same as in the manual configuration, so the same caveats apply: both conditions must hold, and the placeholder external ID must be replaced.

Deploy using the AWS CLI

  1. Install the AWS CLI if you have not already done so.
  2. Configure credentials (for example with aws configure, or through the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables) for a principal with permissions to create CloudFormation stacks and IAM resources.
  3. Run the following command to deploy the stack:
    aws cloudformation deploy --template-file <path/to/template.yaml> \
      --stack-name <stack-name> \
      --capabilities CAPABILITY_NAMED_IAM

    Replace <path/to/template.yaml> with the path to your template file and <stack-name> with a descriptive name (e.g., fluid-attacks-codecommit). The CAPABILITY_NAMED_IAM acknowledgement is required because the template creates an IAM role with an explicit RoleName.

  4. After the deployment completes, retrieve the role ARN by running this:
    aws iam get-role --role-name "FluidAttacksCodeCommit"
    The command returns a JSON response containing the role details, including the ARN. Add --query Role.Arn --output text to print only the ARN.

Deploy using the AWS Management Console

  1. Sign in to the AWS Management Console using an account with permissions to perform read and write operations for CloudFormation and IAM resources.
  2. Use the search bar to locate the CloudFormation service and select it.
  3. In the CloudFormation Dashboard, click the Create stack dropdown and select With new resources (standard).
  4. Under Prerequisite - Prepare template, select Template is ready and, under Specify template, select Upload a template file, then click Choose file and select the template you created.
  5. Click Next to proceed.
  6. Enter a name for the stack and click Next.
  7. On the Configure stack options page, you can leave the default settings. Click Next.
  8. On the review page, scroll to the Capabilities section at the bottom and check the box acknowledging that CloudFormation may create IAM resources with custom names.
  9. Click Submit to begin the deployment and wait for the stack status to show CREATE_COMPLETE.
  10. Navigate to the Resources tab and click the Physical ID link for the role resource. This redirects you to the IAM Dashboard.
  11. Copy the ARN from the role summary to use in the Fluid Attacks platform.

Troubleshooting

If you encounter issues when adding your AWS environment to the Fluid Attacks platform, verify the following:
  1. Role permissions: Confirm that the role has the AWSCodeCommitReadOnly managed policy attached, or that your custom policy includes the codecommit:Get* and codecommit:GitPull actions for the target repositories (check that the repository ARNs in the Resource array match the repositories you registered, including the region).
  2. External ID: Ensure that the external ID in your role's trust policy matches the external ID assigned to your organization by Fluid Attacks. A mismatch, including a placeholder that was never replaced, causes role assumption to fail.
  3. Trusted principal: Ensure that the aws:PrincipalArn condition in the trust policy is exactly arn:aws:iam::205810638802:role/prod_integrates; a typo there is rejected in the same way as a wrong external ID.
  4. KMS-encrypted repositories: Repositories encrypted with a customer managed key (CMK) in AWS KMS may fail to clone with access denied errors (HTTP 403). This happens because a customer managed key requires explicit decrypt permissions for both the CodeCommit service and the principal that clones the repository, which in this setup is the role you created. Solutions:
    1. Switch to the AWS managed key: Change your repository encryption settings to use the default AWS managed key (aws/codecommit). This automatically handles all necessary permissions.
    2. Keep the custom CMK: Ensure your KMS key policy grants decrypt permission to CodeCommit and that the Fluid Attacks role has kms:Decrypt on the key, either directly in the key policy or through its permissions policy when the key policy delegates to IAM. See AWS KMS Key Policies.