Morpheus Integration with AWS using Role ARN without Access Key & Secret Keys

ranujain · February 6, 2024, 4:38am

Hi Experts,

We would like to avoid using IAM user (access key / secret key) when integrating. as there are more than 30 accounts, it will be a challenge when we need to cycle our key later. i saw we can use assume role, but there’s no detailed instruction on how to setup the assume role and external id.

Thanks

kgawronski · February 6, 2024, 5:07am

Hello @ranujain,

When configuring your AWS account as a cloud in Morpheus, you will enter the credentials of the user that is allowed to assume into the roles in the other accounts. As well, you’ll enter the Role ARN for the target Cloud you are connecting to, which should have the needed permissions for Morpheus. If your role requires an external ID, enter that as well.

Below is an example of an account I have added using credentials from my management account and the Role ARN from a child account in AWS Organizations. I don’t use the external ID in my example but you can populate that as well, if that is a requirement. If successful, and the proper permissions are on the assumed role, the VPCs should populate for the cloud or at least not mention an error about your credentials.

Hope that helps!

yingshuang · March 27, 2024, 6:34am

Hello @kgawronski

Thank you for your information.

I think you may miss pasting the hyperlink for “needed permissions” in your reply. could you please re-share the link for any needed permission of assumerole for Morpheus?

Thank you.

Tyler_Boyd · March 27, 2024, 12:29pm

Should work now

ranujain · March 28, 2024, 4:54am

Hi @Tyler_Boyd - I believe Morpheus has not implemented this function where customers can use only the Assume Role & External ID option and not using the access & secret key. Because we cannot move forward without providing IAM user’s security credentials. Please check below idea raised for the same.

Tyler_Boyd · March 28, 2024, 1:22pm

That idea is closed and is marked to have been added in version 6.0.2

yingshuang · April 1, 2024, 4:23am

Hello @Tyler_Boyd ,

I understood that it has enhanced to support Assume IAM Role and External ID at 6.0.2.

But the customer is asking if can use Assume IAM Role and External ID only instead of using AWS Access Key and Secret Key for AWS integration?

I assume this is not supported? Am I correct?

Thank you.

Tyler_Boyd · April 1, 2024, 12:40pm

To assume into an AWS role you need to be authenticated into the account that has been granted access to assume into the role specified.

If Morpheus is hosted in AWS you can apply the IAM to the EC2 instance directly, that way an access key and secret key is not required.

Topic		Replies	Views
:white_check_mark: AWS Cloud Onboarding Ideas clouds , accepted , closed	6	523	March 10, 2023
Adding AWS cloud with cross-account access and External ID Infrastructure clouds , aws , infrastructure , amazon	0	60	July 29, 2024
Requirement to use AssumeRole for AWS integration Infrastructure clouds	0	79	March 25, 2024
ARN user is not authorized to perform: sts:AssumeRole on resource Administration clouds	7	169	May 17, 2024
AWS account integration with Morpheus is throwing error using ROLE ARN (without using Access/secret keys)) Administration clouds , aws	0	234	March 3, 2023

Morpheus Integration with AWS using Role ARN without Access Key & Secret Keys

Related topics