Access Templates
After you've set up the Access Server, you should create one or more access templates. When a user needs to request access to an AWS account, they base their request on an access template. The access template determines which IAM role users are allowed to assume and under what conditions.
The process for creating access templates can roughly be broken into three steps:
- Decide which AWS accounts users need access to and what level of access they need.
- Create the corresponding roles in each AWS account.
- Create the corresponding access templates.
Creating Roles
You can create roles via the AWS console, CLI, or your standard deployment model (e.g. CloudFormation or Terraform).
The role's trust policy should be configured to allow the Access Server (whether your own or the Cloud Defense managed one) to assume the role and set the source identity. For example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:role/AccessServer-GetCredentialsFunctionServiceRole0AAE"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "8dc4ebf8-4384-49d1-897f-1fcbf766ac9d"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:role/AccessServer-GetCredentialsFunctionServiceRole0AAE"
      },
      "Action": "sts:SetSourceIdentity"
    }
  ]
}
Replace the Principal.AWS values with the ARN of the Access Server's role, and the Condition.StringEquals.sts:ExternalId value with your Cloud Defense client ID. Both values can be found in the Cloud Defense console on the Access Server page.
The sts:ExternalId condition is only strictly required if you are using the Cloud Defense managed Access Server.
You can find more example templates and roles in the Cloud Defense console when creating a new template.
Creating Access Templates
After you've created the roles, log in to the Cloud Defense console to create a corresponding access template for each role. The access template defines how a user is allowed to request access to a particular role, and therefore to a particular AWS account. Once a user's access request is approved, the user requests credentials from the Access Server; the Server assumes the template's role and returns credentials that are valid only for the duration specified in the access request.
Frequently Asked Questions
Why am I getting this error when retrieving credentials?
Error getting credentials. AccessDenied: User: arn:aws:sts::123456789012:assumed-role/AccessServer-GetCredentialsFunctionServiceRole/AccessServer-GetCredentialsFunction is not authorized to perform: sts:SetSourceIdentity on resource: arn:aws:iam::987654321098:role/access-server/CloudWatchLogsReadOnlyAccess
You need to add the sts:SetSourceIdentity action to the trust policy of the role in the target account. Based on the example error message above, the CloudWatchLogsReadOnlyAccess role needs to allow AccessServer-GetCredentialsFunctionServiceRole to perform sts:SetSourceIdentity. Additionally, if the Access Server and the role it is trying to assume are in two different accounts, check that the AllowedRoleArns parameter is configured correctly.
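The following is an added example, not code from the Cloud Defense documentation or product. It covers two things from this page: an offline check that a role's trust policy contains the two statements shown in the Creating Roles section (sts:AssumeRole conditioned on the client ID as sts:ExternalId, plus sts:SetSourceIdentity, both for the Access Server role), and a parser for the AccessDenied message from the FAQ that points at which role must grant which action and whether the two sides are in different accounts. The Access Server role ARN and client ID below are the sample values from the page; the function and variable names are this example's own.

```python
"""Offline checks for an Access Server role trust policy (added example).

Assumes the trust policy is available as a Python dict (e.g. loaded with
json.load from your Terraform/CloudFormation output or `aws iam get-role`).
"""
import json
import re

# Sample values copied from the docs' example policy; use the ones shown on
# the Access Server page of your console in practice.
ACCESS_SERVER_ROLE = "arn:aws:iam::111111111111:role/AccessServer-GetCredentialsFunctionServiceRole0AAE"
CLIENT_ID = "8dc4ebf8-4384-49d1-897f-1fcbf766ac9d"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows(statement, principal_arn, action):
    """True if this Allow statement grants `action` to exactly `principal_arn`."""
    if statement.get("Effect") != "Allow":
        return False
    principal = statement.get("Principal")
    principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
    return principal_arn in principals and action in _as_list(statement.get("Action"))


def check_trust_policy(policy, access_server_role=ACCESS_SERVER_ROLE, client_id=CLIENT_ID, managed=True):
    """Return a list of findings; an empty list means the policy matches the docs.

    `managed=True` enforces the sts:ExternalId condition, which the docs say is
    strictly required only with the Cloud Defense managed Access Server.
    """
    findings = []
    statements = _as_list(policy.get("Statement"))
    assume = [s for s in statements if _allows(s, access_server_role, "sts:AssumeRole")]
    if not assume:
        findings.append("missing sts:AssumeRole for the Access Server role")
    if not any(_allows(s, access_server_role, "sts:SetSourceIdentity") for s in statements):
        findings.append("missing sts:SetSourceIdentity for the Access Server role")
    if managed and not any(
        s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId") == client_id
        for s in assume
    ):
        findings.append("sts:AssumeRole is not conditioned on sts:ExternalId equal to the client ID")
    return findings


# Matches the AccessDenied text shown in the FAQ.
_ERROR_RE = re.compile(
    r"User: arn:aws:sts::(?P<caller_account>\d{12}):assumed-role/(?P<caller_role>[^/\s]+)/\S+ "
    r"is not authorized to perform: (?P<action>sts:\w+) "
    r"on resource: (?P<target>arn:aws:iam::(?P<target_account>\d{12}):role/\S+)"
)


def diagnose_access_denied(message):
    """Turn the FAQ's AccessDenied message into the fix it implies, or None."""
    m = _ERROR_RE.search(message)
    if not m:
        return None
    return {
        "target_role": m["target"],           # role whose trust policy needs the action
        "must_allow": m["caller_role"],       # Access Server role to grant it to
        "action": m["action"],                # e.g. sts:SetSourceIdentity
        "cross_account": m["caller_account"] != m["target_account"],  # check AllowedRoleArns too
    }


if __name__ == "__main__":
    with open("trust-policy.json") as fh:  # path is an assumption for this example
        print(check_trust_policy(json.load(fh)))
```

Run it against the trust policy of each target role before creating its access template; for the managed Access Server, keep `managed=True` so a missing or mismatched client ID is reported. If a user still sees the FAQ error, feed the message to `diagnose_access_denied`, which names the role to fix and flags the cross-account case where AllowedRoleArns should also be checked.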