Creating an IAM Access Role
An Identity and Access Management (IAM) role is an AWS resource that defines permissions for a service to access AWS resources. To grant Zonké access to your AWS resources, you need to create an IAM role with the required permissions.
How we keep your account secure
To create infrastructure on your behalf, Zonké requires admin-level permissions to your AWS account. We use these permissions to create resources like S3 buckets, CloudFront distributions, and Lambda functions. We do not store your AWS credentials. Instead, we use the AWS Security Token Service (STS) to generate temporary credentials that expire after a short period. We follow these AWS best practices to keep your account secure:
- We use the principle of least privilege to grant only the permissions required to create and manage resources on Zonké.
- The IAM role you will create has a trust relationship with one Zonké account.
- The role's trust policy has an external ID that is unique to each account you create to avoid the Confused Deputy Problem.
- The account we use to create resources on your behalf is a passthrough account. It is not the same account we use to manage Zonké.
Prerequisites - On Zonké
Before you create an IAM role, you need to add your account to Zonké. Follow these steps to add your account:
- Open the Zonké dashboard at https://zonke.dev/dashboard/ and select your organization.
- Click Create Account in the dropdown.

- Fill in the account details and click Create.
- You will need the Access Role, Account ID, External ID, and Permission Policy provided on the account page.
- Keep this page open as you will need it for the next steps.
Create Permission Policy - On AWS
- Open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose Policies.
- Click the Create policy button.
- Choose the JSON tab and paste the Permission Policy provided on the Zonké account page into the editor.
- Click the Next button.
- Enter a name for the policy and click the Create policy button.
Creating the IAM Role - On AWS
- Open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose Roles.
- Click the Create role button.
- Choose AWS account as the trusted entity.
- Choose Another AWS account as the account ID.
- Enter the account ID provided on the Zonké account page.
- Check the Require external ID box.
- Enter the external ID provided on the Zonké account page.
- Click the Next button.
- Search and attach the permission policy you created earlier.
- Click the Next button.
- Enter the role name provided on the Zonké account page and a description.
- Click the Create role button.
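The steps above should leave the role trusting exactly one account, with sts:AssumeRole gated on the external ID. The following check of a trust policy document against those properties is an added example, not Zonké's own code; the account ID, external ID and sample policy are constructed placeholders.

```python
import json

# Constructed placeholders: use the Account ID and External ID from your Zonké account page.
ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy, account_id, external_id):
    """Return a list of problems; an empty list means the policy matches."""
    allows = [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]
    if len(allows) != 1:
        return [f"expected exactly 1 Allow statement, found {len(allows)}"]
    stmt, problems = allows[0], []
    principal = stmt.get("Principal")
    if not isinstance(principal, dict) or set(principal) != {"AWS"}:
        problems.append("principal must be one AWS account, not a wildcard or service")
    else:
        trusted = _as_list(principal["AWS"])
        expected = {account_id, f"arn:aws:iam::{account_id}:root"}
        if len(trusted) != 1 or trusted[0] not in expected:
            problems.append(f"principal is not only account {account_id}")
    if _as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
        problems.append("action must be exactly sts:AssumeRole")
    # Condition key names are case-insensitive in IAM; only StringEquals is accepted here.
    string_equals = stmt.get("Condition", {}).get("StringEquals", {})
    cond = {key.lower(): value for key, value in string_equals.items()}
    if _as_list(cond.get("sts:externalid", [])) != [external_id]:
        problems.append("missing or wrong sts:ExternalId condition")
    return problems

# Constructed sample of the trust policy the console steps above produce.
GOOD = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}
  }]
}""")

# The same role with the "Require external ID" box left unchecked.
NO_EXTERNAL_ID = {"Statement": [{k: v for k, v in GOOD["Statement"][0].items() if k != "Condition"}]}

if __name__ == "__main__":
    for doc in (GOOD, NO_EXTERNAL_ID):
        print(check_trust_policy(doc, ACCOUNT_ID, EXTERNAL_ID))
```

To check the real role, pass in the trust policy JSON shown on the role's Trust relationships tab in the IAM console.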
Confirm Access Role - On Zonké
- Open the Zonké account page and click the Verify button.

- We will create a free resource to verify the role. If the resource is created successfully, your role is set up correctly. You should see a success message.
- If the resource is not created, check the permissions and external ID and try again. If you need help, contact us at support@zonke.dev.