AWS Connection

GRAX Managed Deployments require a cross-account IAM role with the permissions to create and manage the GRAX Application's infrastructure in a dedicated AWS Cloud account. You can create this IAM role automatically with GRAX's IAM Quick Deploy or manually create the required IAM role.

New AWS Connection

External ID: A unique ID generated by GRAX for this connection, used when creating the IAM role's Trust Policy. See this AWS documentation for details.

Role ARN: The Amazon Resource Name for the cross-account IAM role you are providing to GRAX.

AWS IAM Quick Deploy

Ensure you are logged into your dedicated AWS account on another tab and click the "IAM Role Quick Deploy" button. GRAX will create a CloudFormation stack for an IAM cross-account role with the required permissions.

  1. Ensure you are logged into the target AWS account with an Admin level user or a user with access to create IAM cross-account roles.
  2. Click the "IAM Role Quick Deploy" button. GRAX will open AWS in a new tab and load our certified CloudFormation template for the cross-account IAM role.
  3. Deploy the stack by clicking "Create Stack" in the lower right corner. You can also preview the IAM role and associated policies by creating a change set prior to creating the stack.
  4. After you create the stack or execute the change set, click on the Resources tab in the stack to view progress. After a few minutes the AssumeRole resource will have a status of CREATE_COMPLETE. You may need to refresh the page.
  5. Click on the link for grax-platform in the Physical ID column to open the newly created role.
  6. Copy the ARN value from this page and paste it into the Role ARN field in GRAX Platform.
  7. Click Save in GRAX Platform.

AWS IAM Manual Creation

While our Quick Deploy process is highly recommended, your AWS Administrator can manually create the IAM role for GRAX if they choose to do so. The IAM role must have the following:

  • Trust Policy allowing sts:AssumeRole to GRAX AWS Account 999875163122.
    • A Trust Policy condition limiting to the External ID (copied from the Platform Connection referenced above) is highly recommended.
  • Permission to Create, List, and Delete all the necessary GRAX infrastructure.
    • The AdministratorAccess policy is the most straightforward way to accomplish this.
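
A manually created role's trust policy can be checked against the two trust requirements above before the Role ARN is saved in GRAX. The following Python check is an added example, not GRAX's code or its CloudFormation template; the function name audit_trust_policy, the sample policy and the External ID EXAMPLE-EXTERNAL-ID are constructed for illustration.

```python
import json

GRAX_ACCOUNT = "999875163122"  # GRAX AWS account ID, as stated on this page

# Constructed sample trust policy; the External ID is a placeholder, not a real value.
SAMPLE = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::999875163122:root"},
  "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}""")


def _as_list(value):
    """IAM accepts a single value or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [] if value is None else [value]


def _account_of(principal):
    """Account ID from a bare ID or an ARN principal; '*' stays a wildcard."""
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) > 4 else principal


def audit_trust_policy(policy, external_id, account=GRAX_ACCOUNT):
    """Return findings; an empty list means the policy matches the requirements."""
    findings, granted = [], False
    for stmt in _as_list(policy.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        accounts = {_account_of(p) for p in aws}
        if not accounts:
            continue  # service or federated principal, outside this check
        granted = granted or bool(accounts & {account, "*"})
        for other in sorted(accounts - {account}):
            findings.append(f"sts:AssumeRole is also allowed for principal {other}")
        # Condition key names are not case-sensitive in IAM.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ids = _as_list({k.lower(): v for k, v in cond.items()}.get("sts:externalid"))
        if ids != [external_id]:
            findings.append("sts:ExternalId condition is missing or does not match")
    if not granted:
        findings.append(f"no statement allows sts:AssumeRole to account {account}")
    return findings


if __name__ == "__main__":
    print(audit_trust_policy(SAMPLE, "EXAMPLE-EXTERNAL-ID") or "trust policy OK")
```

The policy argument is the role's AssumeRolePolicyDocument, for example as returned by aws iam get-role, and external_id is the value copied from the Platform Connection.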

📘 GRAX Support cannot provide assistance with AWS IAM roles not created from our CloudFormation template.

Our Platform Connections documentation reviews GRAX Security practices and goes into more detail on best practices for this configuration.