Connections represent cross-account policies that allow GRAX tools to perform deployments, updates, and deletes within your cloud provider account. Connections can be set and removed via the GRAX Platform UI. Instructions for creating supporting resources for Connections are provided below for AWS and Azure.

Create an AWS Connection

Create Role

There are two ways to create the required role. Use one of the following:

Option 1 - Using AWS Console

  1. Go to Connections and click Add AWS Connection.
  2. Click IAM Role Quick Deploy.
  3. Enable the checkbox with text "I acknowledge that AWS CloudFormation might create IAM resources with custom names."
  4. Click Create Stack and wait a couple of seconds. Then, click Outputs, the fourth tab. Find the value of AssumeRoleArn and copy it.
  5. At the New AWS Connection page, Fill Role ARN with the value copied at the previous step and press Save.

Option 2 - Using AWS CLI

  1. Replace "your-external-id" with your ExternalId and run the following script.

    # Create role using Cloudformation, wait for completion,and obtain the role arn from the output
    aws cloudformation create-stack \
    --stack-name grax-platform \
    --template-url https://s3.amazonaws.com/grax-public-templates/master/cloudformation/grax-role.yml \
    --parameters ParameterKey=ExternalId,ParameterValue=$ExternalId \
    --capabilities CAPABILITY_NAMED_IAM --output text 2>&1 > /dev/null &&
    aws cloudformation wait stack-create-complete --stack-name grax-platform &&
    aws cloudformation describe-stacks --stack-name grax-platform --query 'Stacks[0].Outputs[?OutputKey==`AssumeRoleArn`].OutputValue' --output text
  2. Copy the output from the script

  3. At the New AWS Connection page, Fill Role ARN with the value copied at the previous step and press Save.

Create an Azure Connection

The easiest way to create a service principal is using the Azure CLI.

Create a Service Principal

First, ensure that you are logged in:

az login
    "cloudName": "AzureCloud",
    "id": "subscrip-abcd-abcd-abcd-abcdabcdabcd",
    "isDefault": "true",
    "name": "Pay-As-You-Go",
    "state": "Enabled",
    "tenantId": "tenantab-abcd-abcd-abcd-abcdabcdabcd",
    "user": {
      "name": "[email protected]",
      "type": "user"

Note: In the above JSON, id represents your Azure subscription id.

Next, set your active subscription:

az account set --subscription="${id}"

Then, create a Service Principal to allow GRAX to manage infrastructure:

az ad sp create-for-rbac -n "GRAX" --scopes "/subscriptions/${id}" --role "Owner"

This returns the required authorization data for your Service Principal, as JSON.

  "appId": "appidabc-abcd-efgh-abcd-efgh-abcdabcdabcd",
  "displayName": "John",
  "name": "http://example.com",
  "password": "password-abcd-efgh-abcd-efgh-abcdabcdabcd",
  "tenant": "tenantid-abcd-efgh-abcd-efgh-abcdabcdabcd"

Now you need to enter the following values into your Azure Connection details:

  1. Click Add Azure Connection.
  2. Fill the values as follows:
    1. Tenant ID: Use the "tenant" value from the JSON.
    2. Subscription ID: This is your Azure subscription id.
    3. Client ID: Use the "appId" value from the JSON.
    4. Client Secret: Use the "password" value from the JSON.
  3. Click Save