> For the complete documentation index, see [llms.txt](https://documentation.grax.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://documentation.grax.com/platform/connections/aws-connection.md). # AWS Connection GRAX Managed Deployments require a cross-account IAM role with the permissions to create and manage the GRAX Application's infrastructure in a dedicated AWS Cloud account. You can create this IAM role automatically with GRAX's IAM Quick Deploy or manually create the required IAM role. ![New AWS Connection](/files/AueIaGSLA2TDIpCYGb2o) **External ID:** A Unique ID generated by GRAX for this connection which is used when creating the IAM role's Trust Policy See this [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html) for details. **Role ARN:** The [Amazon Resource Name](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) for the cross-account IAM role you are providing to GRAX. ## AWS IAM Quick Deploy Ensure you are logged into your dedicated AWS account on another tab and click the "IAM Role Quick Deploy" button. GRAX will create a CloudFormation stack for an IAM cross-account role with the required permissions. 1. Ensure you are logged into the target AWS account with an Admin level user or a user with access to create IAM cross-account roles. 2. Click the IAM role Quick Deploy button. GRAX will open AWS in a new tab and load our certified [CloudFormation template](https://s3.amazonaws.com/grax-public-templates/master/cloudformation/grax-role.yml) for the cross-account IAM role. 3. Deploy the stack by clicking "Create Stack" in the lower right corner. You can also preview the IAM role and associated policies by creating a change set prior to creating the stack. 4. After you create the stack or execute the change set, click on the Resources tab in the stack to view progress. After a few minutes the AssumeRole resource will have a status of CREATE\_COMPLETE. You may need to refresh the page. 5. Click on the link for `grax-platform` in the Physical ID column to open the newly created role. 6. Copy the ARN value from this page and paste it into the ARN role field in GRAX Platform. 7. Click Save in GRAX Platform. ## AWS IAM Manual Creation While our Quick Deploy process is highly recommended, your AWS Administrator can manually create the IAM role for GRAX if they choose to do so. The IAM role must have the following: * Trust Policy allowing `sts:AssumeRole` to GRAX AWS Account 999875163122. * A Trust Policy condition limiting to the External ID (copied from the Platform Connection referenced above) is highly recommended. * Permission to Create, List, and Delete all the necessary GRAX infrastructure. * The AdministratorAccess policy is the most straightforward way to accomplish this. {% hint style="warning" %} GRAX Support cannot provide assistance with AWS IAM roles not created from our [CloudFormation template](https://s3.amazonaws.com/grax-public-templates/master/cloudformation/grax-role.yml). {% endhint %} Our Platform Connections [documentation](/platform/connections/platform-connections.md) reviews GRAX Security practices and goes into more detail on best practices for this configuration. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://documentation.grax.com/platform/connections/aws-connection.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.