5.0
MSK portal
Secure AWS installation
For secure integration with Amazon Web Services, AWS IAM role delegation is used. To learn more about role delegation, refer to the AWS IAM Best Practices guide.
IAM Role delegation
A role in your AWS account will specify what permissions the IAM user is allowed to temporarily assume to complete the installation.
The diagram below shows how the delegation of permissions using an IAM role works:
External ID
An external ID will allow Lenses to assume the installation role and assert the circumstances in which it is operating. It also provides a way for you (the account owner) to permit the role to be assumed only under specific circumstances.
AWS Secrets Manager
The information for the Role and the External ID are stored securely in AWS Secrets Manager following the AWS compliance standards.
Setup Role Delegation
To start, sign in using your portal account:
1) Click on Launch CloudFormation in AWS
2) Log in to the AWS console.
3) On the CloudFormation page, create a new stack. Change the role name to match your organization's conventions.
4) Update the Lenses.io integration tile with the IAM role name and account ID used to create the CloudFormation stack. You can copy from CloudFormation outputs.
Security summary
The following diagram depicts how Lenses will securely use that external ID only when acting on your behalf.
This is what a trust policy specifying a unique external ID looks like:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Principal": {"AWS": "Lenses.io AWS Account ID"},
    "Condition": {
      "StringEquals": {"sts:ExternalId": "Your unique external id"}
    }
  }
}
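An account owner can check that a delegated role's trust policy really enforces the external ID before handing over the role name. The following audit script is an added example, not code from Lenses.io or from the original page; the function names, the account ID `111122223333` and the external ID `example-external-id` are constructed placeholders.

```python
import json

VALID_VERSIONS = {"2012-10-17", "2008-10-17"}  # the only IAM policy language versions

def _as_list(value):
    """IAM accepts either a single item or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Account ID from a bare 12-digit ID or an IAM ARN; None otherwise."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) > 5 and parts[0] == "arn" else None

def audit_trust_policy(policy, trusted_account, external_id):
    """Return findings for a role trust policy; an empty list means it passes."""
    findings = []
    if policy.get("Version") not in VALID_VERSIONS:
        findings.append("invalid policy Version")
    for n, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue  # statement does not grant role assumption
        principal = stmt.get("Principal") or {}
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if not aws:
            continue  # service or federated principals are out of scope here
        for p in aws:
            if p == "*":
                findings.append(f"statement {n}: wildcard principal")
            elif _account_of(p) != trusted_account:
                findings.append(f"statement {n}: unexpected principal {p}")
        # Condition key names are case-insensitive in IAM.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = [v for k, vals in equals.items() if k.lower() == "sts:externalid"
               for v in _as_list(vals)]
        if not ids:
            findings.append(f"statement {n}: no sts:ExternalId condition")
        elif ids != [external_id]:
            findings.append(f"statement {n}: external ID mismatch")
    return findings

# Constructed sample: account ID and external ID are placeholders, not real values.
SAMPLE = json.loads("""{"Version": "2012-10-17", "Statement": {"Effect": "Allow",
  "Action": "sts:AssumeRole", "Principal": {"AWS": "111122223333"},
  "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}}""")

if __name__ == "__main__":
    print(audit_trust_policy(SAMPLE, "111122223333", "example-external-id") or "OK")
```

A role whose trust policy yields a "no sts:ExternalId condition" finding can be assumed by the trusted account on behalf of any of its customers, which is the confused-deputy case the external ID exists to prevent.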