Step 1: Download IAM role IaC template (API)
Before you can create a Cloud Environment, you must download an Infrastructure as Code (IaC) template declaring a read-only Identity and Access Management (IAM) role that Snyk can assume to scan the configuration of resources in your Amazon Web Services (AWS) account.
Retrieve the IaC template
Send a request to the Snyk API in the following format, replacing INPUT-TYPE with tf for Terraform or cf for CloudFormation:
Understand the API response
The response is a JSON document like the ones below (trimmed for length).
Example response with Terraform configuration:
Example response with CloudFormation template:
Unescape the JSON
The data.attributes.data field in the preceding output is an escaped JSON string containing the Terraform or CloudFormation template with the IAM role and policy.
Before you can use the template to provision the resources, you need to unescape the JSON. This can be accomplished in the following ways:
Use jq
When you are submitting the API request to retrieve the template, append the following to the end of the command:
This will place the properly-formatted template into the file snyk_iac_template in your current working directory.
Rename the file with a .tf extension (Terraform) or .yaml (CloudFormation).
Transform the content manually
Copy the contents of data.attributes.data from the API response, excluding the double quote at the very beginning and the very end of the value. You should end up with a long string starting with data \"aws_iam_policy_document\" (Terraform) or AWSTemplateFormatVersion (CloudFormation).
Save the unescaped output as a new .tf file (Terraform) or .yaml file (CloudFormation).
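The unescape-and-save procedure above, as an added Python example (not Snyk's own code): it parses a response, lets the JSON parser undo the escaping, picks the extension from the leading token, and rejects a hand-copied value that was never unescaped. The sample responses are constructed, and the function names are hypothetical.

```python
import json
from pathlib import Path

# Constructed sample bodies (not real Snyk output); only the leading tokens and
# the default role name come from the page.
TF_BODY = ('data "aws_iam_policy_document" "assume" {\n}\n'
           'resource "aws_iam_role" "snyk" {\n  name = "snyk-cloud-role"\n}\n')
CF_BODY = ('AWSTemplateFormatVersion: "2010-09-09"\nResources:\n  SnykRole:\n'
           '    Type: AWS::IAM::Role\n    Properties:\n      RoleName: snyk-cloud-role\n')

def sample_response(body):
    """Build a constructed API response holding `body` as an escaped string."""
    return json.dumps({"data": {"attributes": {"data": body}}})

def unescape_template(response_text):
    """Parse the response; the JSON parser undoes the string escaping."""
    template = json.loads(response_text)["data"]["attributes"]["data"]
    if not isinstance(template, str) or not template.strip():
        raise ValueError("data.attributes.data is missing or empty")
    return template

def template_extension(template):
    """Return '.tf' or '.yaml'; reject text that is still escaped."""
    # A hand-copied value that was never unescaped has literal \n and \" but
    # no real line breaks.
    if "\n" not in template and ("\\n" in template or '\\"' in template):
        raise ValueError("template is still an escaped JSON string")
    head = template.lstrip()
    if head.startswith('data "aws_iam_policy_document"'):
        return ".tf"
    if head.startswith("AWSTemplateFormatVersion"):
        return ".yaml"
    raise ValueError("unrecognised template type")

def save_template(response_text, directory, stem="snyk_iac_template"):
    """Write the unescaped template with the right extension; return its path."""
    template = unescape_template(response_text)
    path = Path(directory) / (stem + template_extension(template))
    path.write_text(template, encoding="utf-8")
    return path

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for body in (TF_BODY, CF_BODY):
            saved = save_template(sample_response(body), tmp)
            print(saved.name, "default role present:", "snyk-cloud-role" in saved.read_text())
```

Reviewing the saved file before applying it also confirms that the role it declares is the one you expect to provision.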
Optional: Change IAM role name
By default, the name of the Snyk IAM role is snyk-cloud-role. If your Organization has specific role naming requirements, you have the option to change this name in the Terraform or CloudFormation template.
In Terraform, the role name is on line 19:
In CloudFormation, the role name is on line 7: