Recap
You have downloaded the Terraform or Amazon Web Services (AWS) CloudFormation template declaring the Identity and Access Management (IAM) role for Snyk. Now you need to provision the infrastructure.
The IAM role you will provision has the following policies attached to it:
The AWS-managed SecurityAudit read-only policy.
A supplemental inline policy granting required read permissions not covered by SecurityAudit.
The role also has a trust policy that specifies an external ID. Snyk generates this unique ID for your organization to prevent other parties from assuming the role without the ID, even if they have your role Amazon Resource Name (ARN).
Create the IAM role with Terraform or CloudFormation
You can create the IAM role using one of the following tools, according to the type of template you downloaded from Snyk:
Terraform: Terraform CLI
CloudFormation: AWS CLI or AWS Management Console
Create the IAM role with Terraform
1. In your terminal, navigate to the directory containing the Snyk IAM role Terraform file (named snyk-permissions-aws.tf if it has been downloaded from the Snyk Web UI).
2. Using the Terraform CLI, initialize the Terraform project:
3. Review and apply the Terraform plan:
Enter yes when Terraform asks if you want to perform the actions.
Terraform then creates the IAM role. When the role has been created, you will see the following output:
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
Create the IAM role with AWS CLI
1. In your terminal, navigate to the directory containing the Snyk IAM role CloudFormation file (named snyk-permissions-aws.yml if it has been downloaded from the Snyk Web UI).
2. Using the AWS CLI, launch the CloudFormation stack, replacing snyk-cloud-role with the name of your IAM role if you changed it and snyk-permissions-aws.yml with the name of your file:
aws cloudformation create-stack \
--stack-name snyk-cloud-role \
--capabilities CAPABILITY_NAMED_IAM \
--template-body file://snyk-permissions-aws.yml
3. AWS then creates the IAM role. This typically takes about a minute. To check whether it is finished, get the stack status, replacing snyk-cloud-role with the name of your IAM role:
aws cloudformation describe-stacks \
--stack-name snyk-cloud-role
If the StackStatus in the output is "CREATE_COMPLETE", AWS has finished creating your role.
Create the IAM role using the AWS Management Console
4. Select With new resources (standard) from the drop-down menu.
5. On the Create stack page, in the Specify template section, select Upload a template file.
6. Click the Choose file button that appears and select your CloudFormation file containing the Snyk IAM role.
7. Select Next.
8. On the Specify stack details page, in the Stack name section, enter a stack name, such as
9. Select Next.
10. On the Configure stack options page, enter tags if desired and keep the rest of the defaults.
11. Select Next.
12. On the Review page, in the Capabilities section at the bottom, check the box I acknowledge that AWS CloudFormation might create IAM resources with custom names.
13. Select Create stack.
14. AWS launches the stack, and you'll see a page with stack details. You can select the Refresh button to refresh its status:
If the Status column says CREATE_COMPLETE, AWS has finished creating the IAM role.
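Whichever path you used, it is worth confirming that the provisioned role has the shape the recap describes: the SecurityAudit managed policy attached, and every AssumeRole grant in the trust policy gated on the sts:ExternalId condition, so that a party holding only the role ARN cannot assume it. The Python script below is an added example, not Snyk's code and not part of the downloaded templates. Run with no arguments it checks a constructed sample (placeholder account ID and external ID); run with a role name (for example snyk-cloud-role) it reads the live role through boto3, which assumes AWS credentials in your environment and the iam:GetRole and iam:ListAttachedRolePolicies permissions.

```python
"""Check that an IAM role matches the shape this page describes:
the AWS-managed SecurityAudit policy attached, and every AssumeRole grant in
the trust policy gated on an sts:ExternalId condition.
Added example, not Snyk's code."""

SECURITY_AUDIT_ARN = "arn:aws:iam::aws:policy/SecurityAudit"  # AWS-managed policy ARN

# Constructed sample shaped like the output of `aws iam get-role` and
# `aws iam list-attached-role-policies`. Account ID and external ID are placeholders.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # placeholder trusted account
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},  # placeholder
        }
    ],
}
SAMPLE_ATTACHED_POLICY_ARNS = [SECURITY_AUDIT_ARN]


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(trust_policy):
    return _as_list(trust_policy.get("Statement"))


def _grants_assume_role(statement):
    """True for an Allow statement whose actions include sts:AssumeRole or a wildcard."""
    if statement.get("Effect") != "Allow":
        return False
    actions = [a.lower() for a in _as_list(statement.get("Action"))]
    return any(a in ("sts:assumerole", "sts:*", "*") for a in actions)


def statements_missing_external_id(trust_policy):
    """Indices of Allow statements granting sts:AssumeRole with no non-empty
    StringEquals sts:ExternalId condition (condition keys are case-insensitive)."""
    missing = []
    for i, stmt in enumerate(_statements(trust_policy)):
        if not _grants_assume_role(stmt):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        equals = {k.lower(): v for k, v in equals.items()}
        ext_ids = [e for e in _as_list(equals.get("sts:externalid")) if str(e).strip()]
        if not ext_ids:
            missing.append(i)
    return missing


def statements_trusting_everyone(trust_policy):
    """Indices of Allow AssumeRole statements whose principal is the wildcard."""
    hits = []
    for i, stmt in enumerate(_statements(trust_policy)):
        if not _grants_assume_role(stmt):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            hits.append(i)
    return hits


def check_role(trust_policy, attached_policy_arns):
    """Return human-readable findings; an empty list means the role looks right."""
    findings = []
    if SECURITY_AUDIT_ARN not in attached_policy_arns:
        findings.append("SecurityAudit managed policy is not attached")
    for i in statements_missing_external_id(trust_policy):
        findings.append(f"trust policy statement {i} allows AssumeRole without an sts:ExternalId condition")
    for i in statements_trusting_everyone(trust_policy):
        findings.append(f"trust policy statement {i} trusts any AWS principal")
    return findings


def fetch_role(role_name):
    """Read the live role with boto3 (assumes AWS credentials in the environment)."""
    import boto3  # imported here so the offline checks above do not need it

    iam = boto3.client("iam")
    role = iam.get_role(RoleName=role_name)["Role"]
    attached = iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]
    return role["AssumeRolePolicyDocument"], [p["PolicyArn"] for p in attached]


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        trust, attached = fetch_role(sys.argv[1])  # e.g. python check_role.py snyk-cloud-role
    else:
        trust, attached = SAMPLE_TRUST_POLICY, SAMPLE_ATTACHED_POLICY_ARNS
    problems = check_role(trust, attached)
    print("\n".join(problems) if problems else "role OK")
```

The inline supplemental policy the page mentions is not checked here because its contents are not on the page; an easy extension is to list the role's inline policies with iam:ListRolePolicies and fail on any statement whose actions are not read-only.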
The next step is to create and scan the Cloud Environment. See Step 3: create and scan a Cloud Environment (Web UI).