Step 1: Download IAM role IaC template (API)

Before you can create a Snyk Cloud Environment, you must download an Infrastructure as Code (IaC) template declaring a read-only Identity & Access Management (IAM) role that Snyk can assume to scan the configuration of resources in your Amazon Web Services (AWS) account.

You will use this IaC template to provision the role in Step 2: Create the Snyk IAM role.

You can choose the template format: either Terraform HCL or AWS CloudFormation. The IAM permissions are identical in both, so pick the format you are most comfortable working with.

Retrieve the IaC template

To retrieve the IaC template from the Snyk API, you need the API token for an Organization-level service account with an Org Admin role.

In the Snyk Web UI, navigate to Settings (cog icon) > General > Organization ID and copy your Organization ID.
Send a request to the Snyk API in the below format, replacing INPUT-TYPE with tf for Terraform or cf for CloudFormation:

curl -X POST \
'https://api.snyk.io/rest/orgs/YOUR-ORGANIZATION-ID/cloud/permissions?version=2022-12-21~beta' \
-H 'Authorization: token YOUR-API-TOKEN' \
-H 'Content-Type:application/vnd.api+json' -d '{
    "data": {
        "attributes": {
            "type": "INPUT-TYPE",
            "platform": "aws"
        },
        "type": "permissions"
    }
}'

The example above uses curl, but you can use any API client, such as Postman or HTTPie.

Understand the API response

The response is a JSON document like the ones below (trimmed for length).

Example response with Terraform configuration:

{
  "jsonapi": {
    "version": "1.0"
  },
  "data": {
    "id": "00000000-0000-0000-0000-000000000000",
    "type": "permissions",
    "attributes": {
      "data": "data \"aws_iam_policy_document\"<...>",
      "type": "tf"
    }
  }
}

Example response with CloudFormation template:

{
  "jsonapi": {
    "version": "1.0"
  },
  "data": {
    "id": "00000000-0000-0000-0000-000000000000",
    "type": "permissions",
    "attributes": {
      "data": "AWSTemplateFormatVersion:<...>",
      "type": "cf"
    }
  }
}

Unescape the JSON

The data.attributes.data field in the output above is an escaped JSON string containing the Terraform or CloudFormation template with the IAM role and policy.

Before you can use the template to provision the resources, you need to unescape the JSON. This can be accomplished in the following ways:

Use `jq`

Download and install jq.
When submitting the API request during template retrieval, append the following to the end of the command:
```
| jq -r .data.attributes.data > snyk_iac_template
```
This will place the properly-formatted template into the file snyk_iac_template in your current working directory.
Rename the file with a .tf extension (Terraform) or .yaml (CloudFormation).

Transform the content manually

Copy the contents of data.attributes.data from the API response, excluding the double quote at the very beginning and the very end of the value. You should end up with a long string starting with data \"aws_iam_policy_document\" (Terraform) or AWSTemplateFormatVersion (CloudFormation).
Paste the string into a tool such as FreeFormatter.com to unescape the JSON.
Save the unescaped output as a new .tf file (Terraform) or .yaml file (CloudFormation).

Optional: Change IAM role name

By default, the name of the Snyk IAM role is snyk-cloud-role. You can optionally change this name in the Terraform or CloudFormation template, if your organization has specific role naming requirements.

In Terraform, the role name is on line 19:

  name                = "snyk-cloud-role"

In CloudFormation, the role name is on line 7:

      RoleName: snyk-cloud-role

What's next?

The next step is to create the IAM role and policy for Snyk Cloud using the template you downloaded.

PreviousSnyk Cloud for AWS: API NextStep 2: Create the Snyk IAM role (API)

Last updated 2 years ago

Was this helpful?