Step 2: Create the Snyk IAM role
Recap: You have downloaded the Terraform or Amazon Web Services (AWS) CloudFormation template declaring the Identity and Access Management (IAM) role for Snyk. Now you need to provision the infrastructure.
The process to create the Snyk IAM role is the same whether you are using the Snyk Web UI or Snyk API to onboard your AWS account.
The IAM role you will provision has the following policies attached to it:
The AWS-managed SecurityAudit read-only policy.
A supplemental inline policy granting required read permissions not covered by SecurityAudit.
The role also has a trust policy that specifies an external ID. Snyk generates this unique ID for your organization so that no other party can assume the role without presenting the ID, even if they know your role's Amazon Resource Name (ARN).
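To show why the external ID matters, here is an added example (not Snyk's template or code) that builds a trust policy of the kind described above and runs a simplified IAM-style evaluation of sts:AssumeRole requests against it. The trusted account ID and external ID are constructed placeholders; the real values come from the template Snyk generates for your organization.

```python
"""Added example: how the external-ID condition in a role trust policy
blocks AssumeRole callers that know the role ARN but not the ID.

All identifiers below are constructed placeholders, not Snyk's values.
"""
from typing import Optional

TRUSTED_ACCOUNT_ID = "111111111111"        # placeholder, not Snyk's real account
EXTERNAL_ID = "example-external-id-0000"   # placeholder, Snyk generates yours


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy shape used for cross-account roles protected by an external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def assume_role_allowed(trust_policy: dict, caller_account_id: str,
                        external_id: Optional[str]) -> bool:
    """Simplified evaluation of the trust policy for one sts:AssumeRole call.

    Mirrors the parts of IAM evaluation that matter here: the caller's account
    must match the statement Principal, and every StringEquals condition key
    must match the request context. A request that omits sts:ExternalId
    fails the condition, which is what closes the confused-deputy gap.
    """
    request_context = {}
    if external_id is not None:
        request_context["sts:ExternalId"] = external_id

    for statement in trust_policy["Statement"]:
        if statement["Effect"] != "Allow":
            continue
        actions = statement["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions:
            continue
        principal = statement["Principal"].get("AWS", "")
        if principal != f"arn:aws:iam::{caller_account_id}:root":
            continue
        conditions = statement.get("Condition", {}).get("StringEquals", {})
        # Every condition key must be present in the request and equal.
        if all(request_context.get(key) == value for key, value in conditions.items()):
            return True
    return False


if __name__ == "__main__":
    policy = build_trust_policy(TRUSTED_ACCOUNT_ID, EXTERNAL_ID)
    print("trusted account, right ID :", assume_role_allowed(policy, TRUSTED_ACCOUNT_ID, EXTERNAL_ID))
    print("trusted account, wrong ID :", assume_role_allowed(policy, TRUSTED_ACCOUNT_ID, "guess"))
    print("trusted account, no ID    :", assume_role_allowed(policy, TRUSTED_ACCOUNT_ID, None))
    print("other account, right ID   :", assume_role_allowed(policy, "222222222222", EXTERNAL_ID))
```

Only the first case succeeds: knowing the role ARN, or even being the trusted account, is not enough without the external ID, and the ID alone does not help a caller outside the trusted account. Keep the ID out of shared tickets and chat, and treat the template as the single place it should live.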
Create the IAM role with Terraform or CloudFormation
You can create the IAM role using one of the following tools, according to the type of template you downloaded from Snyk:
Terraform: Terraform CLI
AWS CloudFormation: AWS CLI or AWS Management Console
Create the IAM role with Terraform
Before you use the Terraform CLI, ensure you configure it to use your AWS credentials.
1. In your terminal, navigate to the directory containing the Snyk IAM role Terraform file (named snyk-permissions-aws.tf if it has been downloaded from the Snyk Web UI).
2. Using the Terraform CLI, initialize the Terraform project:
3. Review and apply the Terraform plan:
4. Enter yes when Terraform asks if you want to perform the actions.
Terraform then creates the IAM role. When the role has been created, you will see the following output:
Create the IAM role with AWS CLI
Before you use the AWS CLI, ensure you configure it to use your AWS credentials.
1. In your terminal, navigate to the directory containing the Snyk IAM role CloudFormation file (named snyk-permissions-aws.yml if it has been downloaded from the Snyk Web UI).
2. Using the AWS CLI, launch the CloudFormation stack, replacing snyk-cloud-role with the name of your IAM role if you changed it, and snyk-permissions-aws.yml with the name of your file:
3. AWS then creates the IAM role. This typically takes about a minute. To check whether it is finished, get the stack status, replacing snyk-cloud-role with the name of your IAM role:
If the output says "CREATE_COMPLETE", AWS has finished creating your role.
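When the CLI route is scripted, checking only for the literal CREATE_COMPLETE can loop forever on a stack that failed and rolled back. As an added example (not part of Snyk's documentation or template), the code below interprets the JSON that the describe-stacks call returns, distinguishes in-progress, complete and failed states, and polls with a bounded number of attempts. The describe-stacks documents are constructed samples, not real captures; the stack name snyk-cloud-role is the one used in the steps above.

```python
"""Added example: classify and poll CloudFormation stack status from the
JSON returned by `aws cloudformation describe-stacks`.

The sample documents are constructed to match the shape of describe-stacks
output; they are not real captures.
"""
import json
import time
from typing import Callable, Tuple

# Stack states that mean creation is finished, one way or the other.
SUCCESS_STATES = {"CREATE_COMPLETE"}
FAILURE_STATES = {"CREATE_FAILED", "ROLLBACK_IN_PROGRESS",
                  "ROLLBACK_COMPLETE", "ROLLBACK_FAILED"}

# Constructed samples in the shape of describe-stacks output.
SAMPLE_IN_PROGRESS = json.dumps({"Stacks": [
    {"StackName": "snyk-cloud-role", "StackStatus": "CREATE_IN_PROGRESS"}]})
SAMPLE_COMPLETE = json.dumps({"Stacks": [
    {"StackName": "snyk-cloud-role", "StackStatus": "CREATE_COMPLETE"}]})
SAMPLE_ROLLED_BACK = json.dumps({"Stacks": [
    {"StackName": "snyk-cloud-role", "StackStatus": "ROLLBACK_COMPLETE",
     "StackStatusReason": "constructed sample: resource creation failed"}]})


def classify_stack(describe_stacks_json: str, stack_name: str) -> Tuple[str, str]:
    """Return (outcome, raw StackStatus) for the named stack.

    outcome is one of "complete", "failed", "in_progress" or "unexpected".
    Failure states are checked first because ROLLBACK_IN_PROGRESS also ends
    in _IN_PROGRESS but means the create has already failed.
    """
    doc = json.loads(describe_stacks_json)
    for stack in doc.get("Stacks", []):
        if stack.get("StackName") != stack_name:
            continue
        status = stack["StackStatus"]
        if status in SUCCESS_STATES:
            return "complete", status
        if status in FAILURE_STATES:
            return "failed", status
        if status.endswith("_IN_PROGRESS"):
            return "in_progress", status
        return "unexpected", status
    raise LookupError(f"stack {stack_name!r} not present in describe-stacks output")


def wait_for_stack(fetch: Callable[[], str], stack_name: str, attempts: int = 20,
                   interval: float = 5.0, sleep: Callable[[float], None] = time.sleep
                   ) -> Tuple[str, str]:
    """Poll `fetch` (which returns describe-stacks JSON) until the stack leaves
    an in-progress state or the attempt budget runs out ("timeout")."""
    status = ""
    for _ in range(attempts):
        outcome, status = classify_stack(fetch(), stack_name)
        if outcome != "in_progress":
            return outcome, status
        sleep(interval)
    return "timeout", status


if __name__ == "__main__":
    # Simulate two in-progress polls followed by success, with no real sleeping.
    responses = iter([SAMPLE_IN_PROGRESS, SAMPLE_IN_PROGRESS, SAMPLE_COMPLETE])
    print(wait_for_stack(responses.__next__, "snyk-cloud-role", attempts=5, interval=0))
    print(classify_stack(SAMPLE_ROLLED_BACK, "snyk-cloud-role"))
```

In practice `fetch` would run the describe-stacks command from step 3 and return its stdout; the injectable `sleep` keeps the polling logic testable without waiting. A "failed" or "unexpected" outcome is the cue to read StackStatusReason and the stack events rather than retrying.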
Create the IAM role using the AWS Management Console
1. Log in to the AWS Management Console.
2. Navigate to CloudFormation.
3. Select the Create stack button:
4. Select With new resources (standard) from the drop-down menu.
5. On the Create stack page, in the Specify template section, select Upload a template file.
6. Click the Choose file button that appears and select your CloudFormation file containing the Snyk IAM role.
7. Select Next.
8. On the Specify stack details page, in the Stack name section, enter a stack name, such as snyk-cloud-role.
9. Select Next.
10. On the Configure stack options page, enter tags if desired and keep the rest of the defaults.
11. Select Next.
12. On the Review page, in the Capabilities section at the bottom, check the box I acknowledge that AWS CloudFormation might create IAM resources with custom names.
13. Select Create stack.
14. AWS launches the stack, and you'll see a page with stack details. You can select the Refresh button to refresh its status:
If the Status column says CREATE_COMPLETE, AWS has finished creating the IAM role.
What's next?
The next step is to create and scan the Cloud Environment. See Step 3: create and scan a Cloud Environment (Web UI).