AWS Identity and Access Management (IAM) is the mechanism AWS provides for managing permissions and resource access. It's very powerful and can be used to create fine-grained policies for any AWS resource.
Atlassian Automation uses IAM-based integrations for connecting to any non-SNS resource.
To do this you will need to:
Create a new AWS IAM role to use with Atlassian Automation
Grant the Atlassian Automation AWS account access to the role using a trust policy
Set up the required permissions on the role so that it can perform the actions you need
Connect to the IAM role
Connecting grants the Atlassian Automation account the ability to assume the role, and with it every permission the role carries. Restrict the role's permissions to the minimum set needed to execute your rules; anything broader is exposed to any automation rule that can assume the role.
Atlassian Automation requires that your role has a name that begins with atlassian-automation-, so unless you already have a role set up for Atlassian Automation you'll need to create a new one.
Sign into the AWS Console.
Choose Roles from the navigation menu.
Choose Create role.
Select Other AWS Account.
Enter the Atlassian Automation AWS account ID: 815843069303.
Select Require external ID and enter an ID to use.
This is the standard mitigation for the confused-deputy problem with cross-account roles: Atlassian Automation can only assume the role when it presents the ID written into the trust policy, so knowing your role ARN alone is not enough to use it. Setting one is considered best practice.
The ID isn't secret, but we recommend you generate one using a password manager or similar.
Alternatively, you can set this up later using an ID that we can generate for you.
Click Next.
If you know the permissions you need to apply you can do that now. Otherwise, click Next.
Enter a Role name and Description. The role name must begin with atlassian-automation-.
Review your configuration, and then select Create role.
If you didn’t follow the steps in the previous section (e.g. if you’re creating a role through CloudFormation or similar) you’ll need to ensure that your role allows the Atlassian Automation AWS Account to use it. Do this by specifying a trust policy that grants sts:AssumeRole to the AWS account ID 815843069303.
Your trust policy will look something like:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "815843069303"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<<your-external-id>>"
        }
      }
    }
  ]
}
This policy can be read as "Allow the AWS account with ID 815843069303 to AssumeRole into this role, but only if it supplies an ExternalId that matches <<your-external-id>>."
The most important parts of the policy are:
The Effect is Allow
The Principal is the Atlassian Automation AWS account ID 815843069303
The Action is sts:AssumeRole; and
The Condition specifies the sts:ExternalId parameter must equal some string you have chosen
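As an added check, not part of Atlassian's documentation or tooling, the following Python script tests a trust policy document against the four requirements above plus the role-name rule and reports what is wrong. The account ID and the atlassian-automation- prefix come from this page; the sample policies and the external ID value are constructed for the example. It accepts the Principal either as a bare account ID, as on this page, or as the arn:aws:iam::<account>:root form the console rewrites it to.

```python
"""Added example (not Atlassian's code): verify a trust policy for an
Atlassian Automation role before attaching it. Standard library only."""
import json

ATLASSIAN_AUTOMATION_ACCOUNT = "815843069303"   # account ID from the page
ROLE_NAME_PREFIX = "atlassian-automation-"      # required name prefix from the page


def _as_list(value):
    """IAM accepts a string or a list of strings in Statement/Action/ExternalId."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Return the set of account IDs a Principal block names ('*' for a wildcard).
    Handles both "815843069303" and "arn:aws:iam::815843069303:root"."""
    if principal == "*":
        return {"*"}
    if not isinstance(principal, dict):
        return set()
    accounts = set()
    for entry in _as_list(principal.get("AWS")):
        if entry == "*":
            accounts.add("*")
        elif entry.startswith("arn:aws:iam::"):
            accounts.add(entry.split(":")[4])   # account ID is the 5th ARN field
        else:
            accounts.add(entry)
    return accounts


def check_trust_policy(policy_json, role_name, expected_external_id):
    """Return a list of findings; an empty list means the policy meets the requirements."""
    findings = []
    if not role_name.startswith(ROLE_NAME_PREFIX):
        findings.append(f"role name must begin with {ROLE_NAME_PREFIX}")
    policy = json.loads(policy_json)
    assume_statements = [
        s for s in _as_list(policy.get("Statement"))
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))
    ]
    if not assume_statements:
        findings.append("no Allow statement for sts:AssumeRole")
    for stmt in assume_statements:
        accounts = _principal_accounts(stmt.get("Principal", {}))
        if "*" in accounts:
            findings.append("Principal is a wildcard: any AWS account could assume the role")
        elif accounts != {ATLASSIAN_AUTOMATION_ACCOUNT}:
            findings.append(f"Principal must be only account {ATLASSIAN_AUTOMATION_ACCOUNT}, got {sorted(accounts)}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        external_ids = _as_list(condition.get("sts:ExternalId"))
        if not external_ids:
            findings.append("no sts:ExternalId condition: the role is open to the confused-deputy problem")
        elif expected_external_id not in external_ids:
            findings.append("sts:ExternalId does not match the ID you will enter in the automation rule")
    return findings


# Constructed sample policies for the example (not from a real account).
GOOD_TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "815843069303"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "c9f1-example-external-id"}}
  }]
}"""

# Trusts every AWS account and has no external ID: never attach this to a role.
WEAK_TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "sts:AssumeRole"
  }]
}"""

if __name__ == "__main__":
    for name, doc in (("good", GOOD_TRUST_POLICY), ("weak", WEAK_TRUST_POLICY)):
        print(name, check_trust_policy(doc, "atlassian-automation-jira", "c9f1-example-external-id"))
```

Run it against the trust policy you are about to save, with the role name and the external ID you will type into the automation rule; any finding means the connection will either fail or be broader than intended.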
The permissions your role needs depend on which AWS actions your automation rule uses. The general approach is to add them to the role as an inline policy (an identity-based policy attached directly to the role).
We suggest inline policies here for ease of setup, but managed policies work just as well if you prefer them.
Define the minimum set of permissions that lets your rules execute: name the exact actions, and scope the Resource to specific ARNs wherever the action supports it.
Publishing to an SNS topic requires:
Action: sns:Publish
Resource: the SNS topic ARN
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "allowpublish",
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-west-1:111111111111:automation-rule-topic"
    }
  ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeRegions"
      ],
      "Resource": "*"
    }
  ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ssm:ListDocuments",
        "ssm:GetDocument",
        "ssm:StartAutomationExecution"
      ],
      "Resource": "*"
    }
  ]
}
Make sure you also give the IAM role the permissions needed to perform every configured step of the SSM document itself, since the automation runs those steps under this role. For example, if the SSM document is AWS-RestartEC2Instance, the role additionally requires:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:DescribeInstanceStatus"
      ],
      "Resource": "*"
    }
  ]
}
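The examples above use Resource "*" throughout, but ec2:StartInstances, ec2:StopInstances, ssm:GetDocument and ssm:StartAutomationExecution all support resource-level permissions and can be limited to specific ARNs, while the Describe and List actions cannot and must keep "*". The following Python script, added here and not part of Atlassian's documentation, flags actions granted on Resource "*" that could be scoped, and rewrites such a statement into two: one keeping "*" for the actions that need it, one restricted to the ARNs you pass in. The set of actions without resource-level support and the instance ARN are assumptions for the example; confirm them for your own actions in the IAM service authorization reference.

```python
"""Added example (not Atlassian's code): least-privilege review and
tightening of the inline permissions policies shown above. Standard library only."""
import json

# Assumption for this example: actions used on this page that do not support
# resource-level permissions and therefore must be granted on Resource "*".
NO_RESOURCE_LEVEL = {
    "ec2:DescribeRegions",
    "ec2:DescribeInstanceStatus",
    "ssm:ListDocuments",
}


def _as_list(value):
    """IAM accepts a string or a list of strings in Statement/Action/Resource."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def load_statements(policy_json):
    """Parse a policy document and return its Statement entries as a list."""
    return _as_list(json.loads(policy_json).get("Statement"))


def find_scope_gaps(policy_json):
    """Return human-readable findings for over-broad grants in a permissions policy."""
    findings = []
    for stmt in load_statements(policy_json):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows everything except the listed items")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}; list only the actions the rule needs")
            elif "*" in resources and action not in NO_RESOURCE_LEVEL:
                findings.append(f'{sid}: {action} is granted on Resource "*"; scope it to specific ARNs')
    return findings


def split_and_scope(policy_json, resource_arns):
    """Rewrite each Allow statement on Resource "*": actions that require "*" stay in one
    statement, every other action moves to a second statement limited to resource_arns."""
    policy = json.loads(policy_json)
    statements = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            statements.append(stmt)
            continue
        actions = _as_list(stmt.get("Action"))
        keep_star = [a for a in actions if a in NO_RESOURCE_LEVEL]
        scope = [a for a in actions if a not in NO_RESOURCE_LEVEL]
        base = {k: v for k, v in stmt.items() if k not in ("Sid", "Action", "Resource")}
        sid = stmt.get("Sid", "Stmt")
        if keep_star:
            statements.append({"Sid": sid + "Wildcard", **base, "Action": keep_star, "Resource": "*"})
        if scope:
            statements.append({"Sid": sid + "Scoped", **base, "Action": scope, "Resource": list(resource_arns)})
    return json.dumps({**policy, "Statement": statements}, indent=2)


# The AWS-RestartEC2Instance policy from the page, reproduced as input.
RESTART_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:DescribeInstanceStatus"],
    "Resource": "*"
  }]
}"""

# Constructed instance ARN for the example; substitute the instance(s) your rule restarts.
INSTANCE_ARN = "arn:aws:ec2:us-west-1:111111111111:instance/i-0123456789abcdef0"

if __name__ == "__main__":
    for finding in find_scope_gaps(RESTART_POLICY):
        print("finding:", finding)
    print(split_and_scope(RESTART_POLICY, [INSTANCE_ARN]))
```

Splitting the statement matters: if you simply replaced "*" with the instance ARN, ec2:DescribeInstanceStatus would be denied and the SSM automation would fail at its status-check step, so the Describe action has to stay on "*" in its own statement.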
Once you have a role set up with the correct trust policy and permissions, the final step is to connect to it from an automation rule.
Navigate to Automation and select Create rule.
Select a trigger for your rule.
Select an AWS action.
Click Connect.
When prompted, enter the ARN of the role you wish to use. If you are using an External ID you will also need to provide it.
Click Save.