Configure AWS IAM for Jira automation

AWS Identity and Access Management (IAM) is the mechanism AWS provides for managing permissions and resource access. It's very powerful and can be used to create fine-grained policies for any AWS resource.

Atlassian Automation uses IAM-based integrations for connecting to any non-SNS resource.

To do this you will need to:

  1. Create a new AWS IAM role to use with Atlassian Automation

  2. Grant the Atlassian Automation AWS account access to the role using a trust policy

  3. Set up the required permissions on the role so that it can perform the actions you need

  4. Connect to the IAM role

This grants the Atlassian Automation account the ability to assume the role, and with it everything the role is allowed to do. Restrict the role's permissions to the minimum set your rules actually need.

1. Create a new IAM role

Atlassian Automation requires that your role has a name beginning with atlassian-automation-, so unless you already have a role set up for Atlassian Automation you'll need to create a new one.

  1. Sign into AWS Console.

  2. Choose Roles from the navigation menu.

  3. Choose Create role.

  4. Select Other AWS Account.

  5. Enter the Atlassian Automation AWS account ID: 815843069303.

  6. Select Require external ID and enter an ID to use.

    • This increases the security of your connection and is considered best practice.

    • The ID isn't a secret, but it should be unguessable: it is what stops someone else who knows your role ARN from pointing their own automation at your role (the confused deputy problem). We recommend you generate one using a password manager or similar.

    • Alternatively, you can set this up later using an ID that we can generate for you.

  7. Click Next.

  8. If you know the permissions you need to apply you can do that now. Otherwise, click Next.

  9. Enter a Role name and Description. The role name must begin with atlassian-automation-.

  10. Review your configuration, and then select Create role.

2. Set up a trust policy to grant access to the Atlassian Automation AWS account

If you didn’t follow the steps in the previous section (e.g. if you’re creating a role through CloudFormation or similar) you’ll need to ensure that your role allows the Atlassian Automation AWS Account to use it. Do this by specifying a trust policy that grants sts:AssumeRole to the AWS account ID 815843069303.

Your trust policy will look something like:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "815843069303"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<<your-external-id>>"
        }
      }
    }
  ]
}
```

This policy can be read as "Allow the AWS account with ID 815843069303 to AssumeRole into this role, but only if it supplies an ExternalId that matches <<your-external-id>>."

The most important parts of the policy are:

  • The Effect is Allow

  • The Principal is the Atlassian Automation AWS account ID 815843069303

  • The Action is sts:AssumeRole; and

  • The Condition specifies the sts:ExternalId parameter must equal some string you have chosen
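The following is an added example (not Atlassian's or AWS's code) that builds the trust policy described above from an external ID and then checks it against the four points in the list: exactly one principal (the account ID from this guide), only sts:AssumeRole, and a present, non-trivial sts:ExternalId condition. It also checks the atlassian-automation- name prefix. The external ID it generates is a placeholder you would store alongside the rule; the 64-character limit is IAM's role-name limit.

```python
"""Build and sanity-check the trust policy for an Atlassian Automation IAM role.

Added example, not code from the guide. Uses the account ID and role-name
prefix stated in the guide; everything else is a constructed placeholder.
"""
import json
import secrets

ATLASSIAN_AUTOMATION_ACCOUNT_ID = "815843069303"  # from the guide
ROLE_NAME_PREFIX = "atlassian-automation-"         # required by Atlassian Automation
ROOT_PRINCIPAL_ARN = f"arn:aws:iam::{ATLASSIAN_AUTOMATION_ACCOUNT_ID}:root"


def generate_external_id(nbytes: int = 24) -> str:
    """Random, URL-safe external ID. Not a secret, but unguessable, which is what
    prevents another party who knows the role ARN from assuming the role."""
    return secrets.token_urlsafe(nbytes)


def build_trust_policy(external_id: str) -> dict:
    """Trust policy equivalent to the one shown above, with the ExternalId condition."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": ATLASSIAN_AUTOMATION_ACCOUNT_ID},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def check_trust_policy(policy: dict) -> list:
    """Return a list of problems; an empty list means the policy grants exactly what the guide asks for."""
    problems = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    allow = [s for s in statements if s.get("Effect") == "Allow"]
    if not allow:
        problems.append("no Allow statement")
    for s in allow:
        principal = s.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        principals = aws if isinstance(aws, list) else [aws]
        # Accept the bare account ID or its root-principal ARN form; reject "*" and any other account.
        for p in principals:
            if p not in (ATLASSIAN_AUTOMATION_ACCOUNT_ID, ROOT_PRINCIPAL_ARN):
                problems.append(f"unexpected principal {p!r}")
        actions = s.get("Action", [])
        for a in (actions if isinstance(actions, list) else [actions]):
            if a != "sts:AssumeRole":
                problems.append(f"unexpected action {a!r}")
        ext = s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext or len(ext) < 8:
            problems.append("missing or short sts:ExternalId condition")
    return problems


def check_role_name(name: str) -> bool:
    """Atlassian's required prefix plus IAM's 64-character role-name limit."""
    return name.startswith(ROLE_NAME_PREFIX) and len(name) <= 64


if __name__ == "__main__":
    ext = generate_external_id()
    policy = build_trust_policy(ext)
    print(json.dumps(policy, indent=2))
    print("problems:", check_trust_policy(policy))
    print("role name ok:", check_role_name("atlassian-automation-jira"))
```

Feed the JSON printed by build_trust_policy to the console, CloudFormation or the AWS CLI's create-role; run check_trust_policy over a policy you did not write yourself before attaching it, since a missing Condition block or a "*" principal is silently accepted by IAM.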

3. Set up the required permissions for the actions you are using in your rule

The permissions your role needs depend on which actions you use in your automation rule. The general approach is to add them to the role as an inline policy (an identity-based permissions policy attached directly to the role).

We suggest inline policies here for ease of setup, but managed policies work just as well if you prefer them.

It is important to define the minimum set of permissions that will allow your rules to execute.

Permissions required to send messages to SNS topic

Action: sns:Publish
Resource: SNS topic ARN

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "allowpublish",
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-west-1:111111111111:automation-rule-topic"
    }
  ]
}
```

Permissions required to run SSM documents

To fetch AWS regions

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeRegions"
      ],
      "Resource": "*"
    }
  ]
}
```

To fetch and run SSM documents

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ssm:ListDocuments",
        "ssm:GetDocument",
        "ssm:StartAutomationExecution"
      ],
      "Resource": "*"
    }
  ]
}
```

ssm:ListDocuments and ec2:DescribeRegions only work with Resource "*", but ssm:GetDocument and ssm:StartAutomationExecution accept document ARNs, so you can narrow them to the specific documents your rules run.

To perform steps in the SSM document

Make sure you give the IAM role the permissions needed to perform every configured step of the SSM document. For example, if the SSM document is AWS-RestartEC2Instance, the required permissions would be:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:DescribeInstanceStatus"
      ],
      "Resource": "*"
    }
  ]
}
```

ec2:StartInstances and ec2:StopInstances accept instance ARNs, so restrict Resource to the instances the rule is allowed to restart; ec2:DescribeInstanceStatus has no resource-level permissions and must keep "*".
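The policies above use Resource "*" for convenience. The following added example (not code from the guide or from Atlassian) generates the same grants scoped to specific ARNs wherever the action supports resource-level permissions, and includes a small checker that flags statements that could be narrowed. The region, account ID, topic name, document name and instance IDs are constructed placeholders; the ARN shapes follow the SNS topic, SSM document, SSM automation-definition and EC2 instance resource types.

```python
"""Least-privilege inline policies for the Atlassian Automation role.

Added example, not code from the guide. Scopes each permission to a specific
ARN where the action supports it and flags the wildcard grants that the
convenience policies above use. All identifiers below are placeholders.
"""
import json

REGION = "us-west-1"
ACCOUNT = "111111111111"
TOPIC_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT}:automation-rule-topic"
SSM_DOCUMENT = "AWS-RestartEC2Instance"
INSTANCE_IDS = ["i-0123456789abcdef0", "i-0fedcba9876543210"]

# Actions that only accept Resource "*" because they have no resource-level permissions.
NO_RESOURCE_LEVEL = {"ec2:DescribeRegions", "ec2:DescribeInstanceStatus", "ssm:ListDocuments"}


def statement(sid, actions, resources):
    return {"Sid": sid, "Effect": "Allow", "Action": sorted(actions), "Resource": resources}


def sns_publish_policy(topic_arn):
    return {"Version": "2012-10-17", "Statement": [statement("allowpublish", ["sns:Publish"], topic_arn)]}


def instance_arns(region, account, instance_ids):
    return [f"arn:aws:ec2:{region}:{account}:instance/{i}" for i in instance_ids]


def ssm_run_policy(region, document, instances):
    """Everything the AWS-RestartEC2Instance flow needs, scoped where AWS allows it."""
    # AWS-owned documents have an empty account field; $DEFAULT selects the default document version.
    document_arn = f"arn:aws:ssm:{region}::document/{document}"
    definition_arn = f"arn:aws:ssm:{region}::automation-definition/{document}:$DEFAULT"
    return {
        "Version": "2012-10-17",
        "Statement": [
            statement("listing", ["ec2:DescribeRegions", "ssm:ListDocuments", "ec2:DescribeInstanceStatus"], "*"),
            statement("fetchdocument", ["ssm:GetDocument"], document_arn),
            statement("startautomation", ["ssm:StartAutomationExecution"], definition_arn),
            statement("restartinstances", ["ec2:StartInstances", "ec2:StopInstances"], instances),
        ],
    }


def find_overbroad(policy):
    """Return (Sid, action) pairs that could be narrowed: wildcard actions, or
    Resource "*" on an action that supports resource-level permissions."""
    findings = []
    for s in policy["Statement"]:
        if s.get("Effect") != "Allow":
            continue
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        resources = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append((s.get("Sid"), a))
            elif "*" in resources and a not in NO_RESOURCE_LEVEL:
                findings.append((s.get("Sid"), a))
    return findings


def put_inline_policy(role_name, policy_name, policy):
    """Attach the policy to the role with boto3 (needs AWS credentials; not exercised offline)."""
    import boto3  # imported here so the rest of the module runs without it
    boto3.client("iam").put_role_policy(
        RoleName=role_name, PolicyName=policy_name, PolicyDocument=json.dumps(policy)
    )


if __name__ == "__main__":
    scoped = ssm_run_policy(REGION, SSM_DOCUMENT, instance_arns(REGION, ACCOUNT, INSTANCE_IDS))
    print(json.dumps(scoped, indent=2))
    # The convenience policy above grants the three SSM actions on Resource "*"; compare the two.
    convenience = {"Version": "2012-10-17", "Statement": [statement(
        "VisualEditor0", ["ssm:ListDocuments", "ssm:GetDocument", "ssm:StartAutomationExecution"], "*")]}
    print("scoped:", find_overbroad(scoped))
    print("convenience:", find_overbroad(convenience))
```

If you use your own SSM document rather than an AWS-owned one, put your account ID in the document and automation-definition ARNs. find_overbroad is a linting aid, not an authorisation check: it knows only the handful of list/describe actions named on this page, so extend NO_RESOURCE_LEVEL as you add actions.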

4. Connect to the IAM role

Once you have a role set up with the correct permissions, the final step is to connect to it in an automation rule.

  1. Navigate to Automation and select Create rule.

  2. Select a trigger for your rule.

  3. Select an AWS action.

  4. Click Connect.

  5. When prompted, enter the ARN of the role you wish to use. If your trust policy requires an external ID, you will also need to provide it.

  6. Click Save.
