To connect your Amazon Web Services (AWS) account with your LocalOps account, you must create a Connection in LocalOps.
A connection represents LocalOps's access to the target cloud account. All operations LocalOps performs on a target cloud account are done through its corresponding connection.
We create a new CloudFormation stack to represent our access. The stack creates a new OIDC identity provider and an IAM role, and attaches the permissions we need to access your AWS account. Read further below to see how this works.
Do not change any value on the “Create stack” screen inside AWS (if your customer is running the setup, ask them not to either). Each value identifies your account and connection, and changing it will break the setup.
Once stack creation is complete, return to the LocalOps connections page; the connection will show as Active.
We create a CloudFormation stack in the target AWS account that creates a new OIDC identity provider and an IAM role, and attaches the necessary permissions. Read further below to see how this works.
If you deploy your app(s) in your customer's cloud environment, we recommend asking your customer to create a brand new AWS sub-account to connect with LocalOps. This isolates LocalOps-managed resources from whatever else they run in their existing AWS account. Resources/services in any two AWS accounts can be connected later via VPC peering, when required.
If you have a pre-existing AWS Organization, follow these instructions to create a new AWS sub-account. If not, sign up for a new AWS account here - AWS Signup.
LocalOps connects to the target AWS account through the keyless, role-based method AWS recommends: OIDC federation into an IAM role (sts:AssumeRoleWithWebIdentity). This is secure because no long-term access keys are generated or stored. Every access uses short-lived credentials that AWS STS issues to LocalOps at the moment of access, each and every time.
For this to work, the target account needs an IAM OIDC identity provider that trusts LocalOps, and an IAM role that this provider is allowed to assume, with the required permissions attached.
The CloudFormation stack created in the steps outlined in the “Create a new connection” section sets up both of these, establishing the connection with your AWS account.
LocalOps requires administrator access in the AWS account you connect. This is set up automatically when you follow the 1-click setup process outlined above.
If you need LocalOps to work with fewer permissions, contact us at help@localops.co to discuss next steps. You may have to set up LocalOps in your cloud manually with a specific set of permissions; we don't see this as future-proof, since we continuously expand our automation capabilities at LocalOps.
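To make the mechanism above concrete, here is an added example (not LocalOps's own stack or code): a CloudFormation-style template with the two resources described, an IAM OIDC identity provider and an IAM role that only that provider can assume, plus a small evaluator showing which web-identity tokens the role's trust policy would accept. The issuer URL, audience and subject values are placeholders; LocalOps's real values are not given on this page, and the template's role is granted the same AdministratorAccess managed policy the text describes.

```python
"""Added example, not LocalOps's stack: an OIDC provider + IAM role template and an
evaluator for its trust policy. Issuer, audience and subject are placeholders."""
import fnmatch

ISSUER = "https://oidc.localops.invalid"    # assumed issuer (placeholder)
AUDIENCE = "localops"                        # assumed audience claim (placeholder)
CONNECTION_SUB = "connection:conn-0001"      # assumed subject claim (placeholder)
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def build_template(issuer=ISSUER, audience=AUDIENCE, subject=CONNECTION_SUB):
    """Template creating the OIDC provider and a role only that provider can assume."""
    host = issuer.removeprefix("https://")
    trust = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": {"Ref": "LocalOpsOidcProvider"}},
            "Action": "sts:AssumeRoleWithWebIdentity",
            # Without these conditions, any token from the issuer could assume the role.
            "Condition": {"StringEquals": {f"{host}:aud": audience, f"{host}:sub": subject}},
        }],
    }
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "LocalOpsOidcProvider": {
                "Type": "AWS::IAM::OIDCProvider",
                "Properties": {
                    "Url": issuer,
                    "ClientIdList": [audience],
                    "ThumbprintList": ["0" * 40],  # placeholder for the issuer's CA thumbprint
                },
            },
            "LocalOpsRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {"AssumeRolePolicyDocument": trust, "ManagedPolicyArns": [ADMIN_POLICY]},
            },
        },
    }


def _claim_for(key, host, claims):
    """Map a condition key such as 'host:sub' to the matching token claim (string aud assumed)."""
    prefix = host + ":"
    return claims.get(key[len(prefix):]) if key.startswith(prefix) else None


def _conditions_match(condition, host, claims):
    """Evaluate StringEquals/StringLike conditions; unknown operators fail closed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = _claim_for(key, host, claims)
            if actual is None or operator not in ("StringEquals", "StringLike"):
                return False
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringLike" and not fnmatch.fnmatchcase(actual, expected):
                return False
    return True


def token_accepted(template, claims):
    """Would STS let a token with these claims assume LocalOpsRole under this template?"""
    res = template["Resources"]
    provider = res["LocalOpsOidcProvider"]["Properties"]
    host = provider["Url"].removeprefix("https://")
    if claims.get("iss", "").removeprefix("https://") != host:
        return False  # issued by someone other than the registered provider
    if claims.get("aud") not in provider["ClientIdList"]:
        return False  # the provider only registers the listed client IDs
    doc = res["LocalOpsRole"]["Properties"]["AssumeRolePolicyDocument"]
    return any(
        stmt["Effect"] == "Allow"
        and stmt["Action"] == "sts:AssumeRoleWithWebIdentity"
        and _conditions_match(stmt.get("Condition", {}), host, claims)
        for stmt in doc["Statement"]
    )


def trust_policy_findings(template):
    """Check a practitioner can run on the role: does the trust policy pin aud and sub?"""
    res = template["Resources"]
    host = res["LocalOpsOidcProvider"]["Properties"]["Url"].removeprefix("https://")
    findings = []
    for stmt in res["LocalOpsRole"]["Properties"]["AssumeRolePolicyDocument"]["Statement"]:
        keys = {k for op in stmt.get("Condition", {}).values() for k in op}
        if f"{host}:aud" not in keys:
            findings.append("trust policy does not pin the audience claim")
        if f"{host}:sub" not in keys:
            findings.append("trust policy does not pin the subject claim")
    return findings
```

Against a real account, the same check is made by fetching the role with `aws iam get-role --role-name <name>` and inspecting `AssumeRolePolicyDocument`: the `Condition` block should pin both the `aud` and the `sub` claim, so that only tokens minted for your specific connection can obtain credentials, and those credentials are the short-lived ones STS hands out rather than stored keys.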
After connecting the AWS account, DO NOT:
Remove/modify the CloudFormation stack. It holds the OIDC provider, IAM policy and IAM role that keep the cloud connection alive.
Remove/modify the IAM role or policy. Again, changes here will break the connection LocalOps has with the target AWS account.
You can sign in to LocalOps and delete a connection any time.
When you delete a connection, we permanently delete all credentials we hold for that specific cloud account. In addition, you can ensure a full disconnect by deleting the CloudFormation stack we created earlier when setting up the connection.
To delete the CloudFormation stack in the target AWS account, delete the stack named Ops-.. (this is the stack we created earlier). This will in turn delete all AWS resources created by the CloudFormation stack, including the IAM role, IAM policy and the OIDC provider we used earlier to access your AWS account.