Amazon Web Services

Learn how to set up AWS IAM role integration in Torq: Copy IDs, create the role manually or with CFT, etc.

Updated over 6 months ago

The AWS integration uses an AWS IAM role that you define in your AWS IAM configuration to take actions in Torq as an approved user for the assets and APIs provided by the Amazon Web Services platform. AWS integrations are used for AWS and AWS S3 steps in Torq workflows.

Get IDs in Torq

To create an IAM role in AWS, you'll need the Torq Account ID and the AWS External ID, which you'll copy from the AWS integration card in Torq. At this point, you're only copying those IDs; you're not creating the AWS integration in Torq.

  1. Go to the Integrations page and locate the AWS card.

  2. Click Add.

  3. Copy the Torq Account ID. You'll need this when you create the IAM role in AWS.

  4. Copy the AWS External ID. You'll need this when you create the IAM role in AWS.

Create an IAM Role in AWS

There are two ways to create an IAM role in AWS: manually (following the steps below) or using a CloudFormation Template (CFT).

  1. Sign in to the AWS Management Console and access IAM.

  2. Select Roles > Create role.

  3. Define the new role.

    1. Under Select type of trusted entity, select Another AWS account.

    2. In the Account ID field enter the Torq Account ID you copied in the previous step.

    3. Select the checkbox Required external ID.

    4. In the External ID field enter the AWS External ID you copied in the previous step.

      Screenshot showing how to add a new IAM role in AWS.
  4. Click Next: Permissions.

  5. Create a policy (set of AWS permissions) to assign to the user, group, or role that can use AWS services in Torq steps. You'll get an error if the policy doesn't grant the permissions required to run a specific step.

  6. Click Next: Tags.

  7. Enter tags as needed and click Next: Review.

  8. Enter a meaningful name for the policy and click Create policy.

    1. The name must be unique in your AWS account.

    2. Policy names are case-insensitive.

    3. Policy names can't be changed after the policy is created.

  9. Go back to the previous tab for the Create role page and click the console's refresh button.

  10. Filter by the policy name you created, select the checkbox next to the policy and click Next: Review.

  11. On the Create Role - Review page, enter a role name.

  12. Review the role details and click Create role.

  13. After you're redirected to the IAM > Roles console, enter the name of the role you created and then select the role.

  14. Copy the Role ARN. You'll need this when you create the AWS integration in Torq.
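
Once the role exists, its trust policy can be checked against what the manual steps configure: only the Torq account as principal, and the external ID as a required condition. The following is an added example, not Torq's or AWS's own code; the function name `audit_trust_policy`, the account ID and the external ID are constructed placeholders. It takes the trust policy JSON (the `AssumeRolePolicyDocument` that `aws iam get-role` returns) as input.

```python
import json

# Constructed placeholders: use the IDs copied from the AWS card in Torq.
TORQ_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "constructed-external-id"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, account_id, external_id):
    """Return findings for a role trust policy; an empty list means it
    trusts only the given account and requires the given external ID."""
    trusted = {account_id, f"arn:aws:iam::{account_id}:root"}
    statements = [s for s in _as_list(policy.get("Statement", []))
                  if s.get("Effect") == "Allow"
                  and "sts:AssumeRole" in _as_list(s.get("Action", []))]
    if not statements:
        return ["no Allow statement for sts:AssumeRole"]
    findings = []
    for i, stmt in enumerate(statements):
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        unexpected = [p for p in aws if p not in trusted]
        if unexpected or not aws:
            findings.append(f"statement {i}: unexpected principal {unexpected}")
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        # Condition keys are case-insensitive in IAM.
        ids = [v for k, v in string_equals.items() if k.lower() == "sts:externalid"]
        if not ids:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif _as_list(ids[0]) != [external_id]:
            findings.append(f"statement {i}: external ID does not match")
    return findings

# Constructed sample: the shape the console writes for "Another AWS account"
# with the external ID checkbox selected.
GOOD = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}}}]}""")
# Constructed weak variant: external ID checkbox left unselected.
NO_EXTERNAL_ID = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                 "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("NO_EXTERNAL_ID", NO_EXTERNAL_ID)):
        print(name, audit_trust_policy(doc, TORQ_ACCOUNT_ID, EXTERNAL_ID) or "ok")
```

An empty result means the role can only be assumed from the Torq account when the expected external ID is presented; any finding indicates the trust policy is broader than the steps above intend.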

Create an IAM Role in AWS Using a CFT

The role name is required to create an AWS integration in Torq. The CloudFormation Template contains all necessary configurations. During this process, you'll have two browser tabs open, one for Torq and one for AWS.

  1. Log in to your AWS account.

  2. Go to CloudFormation > Stacks and create a new stack.

  3. In the Prerequisite - Prepare template section, select the Template is ready checkbox.

  4. In the Specify template section, select the Upload a template file checkbox.

  5. Click Next.

  6. Enter a meaningful name for the stack.

  7. In a new browser tab, log in to Torq.

  8. Go to Build > Integrations > AWS, and click Add. Keep this tab open. You'll copy and paste between the two.

  9. Copy the Torq Workspace ID and paste it into the TorqWorkspaceID field in AWS.

  10. Copy the AWS External ID and paste it into the AWSExternalID field in AWS.

  11. In AWS, for the Permission Type field, select EC2.

  12. Click Next until you reach the final page.

  13. Select the acknowledgment checkbox in the Capabilities section (shaded blue) and click Submit.

  14. Filter the stacks table by the status In progress. You should be able to see stack creation status.

  15. Refresh the Events table until the stack's status is CREATE_COMPLETE.

  16. Go to the Outputs tab and copy the RoleArn value. It will follow this pattern: arn:aws:iam:::role/.

  17. In Torq, paste the RoleArn value in the AWS Role Name field and click Add.

Create an AWS Integration in Torq

  1. Go to Build > Integrations > Steps > AWS, and click Add.

  2. Enter a meaningful name for the integration so you can identify it when calling it in a workflow.

  3. Enter the AWS Role ARN that you copied in the previous step. It should look like this: arn:aws:iam::123456789012:role/service-role/PerformMitigationOperations
