I'll do it myself

To manually connect your AWS Account using the “I’ll do it myself” method, you will need to:

  1. Log Into Your AWS Management Console
  2. In Open Raven, Go to Configuration and AWS Accounts and Add New Account
  3. Enter Your AWS Account ID
  4. Select “Create Manually” and click “Next”
  5. Choose “I'll do it myself”
  6. Go to Your AWS Management Console and Create a New Role
  7. Add Policies to the Role
  8. Add Tags (Optional)
  9. Ensure Role Name Matches Open Raven Org ID
  10. Create Role
  11. Add Inline Policies
  12. Validate the Connection on Open Raven

Let's get started.

Step 1. Log Into Your AWS Management Console

To add your AWS Account to Open Raven, you will first need to log into your AWS Management Console.

Step 2. In Open Raven, Go to Configuration and AWS Accounts and Add New Account

In a separate tab, log into your Open Raven account.

In the navigation menu on the left side of the page, click on "Configuration."

Then, select “AWS Accounts” from that same navigation menu.

Next, click on the blue “Add AWS Account” button to start connecting your account.

Step 3. Enter Your AWS Account ID

Enter your 12-digit AWS Account ID (which you’ll find in your AWS Management Console).

Do not make any changes to the Open Raven Org ID and External ID fields. Both are static values and should remain exactly as they are.

Step 4. Select “Create Manually” and Click “Next”

Next, click “Create Manually.”

Then, click on the blue “Next” button at the bottom of the page.

Step 5. Choose “I'll do it myself”

You will now see three options. Click on the “I’ll do it myself” option to customize and control how you roll out the required AWS IAM Role to your environment.

Step 6. Go to Your AWS Management Console and Create a New Role

Go to your AWS Management Console that you have already preloaded in another tab.

Under “AWS services,” click on “IAM.” You will be redirected to the “IAM dashboard.” In the navigation pane on the left, click “Roles” and then “Create role.”

On the “Create role” page, click “Another AWS account” (under “Select type of trusted entity”).

Then fill in the Account ID field with 230888199284. This is Open Raven’s SaaS account, and it is the same for every customer.

Next, enable “Require external ID” and fill in the External ID. You will find the External ID in the Open Raven tab you already have open.

Click “Next: Permissions” at the bottom of the page.

Step 7. Add Policies to the Role

Now you can attach policies to your new role. We will add the AWS-managed “ReadOnlyAccess” and “AWSLambdaVPCAccessExecutionRole” policies to the role.

Start by typing readonlyaccess into the search bar and look for the “ReadOnlyAccess” policy in the list. When you find it, select it.

Do the same for the second policy: type awslambdavpc into the search bar and look for “AWSLambdaVPCAccessExecutionRole.” When you find it, select it to add it to the role.

Click the “Next: Tags” button at the bottom of the page.

Step 8. Add Tags (Optional)

The “Add tags” section comes next.

If tags are important for your environment, go ahead and add them. If not, skip this section by clicking the “Next: Review” button at the bottom of the page.

Step 9. Ensure Role Name Matches Open Raven Org ID

You will now see the “Review” page.

The Role Name has to match a very specific pattern: openraven-cross-account- followed by your Open Raven Org ID (shown in the Open Raven tab you have open). In this example, the Role Name is openraven-cross-account-00g1l57odvwYD0QQ90h8.

Note: If the Role Name is incorrect, the trust policies WILL NOT work.

Step 10. Create Role

Click the “Create role” button.

Your role is now created, and you will be redirected to the Identity and Access Management (IAM) page on your AWS Management Console.

Step 11. Add Inline Policies

Click on the role you just created to see a summary of the role. Click “Add inline policy.”

On the “Create policy” page, switch to the JSON tab and paste in the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lambda:CreateFunction",
                "lambda:InvokeFunction",
                "lambda:GetFunction",
                "lambda:DeleteFunction"
            ],
            "Resource": [
                "arn:aws:lambda:*:729367951113:function:dmap-*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": "iam:PassRole",
            "Resource": [
                "arn:aws:iam::729367951113:role/openraven-cross-account-00g1l57odvwYD0QQ90h8"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Effect": "Deny",
            "NotResource": [
                "arn:aws:logs:*:*:*debug*"
            ]
        }
    ]
}

You will need to swap out some of the information in the above:

  • 729367951113 should be replaced with your AWS Account ID.
  • 00g1l57odvwYD0QQ90h8 should be replaced with your Open Raven Org ID.

Click the “Review policy” button.

In the “Review policy” page, give the policy a name, for example, “lambda-access.”

Click the “Create policy” button.

Now that the role has all the policies it needs, make sure that the principals that need to assume it are allowed to do so. To do that, click on “Trust relationships” and then the blue “Edit trust relationship” button.

On the “Edit trust relationship” page, delete the existing policy and paste in the following, replacing the Org ID in the principal ARN and the External ID with the values shown in your Open Raven tab:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::230888199284:role/orvn-00g1l57odvwYD0QQ90h8-cross-account"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "fa223b63-5a64-4344-a0d0-2737aba36224"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Click “Update Trust Policy.”
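The console steps above (the role name from Step 9, and the inline and trust policies from Step 11) are easy to get subtly wrong, and a wrong name or a missing External ID condition silently breaks the connection. The following is an added example, not Open Raven's own code or tooling: it renders both policy documents from your three inputs, checks that every cross-account principal in the trust policy belongs to Open Raven's SaaS account and requires sts:ExternalId, and emits the equivalent AWS CLI calls. The sample account ID, Org ID and External ID below are constructed placeholders; the managed-policy ARNs are the standard AWS-managed ones for the two policies named in Step 7.

```python
import json
import re

# Values taken from the page: Open Raven's SaaS account and the role-name pattern.
OPEN_RAVEN_SAAS_ACCOUNT = "230888199284"
ROLE_NAME_PREFIX = "openraven-cross-account-"
INLINE_POLICY_NAME = "lambda-access"  # example policy name from Step 11

# AWS-managed policy ARNs for the two policies attached in Step 7.
MANAGED_POLICY_ARNS = [
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole",
]

_ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
_ORG_ID_RE = re.compile(r"^[A-Za-z0-9]+$")


def role_name_for(org_id: str) -> str:
    """Step 9: the role name is the fixed prefix followed by the Open Raven Org ID."""
    return ROLE_NAME_PREFIX + org_id


def render_inline_policy(account_id: str, org_id: str) -> dict:
    """Step 11 inline policy with the customer's Account ID and Org ID substituted."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": ["lambda:CreateFunction", "lambda:InvokeFunction",
                           "lambda:GetFunction", "lambda:DeleteFunction"],
                "Resource": [f"arn:aws:lambda:*:{account_id}:function:dmap-*"],
                "Effect": "Allow",
            },
            {
                "Action": "iam:PassRole",
                "Resource": [f"arn:aws:iam::{account_id}:role/{role_name_for(org_id)}"],
                "Effect": "Allow",
            },
            {
                "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
                "Effect": "Deny",
                "NotResource": ["arn:aws:logs:*:*:*debug*"],
            },
        ],
    }


def render_trust_policy(org_id: str, external_id: str) -> dict:
    """Step 11 trust relationship: Open Raven's role (gated by External ID) plus the Lambda service."""
    return {
        "Version": "2008-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{OPEN_RAVEN_SAAS_ACCOUNT}:role/orvn-{org_id}-cross-account"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            },
            {
                "Effect": "Allow",
                "Principal": {"Service": "lambda.amazonaws.com"},
                "Action": "sts:AssumeRole",
            },
        ],
    }


def check_trust_policy(policy: dict) -> list:
    """Flag cross-account principals outside Open Raven's account or without an External ID condition."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if "AWS" not in principal:
            continue  # service principals (lambda.amazonaws.com) carry no External ID
        arn = principal["AWS"]
        if f":{OPEN_RAVEN_SAAS_ACCOUNT}:" not in arn:
            problems.append(f"statement {i}: principal {arn} is not in Open Raven's account")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            problems.append(f"statement {i}: cross-account principal without sts:ExternalId condition")
    return problems


def build_role_bundle(account_id: str, org_id: str, external_id: str) -> dict:
    """Validate the inputs and return the role name, both policies, any problems, and CLI calls."""
    if not _ACCOUNT_ID_RE.match(account_id):
        raise ValueError("AWS Account ID must be exactly 12 digits")
    if not _ORG_ID_RE.match(org_id):
        raise ValueError("Open Raven Org ID must be alphanumeric")
    name = role_name_for(org_id)
    trust = render_trust_policy(org_id, external_id)
    inline = render_inline_policy(account_id, org_id)
    commands = [
        f"aws iam create-role --role-name {name} --assume-role-policy-document file://trust.json",
        *[f"aws iam attach-role-policy --role-name {name} --policy-arn {arn}" for arn in MANAGED_POLICY_ARNS],
        f"aws iam put-role-policy --role-name {name} --policy-name {INLINE_POLICY_NAME} --policy-document file://inline.json",
    ]
    return {"role_name": name, "trust_policy": trust, "inline_policy": inline,
            "problems": check_trust_policy(trust), "commands": commands}


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    bundle = build_role_bundle("123456789012", "00gEXAMPLEORGID", "11111111-2222-3333-4444-555555555555")
    print(bundle["role_name"])
    print(json.dumps(bundle["trust_policy"], indent=2))   # save as trust.json
    print(json.dumps(bundle["inline_policy"], indent=2))  # save as inline.json
    print("\n".join(bundle["commands"]))
```

Write the two rendered documents to trust.json and inline.json and run the printed commands in that order; if `problems` is non-empty, fix the trust policy before creating the role. The External ID check matters because without it any principal in the trusted account could assume the role on a third party's behalf (the confused-deputy problem), which is exactly what the “Require external ID” setting in Step 6 prevents.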

Step 12. Validate the Connection on Open Raven

Go back to Open Raven and click on “I created the connection.”

You should now see the account under “AWS Accounts” with the status “Account Found.”


Any questions?

If you have questions while connecting your AWS Account to Open Raven or need assistance, please contact the Open Raven support team via email at [email protected]


What’s Next