Skip to main content

AWS IAM + Indent Webhook

This guide explains how to deploy an Indent webhook to the cloud for managing access to AWS IAM Groups for a single AWS Account. This webhook can be run as an AWS Lambda.

Take a look at the direct code examples that run in these webhooks:

This page assumes that you or someone on your team has already completed the Quickstart. If you haven't already, we would recommend you check it out - it should take 5 minutes. By the end you should have a working Space you can integrate with this webhook.

Prerequisites

Overview

We're going to pull AWS IAM Groups into Indent (optionally, you can import groups manually) then set up automated change management. This webhook can only be deployed as an AWS Lambda.

Step 0: Configure your cloud provider

Let's get all the AWS-specific items ready before getting started:

Step 1: Deploy the pull update webhook

c

  1. Download the example:
curl https://codeload.github.com/indentapis/examples/tar.gz/main | tar -xz --strip=3 examples-main/webhooks/pull/terraform-aws-iam-pull-webhook
cd terraform-aws-iam-pull-webhook

Follow the instructions in the GitHub README to complete the deployment process.

  1. After you finish deploying your webhook, enter the HTTP endpoint from AWS Lambda as the Webhook URL field in your new Webhook.
  2. Save the Webhook.
  3. Go to your Resources and click the dropdown arrow next to New
  4. Select Pull Update and a modal window appears with a list of resources you can pull.
  5. Choose the slider for AWS Groups then press Start Pulling Updates

The webhook will update your Resources with all the AWS IAM Groups for your AWS Account. Now when you search "aws" on the Resources page search bar, you will see all your AWS Groups as available Resources. Next, you'll automate group membership changes when access is granted or revoked.

  1. Navigate to Resources again and click the user Resource you want to allow access to AWS IAM.
  2. In the Resource page, add a new Label to the user.
    • Under Label name, enter "aws/username"
    • Under Label value enter the user's AWS IAM Username.
    • Save the Resource.

You can also update users in bulk. Select a list of users and export the list to a CSV where you can edit the user labels.

Step 3: Deploy the change webhook

Download the example:

curl https://codeload.github.com/indentapis/examples/tar.gz/main |tar -xz --strip=3 examples-main/webhooks/change/terraform-aws-iam-webhook
cd terraform-aws-iam-webhook

Follow the instructions in the GitHub README to complete the deployment process, then save the new webhook in your Indent configuration.

Step 4: Configure your Indent policies

  1. Click Apps in the Indent Dashboard and click on your communication app.

  2. Open Access Request Rules and add aws.iam.v1.Group to the "Kinds of Resources," your app can manage.

    • Alternatively, you can add individual Groups based on Resource ID in this section.
  3. Configure the approvers for granting access to your AWS IAM Groups.

Step 5: Make a test request

  1. Go to Request Access.
  2. Select your AWS IAM Group from the dropdown and enter a reason for access.
  3. Once the access is approved, check the group's page to confirm membership.

Congrats! You’ve just configured requesting and managing AWS IAM Group access with Indent.


Import groups manually

  1. Sign into your Indent Space.
  2. Go to your Resources.
  3. Click +New to create a new Resource:
    • Under Resource Kind, type in "aws.iam.v1.Group"
    • Enter the name of your AWS IAM Group.
    • Under Resource ID enter the ARN of your AWS IAM Group.
How do I get my AWS Group's ARN?

  • Navigate to your AWS IAM Console page.
  • Click on the group you want to add to Indent.
  • Copy the ARN from the Group Details page and add it to your resource.