AWS Account Connection

Unlike Azure and GCP which use OAuth 2.0 user authentication, AWS uses IAM role assumption for cross-account access. Users configure an IAM role in their AWS account with a trust relationship to the Multi-Cloud Manager’s AWS account, then provide the role ARN to connect.

Get AWS Configuration

Response

awsAccountId
string
The Multi-Cloud Manager’s AWS account ID that should be trusted by the user’s IAM role
externalId
string
External ID to use in the IAM role trust policy for additional security
Value: "multi-cloud-manager-app-v1-secret"
Example response:
{
  "awsAccountId": "123456789012",
  "externalId": "multi-cloud-manager-app-v1-secret"
}

Error Responses

500 Internal Server Error
{
  "error": "Konfiguracja serwera jest niekompletna (brak AWS_ACCOUNT_ID)"
}

Add AWS Account

Request Body

roleArn
string
required
ARN of the IAM role in the user’s AWS account
Format: arn:aws:iam::{account-id}:role/{role-name}
Example: "arn:aws:iam::987654321098:role/MultiCloudManagerRole"
Example request:
{
  "roleArn": "arn:aws:iam::987654321098:role/MultiCloudManagerRole"
}

Response

201 Created - Success
{
  "message": "Konto AWS 987654321098 pomyślnie dodane."
}

Session Data Created

accounts
array
Array of connected cloud provider accounts, with new AWS account added
provider
string
Always “aws” for AWS accounts
displayName
string
Display name in format: "AWS Account ({account_id})"
roleArn
string
The IAM role ARN provided by user
externalId
string
External ID used for role assumption
accountId
string
AWS account ID extracted from role ARN
Example account object:
{
  "provider": "aws",
  "displayName": "AWS Account (987654321098)",
  "roleArn": "arn:aws:iam::987654321098:role/MultiCloudManagerRole",
  "externalId": "multi-cloud-manager-app-v1-secret",
  "accountId": "987654321098"
}

Error Responses

400 Bad Request - Missing Role ARN
{
  "error": "Brak 'roleArn' w ciele żądania"
}
403 Forbidden - Access Denied
{
  "error": "Odmowa dostępu. Sprawdź, czy ARN roli, ID Twojego konta oraz ExternalId są poprawne."
}
Returned when:
  • IAM role doesn’t exist
  • Trust policy doesn’t allow the Multi-Cloud Manager account
  • External ID doesn’t match
  • Insufficient permissions
400 Bad Request - AWS Error
{
  "error": "Błąd AWS: {error details}"
}
500 Internal Server Error
{
  "error": "Wystąpił nieoczekiwany błąd: {error details}"
}

AWS Connection Flow

Step 1: Get Configuration

Client calls GET /api/account/aws/config to retrieve:
  • Multi-Cloud Manager’s AWS account ID
  • External ID for trust policy

Step 2: User Creates IAM Role

User creates an IAM role in their AWS account with the following trust policy (replace {server_account_id} with the awsAccountId returned by the configuration endpoint):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{server_account_id}:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "multi-cloud-manager-app-v1-secret"
        }
      }
    }
  ]
}
Permissions Policy: Attach policies granting the permissions the Multi-Cloud Manager needs for that account (e.g., EC2 read access, VPC management). At minimum the role must be allowed to call ec2:DescribeRegions, which the backend uses to verify the connection.

Step 3: Add Account

Client calls POST /api/account/aws/add with role ARN.

Step 4: Role Assumption and Verification

Backend performs the following steps (boto3 is imported with import boto3; the server credentials and APP_EXTERNAL_ID come from the environment configuration and code reference below):
  1. Assume the role using STS:
    import boto3

    # STS client authenticated as the Multi-Cloud Manager's own AWS account
    sts_client = boto3.client(
        'sts',
        aws_access_key_id=AWS_SERVER_ACCESS_KEY_ID,
        aws_secret_access_key=AWS_SERVER_SECRET_KEY,
        region_name='us-east-1'
    )

    # Raises ClientError (AccessDenied) if the role does not exist, the trust
    # policy does not allow this account, or the external ID does not match
    assumed_role_object = sts_client.assume_role(
        RoleArn=role_arn_from_user,
        RoleSessionName="MultiCloudManagerVerification",
        ExternalId=APP_EXTERNAL_ID
    )

  2. Extract temporary credentials:
    temp_credentials = assumed_role_object['Credentials']
    # Keys: AccessKeyId, SecretAccessKey, SessionToken (short-lived)

  3. Verify permissions by calling EC2 DescribeRegions with the temporary credentials:
    ec2_client = boto3.client(
        'ec2',
        aws_access_key_id=temp_credentials['AccessKeyId'],
        aws_secret_access_key=temp_credentials['SecretAccessKey'],
        aws_session_token=temp_credentials['SessionToken'],
        region_name='us-east-1'
    )
    ec2_client.describe_regions()  # raises if the role lacks ec2:DescribeRegions

  4. Extract account ID from role ARN:
    # arn:aws:iam::{account-id}:role/{role-name} -> field index 4 is the account ID
    user_account_id = role_arn_from_user.split(':')[4]

  5. Create account object and add to session
  6. Update session accounts:
    • If account with same role ARN exists, update it
    • Otherwise, append new account
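The connection flow above (trust policy from Step 2, role assumption and account-object construction from Step 4, duplicate prevention from Step 6) as an added, self-contained example; this is not the project's own backend/auth/aws_auth.py code. The function names are assumptions; the STS client is injected, so boto3's client('sts') or a test fake both fit, and the ARN is validated against the documented format instead of relying on split(':')[4].

```python
import json
import re

# Added example (not the project's own code): helpers around the AWS connection
# flow. Function names are assumptions chosen for illustration.

# arn:aws:iam::{account-id}:role/{role-name}; account IDs are exactly 12 digits
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")


def parse_role_arn(role_arn):
    """Validate the role ARN format and return (account_id, role_name).

    Stricter than role_arn.split(':')[4]: a malformed ARN raises ValueError
    instead of yielding an empty or wrong account ID.
    """
    m = ROLE_ARN_RE.match(role_arn or "")
    if not m:
        raise ValueError("roleArn must match arn:aws:iam::{account-id}:role/{role-name}")
    return m.group(1), m.group(2)


def trust_policy(server_account_id, external_id):
    """Trust policy the user attaches to their role (Step 2), as JSON text."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{server_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }, indent=2)


def verify_and_build_account(sts_client, role_arn, external_id):
    """Step 4: assume the role with the external ID, then build the session account object.

    sts_client is any object exposing assume_role(**kwargs); AccessDenied from
    the real client surfaces as botocore's ClientError and maps to the 403 above.
    """
    account_id, _ = parse_role_arn(role_arn)
    sts_client.assume_role(RoleArn=role_arn,
                           RoleSessionName="MultiCloudManagerVerification",
                           ExternalId=external_id)
    return {"provider": "aws", "displayName": f"AWS Account ({account_id})",
            "roleArn": role_arn, "externalId": external_id, "accountId": account_id}


def upsert_account(accounts, account):
    """Step 6: replace the entry with the same roleArn if present, else append."""
    for i, existing in enumerate(accounts):
        if existing.get("provider") == "aws" and existing.get("roleArn") == account["roleArn"]:
            accounts[i] = account
            return accounts
    accounts.append(account)
    return accounts
```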

Account Management

Duplicate Prevention: If an AWS account with the same role ARN already exists in the session, it will be updated instead of creating a duplicate.

Security: The external ID provides additional security by preventing confused deputy attacks. The user’s IAM role should require this specific external ID in its trust policy.

Environment Configuration

The following environment variables must be configured:
AWS_ACCESS_KEY_ID
string
required
Access key ID for Multi-Cloud Manager’s AWS account (server credentials)
AWS_SECRET_ACCESS_KEY
string
required
Secret access key for Multi-Cloud Manager’s AWS account
AWS_ACCOUNT_ID
string
required
AWS account ID of Multi-Cloud Manager (used in trust policies)

Code Reference

Implementation in backend/auth/aws_auth.py:15-98

External ID constant:
APP_EXTERNAL_ID = "multi-cloud-manager-app-v1-secret"
Role assumption:
assumed_role_object = sts_client.assume_role(
    RoleArn=role_arn_from_user,
    RoleSessionName="MultiCloudManagerVerification",
    ExternalId=APP_EXTERNAL_ID
)
Permission verification:
ec2_client.describe_regions()  # Verifies basic EC2 permissions