AWS Integration
ops0 connects to AWS using either IAM access keys or a cross-account role. For most organizations, Assume Role is the preferred option because it keeps access scoped and avoids storing long-lived credentials.
Adding the Integration
Navigate to Integrations
Go to Settings > Integrations > Add Integration.
Select AWS
Choose AWS from the provider list.
Choose an Authentication Method
Select either Access Keys or Assume Role.
Enter Credentials
Provide the required AWS identifiers and region settings.
Connect
Click Connect to verify the integration.

Authentication Methods
Assume Role
Recommended for cross-account access, stronger boundaries, and easier rotation.
Access Keys
Use an IAM access key and secret when role assumption is not available.
Access Keys Method
| Field | Required | Description |
|---|---|---|
| Name | Yes | Integration name |
| Access Key ID | Yes | IAM access key |
| Secret Access Key | Yes | IAM secret key |
| Default Region | Yes | Default AWS region |
Assume Role Method
| Field | Required | Description |
|---|---|---|
| Name | Yes | Integration name |
| Role ARN | Yes | IAM role to assume |
| External ID | Yes | Security identifier used in the trust policy |
| Default Region | Yes | Default AWS region |
Use Assume Role for production environments. It provides better security boundaries and simplifies credential rotation.
Setting Up Assume Role
Create the Role
In the AWS Console, create an IAM role for ops0.
Add the Trust Policy
Allow ops0 to assume the role using the AWS account and external ID provided during setup.
Attach Permissions
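Grant the role the discovery or deployment permissions you want ops0 to use. The deployment policy under Required AWS Permissions uses service-wide wildcards on all resources, and `iam:*` on `*` is enough for the role to grant itself any other permission, so narrow it to the services and resources your IaC actually manages.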
Copy the Role ARN
Paste the Role ARN into the integration form in brew.ops0.ai.
Trust Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "your-external-id"
        }
      }
    }
  ]
}
Required AWS Permissions
For IaC Deployments
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "s3:*",
        "iam:*",
        "rds:*",
        "lambda:*"
      ],
      "Resource": "*"
    }
  ]
}
For Discovery Only
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "s3:List*",
        "rds:Describe*",
        "lambda:List*"
      ],
      "Resource": "*"
    }
  ]
}
Troubleshooting
Access Denied
Verify the trust policy includes the correct AWS account ID and external ID.
Role Not Found
Confirm the IAM role exists and the copied ARN is exact.
Invalid External ID
Use the value shown in ops0 rather than a custom identifier.
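A local check for the Access Denied and Invalid External ID cases, added here as an example (it is not ops0 or AWS code): it parses a role's trust policy JSON and reports a principal outside the expected account or a missing or mismatched `sts:ExternalId` condition. The function names are hypothetical, the sample is the placeholder policy from this page, and matching the `StringEquals` / `sts:ExternalId` keys exactly as written here is an assumption.

```python
import json

# Constructed sample: the trust policy from this page with its placeholder values.
SAMPLE_TRUST_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "your-external-id"}}
  }]
}
"""

def _as_list(value):
    """IAM accepts a single value or a list in most policy fields."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _account_of(principal):
    """Account ID from an ARN or a bare account ID; '*' stays '*'."""
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else principal

def check_trust_policy(policy_json, expected_account, expected_external_id):
    """Return a list of findings; an empty list means the policy matches."""
    findings = []
    allows = [s for s in _as_list(json.loads(policy_json).get("Statement"))
              if s.get("Effect") == "Allow"
              and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if not allows:
        return ["no Allow statement for sts:AssumeRole"]
    for i, stmt in enumerate(allows):
        principal = stmt.get("Principal", {})
        # Principal may be the bare string "*" or a map such as {"AWS": ...}.
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if not arns:
            findings.append(f"statement {i}: no AWS principal")
        for arn in arns:
            if _account_of(arn) != expected_account:
                findings.append(f"statement {i}: unexpected principal {arn}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ids = _as_list(cond.get("sts:ExternalId"))
        if not ids:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif ids != [expected_external_id]:
            findings.append(f"statement {i}: external ID mismatch")
    return findings
```

Pass in the account ID and external ID shown in ops0 during setup; an empty list means the trust policy agrees with both.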