AWS Integration

Cross-Account IAM Role setup with CloudFormation or Terraform.

AWS integration uses a Cross-Account IAM Role with an External ID. At runtime the Runner calls STS AssumeRole on that role and works with the short-lived temporary credentials STS returns; no long-term access keys for your account are ever created or stored. See Security Architecture for the full security model.

Setup Methods

Both methods create the same role and trust policy in your AWS account and end with pasting the Role ARN into Alethia.

Method 1: CloudFormation

Copy External ID

Alethia generates a unique External ID and displays it. The same value is written into your role's trust policy as an sts:ExternalId condition and presented by the platform on every AssumeRole call. Because the ID is unique to your account, a third party who learns your Role ARN cannot trick the platform into assuming your role on their behalf (the confused deputy problem).

Launch CloudFormation Stack

Click "Launch Stack in AWS". This opens the AWS Console with a pre-filled CloudFormation template that creates:

  • AlethiaProvisionerRole, an IAM role with permissions for all supported resource types
  • A trust policy that allows only the platform's AWS account to assume the role
  • An sts:ExternalId condition in that trust policy, so the platform must present your External ID on every AssumeRole call

Acknowledge and Create

In the AWS Console, acknowledge that CloudFormation will create IAM resources, then click "Create stack."

Copy Role ARN

After the stack completes (~1 minute), go to the Outputs tab and copy the Role ARN.

Paste into Alethia

Paste the Role ARN into the Alethia form and click "Complete."

Method 2: Terraform

Copy External ID

Same as CloudFormation: Alethia provides the External ID.

Apply Terraform

Use the provided Terraform snippet to create the IAM role with the External ID in your AWS account.

Copy Role ARN

Copy the role_arn output from Terraform.

Paste into Alethia

Paste into the form and click "Complete."
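Whichever method you use, the security-relevant artifact is the role's trust policy. The following is an added example, not the platform's CloudFormation template or Terraform snippet: it builds the equivalent trust policy (platform account as the only principal, External ID as an sts:ExternalId condition) and audits an existing trust policy for the two mistakes that matter, an open principal and a missing or mismatched External ID. PLATFORM_ACCOUNT_ID and the External ID values are placeholders (assumptions); substitute the account ID and External ID Alethia shows you.

```python
"""Trust policy for the cross-account provisioner role, plus a pre-flight audit.

Added example, not the platform's CloudFormation template or Terraform snippet.
PLATFORM_ACCOUNT_ID and the External ID used below are placeholders (assumptions).
"""
import json

PLATFORM_ACCOUNT_ID = "111111111111"  # assumption: Alethia's AWS account, shown in the UI
ROLE_NAME = "AlethiaProvisionerRole"


def _as_list(value):
    """IAM accepts a string or a list in Action/Principal fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(platform_account_id, external_id):
    """Trust policy equivalent to what both setup methods create: only the platform
    account may call sts:AssumeRole, and only while presenting the External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{platform_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def audit_trust_policy(policy, platform_account_id, external_id):
    """Return the problems that would either let a third party assume the role
    (confused deputy) or make the platform's own AssumeRole fail. [] means OK."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        principals = [principal] if isinstance(principal, str) else _as_list((principal or {}).get("AWS"))
        if "*" in principals:
            problems.append("Principal is '*': any AWS account could assume the role")
        for p in principals:
            # Accept either the bare account ID or an ARN inside that account.
            if p != "*" and p != platform_account_id and f"::{platform_account_id}:" not in p:
                problems.append(f"unexpected principal {p}: not the platform account")
        condition = (stmt.get("Condition") or {}).get("StringEquals", {})
        presented = condition.get("sts:ExternalId")
        if presented is None:
            problems.append("no sts:ExternalId condition: confused-deputy protection missing")
        elif presented != external_id:
            problems.append("sts:ExternalId does not match the ID shown by Alethia")
    return problems


if __name__ == "__main__":
    demo_id = "00000000-0000-4000-8000-000000000000"  # placeholder External ID
    policy = build_trust_policy(PLATFORM_ACCOUNT_ID, demo_id)
    print(json.dumps(policy, indent=2))
    print("problems:", audit_trust_policy(policy, PLATFORM_ACCOUNT_ID, demo_id))
```

To audit a role you already created, fetch its trust policy with `aws iam get-role --role-name AlethiaProvisionerRole --query Role.AssumeRolePolicyDocument` and pass the decoded document to audit_trust_policy before pasting the ARN into Alethia; an empty list means the connection test's AssumeRole step should succeed.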

Verification

After submitting, Alethia queues a CONNECTION_TEST job:

  1. A Runner assumes the role via STS AssumeRole with the External ID
  2. Calls sts:GetCallerIdentity to verify the assumed identity
  3. Discovers existing resources: VPCs, subnets, hosted zones, IAM users, security groups
  4. Caches discovered resources in cloud_identities.credentials

If verification fails, the error message explains what went wrong. The usual causes are an AccessDenied from AssumeRole (the trust policy does not name the platform account, the External ID does not match, or the stack had not finished creating the role when the ARN was pasted) and a missing permission discovered in step 3.
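Steps 1 and 2 of the connection test, as an added example rather than the platform's Runner code: AssumeRole with the External ID, then GetCallerIdentity with the returned temporary credentials, checking that the identity really is a session of the pasted role. The STS client is injected so the flow runs offline against FakeSTS, a constructed stand-in that trusts one (role ARN, External ID) pair and mimics the AccessDenied error shape; boto3_sts_factory shows the same flow with real clients (assumption: boto3 installed). The session name, account IDs and External ID are placeholders.

```python
"""The CONNECTION_TEST flow: AssumeRole with the External ID, then GetCallerIdentity.

Added example, not the platform's Runner code. The STS client is injected so
the flow runs offline against FakeSTS (a constructed stand-in); pass
boto3_sts_factory to use real clients (assumption: boto3 is installed).
"""
import re
from dataclasses import dataclass

SESSION_NAME = "alethia-connection-test"  # assumption: any RoleSessionName would do
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(?:.*/)?([^/]+)$")


@dataclass
class ConnectionTestResult:
    ok: bool
    assumed_arn: str = ""
    message: str = ""


def expected_session_arn(role_arn, session_name):
    """The ARN GetCallerIdentity returns for a session of role_arn (the role path,
    if any, is dropped from assumed-role ARNs)."""
    m = ROLE_ARN_RE.match(role_arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    account, name = m.groups()
    return f"arn:aws:sts::{account}:assumed-role/{name}/{session_name}"


def connection_test(sts_factory, role_arn, external_id):
    """Steps 1 and 2 of the job. sts_factory(creds=None) returns a client shaped
    like boto3's STS client; creds are the temporary credentials from AssumeRole."""
    try:
        creds = sts_factory().assume_role(
            RoleArn=role_arn,
            RoleSessionName=SESSION_NAME,
            ExternalId=external_id,   # must equal the trust policy's sts:ExternalId
            DurationSeconds=900,      # shortest AssumeRole allows; nothing here is persisted
        )["Credentials"]
    except Exception as exc:  # botocore's ClientError carries .response["Error"]["Code"]
        resp = getattr(exc, "response", None)
        code = resp["Error"]["Code"] if isinstance(resp, dict) and "Error" in resp else type(exc).__name__
        if code == "AccessDenied":
            return ConnectionTestResult(False, message=(
                "AssumeRole denied: the trust policy does not allow the platform "
                "account, or the External ID does not match its sts:ExternalId condition"))
        return ConnectionTestResult(False, message=f"AssumeRole failed: {code}")
    # Step 2: prove the temporary credentials really are a session of the given role.
    arn = sts_factory(creds).get_caller_identity()["Arn"]
    if arn != expected_session_arn(role_arn, SESSION_NAME):
        return ConnectionTestResult(False, arn, "assumed identity is not the expected role")
    return ConnectionTestResult(True, arn, "role assumed; resource discovery can proceed")


def boto3_sts_factory(creds=None):
    """Real clients; boto3 is imported lazily so this module loads without it."""
    import boto3
    if creds is None:
        return boto3.client("sts")
    return boto3.client("sts", aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


class FakeClientError(Exception):
    """Mimics the .response layout of botocore.exceptions.ClientError."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeSTS:
    """Constructed stand-in for the STS client: trusts one (role, External ID) pair."""
    ROLE_ARN = "arn:aws:iam::123456789012:role/AlethiaProvisionerRole"
    EXTERNAL_ID = "00000000-0000-4000-8000-000000000000"   # constructed placeholder

    def __init__(self, creds=None):
        self.creds = creds

    def assume_role(self, RoleArn, RoleSessionName, ExternalId, DurationSeconds=3600):
        if (RoleArn, ExternalId) != (self.ROLE_ARN, self.EXTERNAL_ID):
            raise FakeClientError("AccessDenied")
        return {"Credentials": {"AccessKeyId": "ASIAFAKE", "SecretAccessKey": "fake",
                                "SessionToken": f"{RoleArn}|{RoleSessionName}"}}

    def get_caller_identity(self):
        if self.creds is None:   # the Runner's own identity in the platform account
            return {"Arn": "arn:aws:iam::111111111111:user/runner"}
        role_arn, session = self.creds["SessionToken"].split("|")
        account, name = role_arn.split(":")[4], role_arn.rsplit("/", 1)[1]
        return {"Arn": f"arn:aws:sts::{account}:assumed-role/{name}/{session}"}
```

With real credentials the same call is `connection_test(boto3_sts_factory, role_arn, external_id)`; an AccessDenied there is the "trust policy misconfiguration" case described above, while an identity that does not match expected_session_arn would mean the pasted ARN points at a different role than the one the stack created.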

IAM Role Permissions

The role has permissions for all Terraform-managed resource types:

Service            Permissions
EC2                VPC, subnets, NAT gateways, security groups, Elastic IPs
EKS                Clusters, node groups, OIDC providers, access entries
RDS                Aurora clusters, instances, subnet groups, parameter groups
ElastiCache        Replication groups, subnet groups
Route 53           Hosted zones, record sets
Secrets Manager    Secrets, resource policies
DynamoDB           Tables, backups
SQS / SNS          Queues, topics, subscriptions
ECR                Repositories, lifecycle policies
S3                 Buckets, policies
IAM                Roles (for IRSA), policies, instance profiles
ACM                Certificates
WAF                Web ACLs, rules

The role is NOT an admin role. Its policy is limited to the actions needed for the supported Terraform resources, scoped with conditions where possible. One set of statements deserves a closer look before you create the stack: the IAM permissions (roles for IRSA, policies, instance profiles) let the role create other principals and attach policies to them, which is more powerful than any single service permission. Review those statements in the template and apply a permissions boundary if your organisation requires one for third-party roles.

What's Stored

Only two values are stored in the database:

  • Role ARN, for example arn:aws:iam::123456789012:role/AlethiaProvisionerRole
  • External ID — UUID generated by Alethia

No access keys, secret keys, or session tokens are ever persisted.