Skip to content

Connect AWS

ScrinCloud connects to AWS by assuming an organization-owned IAM role. The guided flow generates an External ID for the role trust policy; it does not ask you to paste AWS access keys into the browser.

Typical time
15–25 minutes
You need
AWS IAM and ScrinCloud admin access
Next step
Test and activate

Confirm the target AWS account, approved environment, required regions and services, and the minimum permission level. Ask your cloud security team to review the IAM role and trust policy before activation.

  1. Open Cloud Accounts.
  2. Choose Connect AWS.
  3. In Account details, enter a synthetic-friendly connection name.
  4. Choose the approved Environment.
  5. Set Permission level to Read only, Plan only, or Plan + apply.
  6. Choose Next: Provider access.

AWS 1 of 5 · Screenshot placeholder

Choose the AWS account boundary

Show Account details with a documentation-only name, environment, and least-privilege Permission level.

Future capture briefDo not show a real AWS account name, account number, organization, project, or user.

The AWS provider access step shows:

  • AWS IAM role ARN;
  • Generated External ID; and
  • an AWS setup guide opened from the information control.

In AWS:

  1. create or select a dedicated IAM role;
  2. trust only the ScrinCloud principal shown by the current setup guide;
  3. require the exact generated External ID in the trust policy;
  4. attach only the permissions needed for the selected mode; and
  5. keep trust and permission policies under your normal review process.

Return to ScrinCloud and enter the IAM role ARN. The generated External ID is read-only in the form.

AWS 2 of 5 · Screenshot placeholder

Use the generated AWS trust values

Show AWS provider access with the role field, masked Generated External ID, and setup-guide control.

Future capture briefMask the complete role ARN, account number, trusted principal ARN, External ID, and setup token. Never capture access keys.
  1. Open Scope.
  2. add only approved Allowed regions;
  3. leave all supported services enabled only when policy permits it; otherwise select the required services; and
  4. remove regions and services outside the connection’s purpose.

AWS 3 of 5 · Screenshot placeholder

Limit AWS regions and services

Show one approved AWS region and a focused service selection.

Future capture briefUse generic service names and a staged region. Do not show resource names, account IDs, tags, or customer inventory.

Review the environment, permission level, IAM role method, regions, and service scope. Choose Connect AWS to save the connection.

Saving does not make the connection active. If setup or trust is incomplete, the saved record remains pending and shows what needs attention.

AWS 4 of 5 · Screenshot placeholder

Review before saving AWS

Show the Review step with provider, environment, permission level, authentication method, and narrow scope.

Future capture briefRedact all provider identity values while leaving the permission and scope decisions visible.
  1. choose Test connection;
  2. confirm the returned AWS identity is the intended role and account;
  3. review every capability and permission probe;
  4. resolve required failures in AWS and test again;
  5. select the identity acknowledgement; and
  6. choose Activate connection.

An active connection can be linked to eligible workspaces. It does not automatically apply Terraform or import every AWS resource.

AWS 5 of 5 · Screenshot placeholder

Verify and activate the AWS role

Show a passed identity test, safe capability probes, acknowledgement, and activation control.

Future capture briefUse a staged role and mask account number, role ID, ARN, request IDs, and raw AWS errors.

The connection should show the expected environment, permission level, regions, Verified identity, healthy required probes, and Active status.

Check the IAM role ARN, trust principal, current External ID condition, and the specific failed permission. Do not add broad administrator permissions.

Use the value generated for the current setup. Do not reuse a value from a different organization, setup session, support note, or screenshot.

Identity health and feature readiness are separate. Confirm the required region, service permission, billing access, and workspace link.

Next: Test and manage cloud accounts.