AWS Connections

You can configure Soveren to access your AWS account for automatic discovery of your data storages, including managed databases and Kafka clusters.

New AWS Connection

You will need to create a new AWS connection in the Soveren app:

AWS connections

There are several important parameters in the New AWS connection dialog that you will need to configure for the AWS IAM role:

New AWS connection

  • AWS external ID: A randomly generated identifier that should be associated with the role you configure in AWS IAM to provide Soveren with appropriate access rights.

  • Soveren AWS Account ID: The account ID of Soveren. You will need to configure the role in AWS IAM to grant this ID the appropriate access rights.

  • Role ARN: The role that you will need to configure in AWS IAM (see below).

AWS external ID and Soveren AWS Account ID should be handled carefully, but they are not considered secret, sensitive, or confidential information.

Role in AWS IAM

You will need to create a new role in AWS IAM. To do this, follow these steps:

  1. Open AWS IAM.

  2. Create a new role:

    2.1. Trusted entity type: AWS account.

    2.2. Another AWS account: Enter the Soveren AWS Account ID, i.e., 579178354807.

    2.3. In the Options, check Require external ID and input the AWS external ID that you've generated in the New AWS connection dialog.

    2.4. Select a suitable policy with the minimum required permissions for Soveren to discover your data sources. If no appropriate policy exists, you can skip this step and create the permissions later (see below).

    2.5. Ensure that the Trust policy appears as shown below. It is essential that you see the Soveren AWS Account ID in the Principal block.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::579178354807:root"
                    ]
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "<AWS external ID generated by Soveren>"
                    }
                }
            }
        ]
    }
    

    During the preview phase, the Principal may appear as "AWS": "579178354807". However, it will be stored as arn:aws:iam::579178354807:root, which is expected.

    2.6. Save the role.

    2.7. If you did not select an existing policy in step 2.4, go to the Permissions tab, enter the following default permissions, and save the role again:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeRegions",
                    "rds:DescribeDBInstances",
                    "rds:DescribeDBClusters",
                    "rds:DescribeDBClusterEndpoints",
                    "kafka:ListClustersV2",
                    "ec2:DescribeSecurityGroups",
                    "kafka:GetBootstrapBrokers"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
    

    2.8. Copy the ARN of the created role. It should look like this: arn:aws:iam::654654342127:role/env.

  3. Return to the AWS connection setup in the Soveren app.

  4. Paste the ARN of the created role into the Role ARN field.

  5. Click Run test. It should display a positive result. (If not, please send us the error message.)

  6. Save the connection.
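The trust policy from step 2.5 and the default permissions from step 2.7, turned into a small Python check added here (this is not Soveren's code): it generates the trust policy for a given external ID and reports the deviations a reviewer of an existing role would look for, such as a wildcard principal, a missing sts:ExternalId condition, or actions beyond the documented read-only set. The policy documents used in the test are constructed samples.

```python
"""Build and sanity-check the IAM documents for a Soveren AWS connection."""

SOVEREN_ACCOUNT_ID = "579178354807"  # Soveren AWS Account ID from the docs
# Default permissions listed in step 2.7.
DEFAULT_ACTIONS = [
    "ec2:DescribeRegions", "rds:DescribeDBInstances", "rds:DescribeDBClusters",
    "rds:DescribeDBClusterEndpoints", "kafka:ListClustersV2",
    "ec2:DescribeSecurityGroups", "kafka:GetBootstrapBrokers",
]

def trust_policy(external_id: str) -> dict:
    """Trust policy from step 2.5: only Soveren's account, only with the external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{SOVEREN_ACCOUNT_ID}:root"]},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy_problems(doc: dict, external_id: str) -> list:
    """Findings for an existing trust policy (empty list means it matches the docs).
    Accepts both the preview form "AWS": "<id>" and the stored ARN form."""
    problems = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in principals:
            problems.append("wildcard principal: any AWS account could assume the role")
        else:
            problems.extend(f"unexpected principal {p}" for p in principals if SOVEREN_ACCOUNT_ID not in p)
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("missing sts:ExternalId condition (confused-deputy risk)")
        elif ext != external_id:
            problems.append("sts:ExternalId does not match the ID from the Soveren dialog")
    return problems

def permission_problems(doc: dict) -> list:
    """Actions in the permission policy that go beyond the read-only defaults of step 2.7."""
    found = {a for st in doc.get("Statement", []) if st.get("Effect") == "Allow"
             for a in _as_list(st.get("Action", []))}
    return sorted(found - set(DEFAULT_ACTIONS))
```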