AWS Integration

Cross-Account IAM Role setup with CloudFormation or Terraform.

AWS integration uses a Cross-Account IAM Role with an External ID. The Tendril assumes this role at runtime to access your AWS account — no access keys are stored. See Security Architecture for the full security model.

Setup Methods

CloudFormation

Copy External ID

Trellis generates a unique External ID and displays it. This ID is shared between your IAM role and the platform to prevent confused deputy attacks.

Launch CloudFormation Stack

Click "Launch Stack in AWS" — this opens the AWS Console with a pre-filled CloudFormation template that creates:

  • GrapeProvisionerRole — IAM role with permissions for all supported resource types
  • Trust policy restricting who can assume the role to the platform's AWS account
  • External ID condition in the trust policy

Acknowledge and Create

In the AWS Console, acknowledge that CloudFormation will create IAM resources, then click "Create stack."

Copy Role ARN

After the stack completes (~1 minute), go to the Outputs tab and copy the Role ARN.

Paste into Trellis

Paste the Role ARN into the Trellis form and click "Complete."

Terraform

Copy External ID

Same as CloudFormation — Trellis provides the External ID.

Apply Terraform

Use the provided Terraform snippet to create the IAM role with the External ID in your AWS account.

Copy Role ARN

Copy the role_arn output from Terraform.

Paste into Trellis

Paste into the form and click "Complete."
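One way to write the Terraform for the Apply Terraform step, added here as an example rather than the snippet Trellis provides: it creates GrapeProvisionerRole with a trust policy limited to the platform's AWS account and the External ID, and exposes the role_arn output used in the next step. The platform account ID and the External ID are placeholders passed in as variables, since neither value appears on this page, and the permissions policy attachment is left as a placeholder because the exact IAM actions are not listed here.

```hcl
# Added example, not the snippet provided by Trellis. Creates the cross-account
# role described above: only the platform's AWS account may assume it, and only
# when it presents the External ID generated by Trellis (confused-deputy guard).

variable "platform_account_id" {
  description = "Placeholder: the platform's AWS account ID shown by Trellis"
  type        = string
}

variable "external_id" {
  description = "Placeholder: the External ID copied from Trellis"
  type        = string
}

# Trust policy: principal restricted to the platform account, plus the
# sts:ExternalId condition. The CONNECTION_TEST job reports a trust policy
# error if either piece is missing or does not match what Trellis holds.
data "aws_iam_policy_document" "grape_provisioner_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.platform_account_id}:root"]
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.external_id]
    }
  }
}

resource "aws_iam_role" "grape_provisioner" {
  name               = "GrapeProvisionerRole"
  assume_role_policy = data.aws_iam_policy_document.grape_provisioner_trust.json
}

# Permissions policy: attach the scoped policy covering the services in the
# IAM Role Permissions table (placeholder; exact actions are not on this page).
# resource "aws_iam_role_policy_attachment" "grape_provisioner" { ... }

# The value pasted into Trellis in the "Copy Role ARN" step.
output "role_arn" {
  value = aws_iam_role.grape_provisioner.arn
}
```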

Verification

After submitting, Trellis queues a CONNECTION_TEST job:

  1. A Tendril assumes the role via STS AssumeRole with the External ID
  2. Calls sts:GetCallerIdentity to verify the assumed identity
  3. Discovers existing resources: VPCs, subnets, hosted zones, IAM users, security groups
  4. Caches discovered resources in cloud_identities.credentials

If verification fails, the error message explains what went wrong (e.g., trust policy misconfiguration, missing permissions).

IAM Role Permissions

The role has permissions for all Terraform-managed resource types:

Service           Permissions
EC2               VPC, subnets, NAT gateways, security groups, Elastic IPs
EKS               Clusters, node groups, OIDC providers, access entries
RDS               Aurora clusters, instances, subnet groups, parameter groups
ElastiCache       Replication groups, subnet groups
Route 53          Hosted zones, record sets
Secrets Manager   Secrets, resource policies
DynamoDB          Tables, backups
SQS / SNS         Queues, topics, subscriptions
ECR               Repositories, lifecycle policies
S3                Buckets, policies
IAM               Roles (for IRSA), policies, instance profiles
ACM               Certificates
WAF               Web ACLs, rules

The role is NOT an admin role. It has exactly the permissions needed for the supported Terraform resources, scoped with conditions where possible.

What's Stored

Only two values are stored in the database:

  • Role ARN (e.g. arn:aws:iam::123456789012:role/GrapeProvisionerRole)
  • External ID — UUID generated by Trellis

No access keys, secret keys, or session tokens are ever persisted.