
AWS Setup

Create the IAM role that allows StrictOps to deploy to your AWS account

StrictOps needs an IAM role in your AWS account to provision infrastructure on your behalf. This role uses an External ID for secure cross-account access — StrictOps never stores your AWS credentials.

Prerequisites

  • AWS CLI installed and configured with credentials that have permission to create IAM roles
  • Your StrictOps External ID (provided during onboarding)
  • Your StrictOps Account ID (provided during onboarding)

Quick Setup

Run one of the following commands in your terminal. The script will:

  1. Check your AWS credentials
  2. Download and deploy a CloudFormation template
  3. Output the Role ARN to paste into StrictOps

Mac / Linux

curl -sSL https://raw.githubusercontent.com/strictops/strictops-setup/main/aws/setup-role.sh | bash -s -- \
  --external-id "YOUR_EXTERNAL_ID" \
  --strictops-account "STRICTOPS_ACCOUNT_ID" \
  --region "us-east-1"

Windows (PowerShell)

irm https://raw.githubusercontent.com/strictops/strictops-setup/main/aws/setup-role.ps1 | iex; `
Setup-StrictOpsRole `
  -ExternalId "YOUR_EXTERNAL_ID" `
  -StrictOpsAccountId "STRICTOPS_ACCOUNT_ID" `
  -Region "us-east-1"

Replace YOUR_EXTERNAL_ID and STRICTOPS_ACCOUNT_ID with the values shown in the StrictOps onboarding flow.

What the script does

The setup script performs these steps:

Step                     | Description
1. Verify credentials    | Checks that the AWS CLI is configured and can authenticate
2. Deploy CloudFormation | Creates a stack with the IAM role and required permissions
3. Output Role ARN       | Displays the Role ARN to copy into StrictOps

Manual Setup

If you prefer to create the role manually or need to customize the permissions:

1. Download the CloudFormation template

curl -sSL https://raw.githubusercontent.com/strictops/strictops-setup/main/aws/cross-account-role.yaml -o strictops-role.yaml

2. Deploy the stack

aws cloudformation deploy \
  --capabilities CAPABILITY_NAMED_IAM \
  --stack-name strictops-cross-account-role \
  --template-file strictops-role.yaml \
  --parameter-overrides \
    RoleName=StrictOpsAccess \
    ExternalId=YOUR_EXTERNAL_ID \
    StrictOpsAccountId=STRICTOPS_ACCOUNT_ID \
  --region us-east-1

3. Get the Role ARN

aws cloudformation describe-stacks \
  --stack-name strictops-cross-account-role \
  --query "Stacks[0].Outputs[?OutputKey=='StrictOpsRoleArn'].OutputValue | [0]" \
  --output text

IAM Permissions

The IAM role grants StrictOps the minimum permissions needed to:

  • ECS: Create and manage ECS clusters, services, and task definitions
  • ECR: Create repositories and push container images
  • CloudFormation: Deploy and manage infrastructure stacks
  • EC2: Create security groups and describe VPCs/subnets
  • ELB: Create load balancers and target groups
  • CloudWatch Logs: Create log groups and read logs
  • IAM: Create task execution roles (scoped to ECS)

You can review the full permissions in the CloudFormation template.
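After the manual setup steps above, and before pasting the Role ARN into StrictOps, it is worth confirming two things the page relies on: that the role's trust policy only lets the StrictOps account assume it and only with your External ID (the confused-deputy protection the page mentions), and that the permission policy carries no wildcard grants. The Python script below is an added example written for this page, not StrictOps code and not part of the setup-role scripts. It audits policy JSON offline; the two sample documents it ships with are constructed placeholders (the account ids, the external id and the ecsTaskExecutionRole name pattern are assumptions), and real documents can be fetched with aws iam get-role --role-name StrictOpsAccess --query Role.AssumeRolePolicyDocument and aws iam get-role-policy --role-name StrictOpsAccess --policy-name <NAME> --query PolicyDocument and passed in as files.

```python
"""Audit a cross-account role's trust and permission policies.

Added example for this page (not StrictOps code). Usage:
  python audit_role.py TRUST.json PERMS.json STRICTOPS_ACCOUNT_ID EXTERNAL_ID
With no arguments it runs against the constructed sample documents below.
"""
import json
import sys

# Constructed sample: the shape a correctly parameterised trust policy has.
# The account id and external id are placeholders, not StrictOps values.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}

# Constructed sample permission policy: broad ECS/ECR rights, PassRole limited
# to task execution roles (the role name pattern is an assumption).
SAMPLE_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:*", "ecr:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::222222222222:role/ecsTaskExecutionRole*"},
    ],
}


def _as_list(value):
    """IAM lets most fields be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, strictops_account_id, external_id):
    """Return findings about who may assume the role; [] means it matches."""
    findings = []
    saw_assume = False
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*") for a in _as_list(stmt.get("Action"))):
            continue
        saw_assume = True
        principal = stmt.get("Principal", {})
        # Principal is either the string "*" or a map such as {"AWS": ...}
        aws_principals = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS"))
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {idx}: Principal '*' lets any AWS account assume the role")
            elif p != strictops_account_id and not p.startswith(f"arn:aws:iam::{strictops_account_id}:"):
                findings.append(f"statement {idx}: unexpected principal {p}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {idx}: no sts:ExternalId condition (confused-deputy risk)")
        elif external_id not in _as_list(ext):
            findings.append(f"statement {idx}: sts:ExternalId {ext!r} does not match the onboarding value")
    if not saw_assume:
        findings.append("no Allow statement for sts:AssumeRole; StrictOps cannot use this role")
    return findings


def audit_permissions(policy):
    """Flag wildcard grants a least-privilege deploy role should not carry."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append(f"statement {idx}: Action '*' grants full access")
        if any(a in ("iam:*", "iam:passrole", "iam:createrole") for a in actions) and "*" in resources:
            findings.append(f"statement {idx}: IAM action on Resource '*' is not scoped to ECS task roles")
    return findings


def main(argv):
    """Run both audits; exit status 1 if anything was flagged."""
    if len(argv) == 5:
        with open(argv[1]) as f:
            trust = json.load(f)
        with open(argv[2]) as f:
            perms = json.load(f)
        account, ext_id = argv[3], argv[4]
    else:  # no files given: audit the constructed samples
        trust, perms = SAMPLE_TRUST_POLICY, SAMPLE_PERMISSIONS_POLICY
        account, ext_id = "111111111111", "example-external-id"
    findings = audit_trust_policy(trust, account, ext_id) + audit_permissions(perms)
    for line in findings:
        print("FAIL:", line)
    print(f"{len(findings)} finding(s)" if findings else "trust policy and permissions look as expected")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The trust-policy check is the one that matters most: a missing sts:ExternalId condition, or a Principal of "*", means any party who learns the Role ARN could ask the StrictOps account (or any account) to assume the role on their behalf, which is exactly what the External ID exists to prevent.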

Troubleshooting

"AWS credentials not configured"

Make sure you've run aws configure or set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.

"Access Denied" errors

Your AWS user/role needs permission to create IAM roles and CloudFormation stacks. Contact your AWS administrator if you don't have these permissions.

Stack already exists

If you've already created the role and need to update it, the script will update the existing stack automatically.


Script Source Code

You can review the scripts before running them:

setup-role.sh (Mac / Linux)

#!/bin/bash
#
# StrictOps IAM Role Setup Script
# Usage: curl -sSL https://raw.githubusercontent.com/.../setup-role.sh | bash -s -- --external-id <ID> --strictops-account <ACCOUNT>
#
 
set -e
 
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
 
# Default values
STACK_NAME="strictops-cross-account-role"
ROLE_NAME="StrictOpsAccess"
REGION="${AWS_DEFAULT_REGION:-us-east-1}"
TEMPLATE_URL="https://raw.githubusercontent.com/strictops/strictops-setup/main/aws/cross-account-role.yaml"
 
# Parse arguments
while [[ $# -gt 0 ]]; do
  case $1 in
    --external-id)
      EXTERNAL_ID="$2"
      shift 2
      ;;
    --strictops-account)
      STRICTOPS_ACCOUNT_ID="$2"
      shift 2
      ;;
    --region)
      REGION="$2"
      shift 2
      ;;
    --role-name)
      ROLE_NAME="$2"
      shift 2
      ;;
    --help)
      echo "Usage: setup-role.sh --external-id <ID> --strictops-account <ACCOUNT> [--region <REGION>] [--role-name <NAME>]"
      exit 0
      ;;
    *)
      echo "Unknown option: $1"
      exit 1
      ;;
  esac
done
 
# Validate required parameters
if [[ -z "$EXTERNAL_ID" ]]; then
  echo -e "${RED}Error: --external-id is required${NC}"
  exit 1
fi
 
if [[ -z "$STRICTOPS_ACCOUNT_ID" ]]; then
  echo -e "${RED}Error: --strictops-account is required${NC}"
  exit 1
fi
 
echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e "${BLUE}  StrictOps IAM Role Setup${NC}"
echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
echo -e "  Region:            ${YELLOW}$REGION${NC}"
echo -e "  Role Name:         ${YELLOW}$ROLE_NAME${NC}"
echo -e "  External ID:       ${YELLOW}$EXTERNAL_ID${NC}"
echo -e "  StrictOps Account: ${YELLOW}$STRICTOPS_ACCOUNT_ID${NC}"
echo ""
 
# Check for AWS CLI
if ! command -v aws &> /dev/null; then
  echo -e "${RED}Error: AWS CLI is not installed${NC}"
  echo "Install it from: https://aws.amazon.com/cli/"
  exit 1
fi
 
# Check AWS credentials
echo -e "${BLUE}[1/3]${NC} Checking AWS credentials..."
if ! aws sts get-caller-identity &> /dev/null; then
  echo -e "${RED}Error: AWS credentials not configured${NC}"
  echo "Run 'aws configure' or set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY"
  exit 1
fi
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
echo -e "      Logged in to AWS account: ${GREEN}$ACCOUNT_ID${NC}"
 
# Download and deploy CloudFormation template
echo -e "${BLUE}[2/3]${NC} Deploying CloudFormation stack..."
echo "      Downloading template from GitHub..."
 
TEMP_FILE=$(mktemp)
curl -sSL "$TEMPLATE_URL" -o "$TEMP_FILE"
 
echo "      Creating/updating stack '$STACK_NAME'..."
aws cloudformation deploy \
  --capabilities CAPABILITY_NAMED_IAM \
  --stack-name "$STACK_NAME" \
  --template-file "$TEMP_FILE" \
  --parameter-overrides \
    RoleName="$ROLE_NAME" \
    ExternalId="$EXTERNAL_ID" \
    StrictOpsAccountId="$STRICTOPS_ACCOUNT_ID" \
  --region "$REGION" \
  --no-fail-on-empty-changeset
 
rm -f "$TEMP_FILE"
echo -e "      Stack deployed ${GREEN}successfully${NC}"
 
# Get the Role ARN
echo -e "${BLUE}[3/3]${NC} Retrieving Role ARN..."
ROLE_ARN=$(aws cloudformation describe-stacks \
  --stack-name "$STACK_NAME" \
  --query "Stacks[0].Outputs[?OutputKey=='StrictOpsRoleArn'].OutputValue | [0]" \
  --output text \
  --region "$REGION")
 
echo ""
echo -e "${GREEN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e "${GREEN}  Setup Complete!${NC}"
echo -e "${GREEN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
echo -e "  Copy this Role ARN and paste it in StrictOps:"
echo ""
echo -e "  ${YELLOW}$ROLE_ARN${NC}"
echo ""

setup-role.ps1 (Windows PowerShell)

#
# StrictOps IAM Role Setup Script (Windows PowerShell)
# Usage: irm https://raw.githubusercontent.com/.../setup-role.ps1 | iex
#        Then run: Setup-StrictOpsRole -ExternalId <ID> -StrictOpsAccountId <ACCOUNT>
#
 
function Setup-StrictOpsRole {
    param(
        [Parameter(Mandatory=$true)]
        [string]$ExternalId,
 
        [Parameter(Mandatory=$true)]
        [string]$StrictOpsAccountId,
 
        [string]$Region = "us-east-1",
 
        [string]$RoleName = "StrictOpsAccess",
 
        [string]$StackName = "strictops-cross-account-role"
    )
 
    $TemplateUrl = "https://raw.githubusercontent.com/strictops/strictops-setup/main/aws/cross-account-role.yaml"
 
    Write-Host ""
    Write-Host "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" -ForegroundColor Blue
    Write-Host "  StrictOps IAM Role Setup" -ForegroundColor Blue
    Write-Host "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" -ForegroundColor Blue
    Write-Host ""
    Write-Host "  Region:            " -NoNewline; Write-Host $Region -ForegroundColor Yellow
    Write-Host "  Role Name:         " -NoNewline; Write-Host $RoleName -ForegroundColor Yellow
    Write-Host "  External ID:       " -NoNewline; Write-Host $ExternalId -ForegroundColor Yellow
    Write-Host "  StrictOps Account: " -NoNewline; Write-Host $StrictOpsAccountId -ForegroundColor Yellow
    Write-Host ""
 
    # Check for AWS CLI
    Write-Host "[1/3]" -ForegroundColor Blue -NoNewline
    Write-Host " Checking AWS credentials..."
 
    try {
        $identity = aws sts get-caller-identity --output json 2>$null | ConvertFrom-Json
        if (-not $identity) {
            throw "Not authenticated"
        }
        Write-Host "      Logged in to AWS account: " -NoNewline
        Write-Host $identity.Account -ForegroundColor Green
    }
    catch {
        Write-Host "Error: AWS credentials not configured" -ForegroundColor Red
        Write-Host "Run 'aws configure' or set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY"
        return
    }
 
    # Download and deploy CloudFormation template
    Write-Host "[2/3]" -ForegroundColor Blue -NoNewline
    Write-Host " Deploying CloudFormation stack..."
    Write-Host "      Downloading template from GitHub..."
 
    $TempFile = [System.IO.Path]::GetTempFileName() + ".yaml"
    try {
        Invoke-WebRequest -Uri $TemplateUrl -OutFile $TempFile -UseBasicParsing
    }
    catch {
        Write-Host "Error: Failed to download template" -ForegroundColor Red
        return
    }
 
    Write-Host "      Creating/updating stack '$StackName'..."
 
    $deployResult = aws cloudformation deploy `
        --capabilities CAPABILITY_NAMED_IAM `
        --stack-name $StackName `
        --template-file $TempFile `
        --parameter-overrides `
            "RoleName=$RoleName" `
            "ExternalId=$ExternalId" `
            "StrictOpsAccountId=$StrictOpsAccountId" `
        --region $Region `
        --no-fail-on-empty-changeset 2>&1
 
    Remove-Item -Path $TempFile -Force -ErrorAction SilentlyContinue
 
    if ($LASTEXITCODE -ne 0) {
        Write-Host "Error: CloudFormation deployment failed" -ForegroundColor Red
        Write-Host $deployResult
        return
    }
 
    Write-Host "      Stack deployed " -NoNewline
    Write-Host "successfully" -ForegroundColor Green
 
    # Get the Role ARN
    Write-Host "[3/3]" -ForegroundColor Blue -NoNewline
    Write-Host " Retrieving Role ARN..."
 
    $RoleArn = aws cloudformation describe-stacks `
        --stack-name $StackName `
        --query "Stacks[0].Outputs[?OutputKey=='StrictOpsRoleArn'].OutputValue | [0]" `
        --output text `
        --region $Region
 
    Write-Host ""
    Write-Host "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" -ForegroundColor Green
    Write-Host "  Setup Complete!" -ForegroundColor Green
    Write-Host "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" -ForegroundColor Green
    Write-Host ""
    Write-Host "  Copy this Role ARN and paste it in StrictOps:"
    Write-Host ""
    Write-Host "  $RoleArn" -ForegroundColor Yellow
    Write-Host ""
 
    # Copy to clipboard
    $RoleArn | Set-Clipboard
    Write-Host "  (Copied to clipboard)" -ForegroundColor DarkGray
    Write-Host ""
}
 
Write-Host "StrictOps setup script loaded. Run:" -ForegroundColor Cyan
Write-Host ""
Write-Host '  Setup-StrictOpsRole -ExternalId "<YOUR_EXTERNAL_ID>" -StrictOpsAccountId "<STRICTOPS_ACCOUNT>"' -ForegroundColor Yellow
Write-Host ""