Connect AWS
Connect AWS when you want DevOps Genie to scan AWS resources and evaluate security and compliance posture.
What you need
- Admin access in DevOps Genie.
- Permission to create or update an IAM role in the AWS account.
- The organization-specific External ID shown in the DevOps Genie UI.
- The AWS role ARN you will paste back into DevOps Genie.
Recommended access pattern
Use an IAM role with read-oriented policies and an External ID condition. DevOps Genie validates the role before saving the connection.
In the product:
- Go to Cloud Accounts > Add Cloud Account.
- Select AWS.
- Copy the External ID shown in the form.
- Create or update the IAM role in AWS using the principal and External ID shown in the product.
- Paste the role ARN into DevOps Genie.
- Click Verify & Connect or Add Account.
Use the exact principal and External ID shown in your DevOps Genie organization. Do not copy account IDs or trust principals from screenshots, examples, or another organization.
Example trust policy shape
The exact values are provided in the DevOps Genie UI.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<DEVOPS_GENIE_PRINCIPAL_FROM_UI>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<EXTERNAL_ID_FROM_UI>"
        }
      }
    }
  ]
}
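To double-check a trust policy before pasting the role ARN, the following added Python example (not DevOps Genie's own code) parses a trust policy document and reports deviations from the shape above: a missing or mismatched sts:ExternalId condition, a wildcard or unexpected principal, or no statement granting sts:AssumeRole. The principal and External ID values in it are constructed placeholders standing in for the ones the UI shows.

```python
import json

# Constructed placeholders standing in for the values the DevOps Genie UI shows.
PRINCIPAL = "arn:aws:iam::111111111111:role/example-scanner-role"
EXTERNAL_ID = "example-external-id-0000"

# Constructed trust policy following the shape documented above.
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": PRINCIPAL}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]})

# Constructed weak variant: same principal, but the External ID condition is missing.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": PRINCIPAL}, "Action": "sts:AssumeRole"}]})

def _as_list(value):
    """IAM accepts a string or a list for Action and Principal.AWS; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def check_trust_policy(policy_json, expected_principal, expected_external_id):
    """Return findings for every Allow statement granting AssumeRole; [] means it matches."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    assume_seen = False
    for i, st in enumerate(statements):
        actions = _as_list(st.get("Action"))
        if st.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*"} & set(actions):
            continue
        assume_seen = True
        principal = st.get("Principal", {})
        aws = _as_list(principal if isinstance(principal, str) else principal.get("AWS"))
        if "*" in aws:
            findings.append(f"statement {i}: wildcard principal")
        elif expected_principal not in aws:
            findings.append(f"statement {i}: principal is not the one shown in the UI")
        ext_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif ext_id != expected_external_id:
            findings.append(f"statement {i}: External ID is not this organization's")
    if not assume_seen:
        findings.append("no Allow statement grants sts:AssumeRole")
    return findings
```

Run it against the trust policy you are about to save; an empty result means the principal and External ID match what you expect and nothing else can assume the role.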
Permissions
Start with read-oriented AWS access that allows DevOps Genie to inspect resource configuration. Many teams begin with AWS managed read-only/security policies and then refine to their internal least-privilege standard.
After connection
DevOps Genie starts an initial scan automatically. Track progress from the notification bell, scan chip, and Security pages.
Troubleshooting
If validation fails:
- Confirm the role ARN is complete and belongs to the intended AWS account.
- Confirm the trust policy uses the External ID from this DevOps Genie organization.
- Confirm your AWS role has enough read access to inspect resources.
- See Cloud Account Validation.