
Configuring AWS Assume Role ARN

This configuration is used for multi-account environments. It involves creating a central Identity User in one account that assumes Target Roles in other accounts.


Step 1: Create the Identity User

First, you need an IAM user that Txture will use to authenticate with AWS via API.

  1. Log on to your primary AWS account and select the IAM service.

  2. Navigate to Users > Create user.

  3. Provide a name (e.g., txture-identity-user).

  4. Ensure Management Console access is not selected. Txture only needs programmatic API access.

  5. Permissions: On the "Set permissions" page, select Attach existing policies directly.

  6. Important: Do NOT attach ReadOnlyAccess here. Instead, click Create policy and paste the following "Assume Role" permission:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::*:role/txture-read-only-role"
    },
    {
      "Effect": "Allow",
      "Action": "organizations:ListAccounts",
      "Resource": "*"
    }
  ]
}

This allows the user to request access to any role named txture-read-only-role in any account of your organization. On its own it grants nothing inside the target accounts: the request only succeeds where the role exists and its trust policy also names this user (see Step 3).

  7. Complete the wizard and create the user.

Step 2: Generate API Credentials

  1. Click on your newly created user.
  2. Navigate to the Security credentials tab.
  3. Locate Access keys and click Create access key.
  4. Select Third-party service and proceed.
  5. Download the .csv file containing the Access Key ID and Secret Access Key. You will need these for the Txture configuration. The secret is shown only once; treat it like a password and do not commit it to source control.

Step 3: Create the Target Role (In Target Accounts)

In every account you want Txture to scan, you must create a Role that "trusts" the user you just created. Use the same role name (txture-read-only-role) in every account, because Txture assumes the role exactly as it is named in the Assume Role ARN.

A. Trust Policy

When creating the role in the Target Account, edit the Trust Relationship to allow the Identity User:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::IDENTITY_ACCOUNT_ID:user/txture-identity-user"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

B. Permissions Policy

Attach the AWS managed policy "ReadOnlyAccess" directly to this Role, or create your own custom policy. Note that ReadOnlyAccess is broad: it includes read access to data (for example s3:Get*), not only to configuration metadata. If that is more than you want Txture to see, write a custom policy restricted to the services Txture scans.

Info:

This is where the actual "reading" happens. The Identity User has the keys, but the Target Role has the eyes.


Step 4: Configure Assume Role in the AWS Datasource (Txture)

After creating the IAM user and credentials, configure the AWS datasource in Txture with your access key, secret key, and assume-role-arn.

Use this format:

arn:aws:iam::ACCOUNT_ID:role/txture-read-only-role

Where ACCOUNT_ID controls account discovery behavior:

  • * (asterisk): Txture resolves all accounts in your AWS Organization via organizations:ListAccounts and then tries to assume the role in each account. Accounts where the role does not exist, or whose trust policy does not name the Identity User, cannot be read.
  • A concrete account ID (for example 123456789012): Txture only uses that single account and does not perform organization-wide account discovery.

Txture generally prefers using *, because this lets you configure a single central AWS service account (Identity User) that can discover and access all allowed target accounts.

Examples:

  • All organization accounts: arn:aws:iam::*:role/txture-read-only-role
  • Single account: arn:aws:iam::123456789012:role/txture-read-only-role

Info:

If you use *, ensure the Identity User policy includes organizations:ListAccounts (as shown in Step 1). This API can only be called from the organization's management account or from a member account that is a delegated administrator, so the Identity User must live in one of those accounts.
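The following script is an added example, not Txture's own code. It puts Steps 1 to 4 together offline: it builds the two policy documents for a given role name, parses the Assume Role ARN to decide between organization-wide discovery and single-account mode, expands the ARN to the concrete role ARNs that would be assumed, and checks the point made in Step 3, namely that a cross-account AssumeRole succeeds only when the Identity User's policy and the Target Role's trust policy both allow it. The account IDs and the organization account list are constructed sample data; the policy evaluator is deliberately simplified (Allow statements only, no Deny, conditions or service control policies) and is not a substitute for IAM's real evaluation.

```python
import fnmatch
import json
import re

# Names taken from the page. The account IDs below are constructed for this example.
ROLE_NAME = "txture-read-only-role"
USER_NAME = "txture-identity-user"
IDENTITY_ACCOUNT_ID = "111111111111"
SAMPLE_ORG_ACCOUNTS = ["111111111111", "222222222222", "333333333333"]

# arn:aws:iam::<12-digit account or *>:role/<role name>
ARN_RE = re.compile(r"^arn:aws:iam::(\*|\d{12}):role/([\w+=,.@-]+)$")


def identity_user_policy(role_name=ROLE_NAME):
    """Step 1: permissions policy for the Identity User. sts:AssumeRole on the
    role name in any account, plus organizations:ListAccounts for discovery."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Resource": f"arn:aws:iam::*:role/{role_name}"},
            {"Effect": "Allow", "Action": "organizations:ListAccounts",
             "Resource": "*"},
        ],
    }


def target_role_trust_policy(identity_account_id, user_name=USER_NAME):
    """Step 3A: trust policy for the Target Role, pinned to one IAM user ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{identity_account_id}:user/{user_name}"},
             "Action": "sts:AssumeRole"},
        ],
    }


def parse_assume_role_arn(arn):
    """Step 4: split the configured Assume Role ARN into account and role name.
    '*' in the account position selects organization-wide discovery."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn!r}")
    account, role = m.groups()
    return {
        "account_id": None if account == "*" else account,
        "role_name": role,
        "discover_accounts": account == "*",
    }


def target_role_arns(arn, org_accounts):
    """Expand the configured ARN to the concrete role ARNs that would be assumed:
    every organization account when '*' is used, otherwise only the one account."""
    parsed = parse_assume_role_arn(arn)
    accounts = org_accounts if parsed["discover_accounts"] else [parsed["account_id"]]
    return [f"arn:aws:iam::{a}:role/{parsed['role_name']}" for a in accounts]


def _as_list(x):
    return x if isinstance(x, list) else [x]


def assume_allowed(identity_policy, trust_policy, user_arn, role_arn):
    """Cross-account AssumeRole needs BOTH sides to allow it:
    1. the user's identity policy allows sts:AssumeRole on the role ARN, and
    2. the role's trust policy names the user ARN as a principal.
    Simplified evaluator: Allow statements only, no Deny/conditions/SCPs."""
    identity_ok = any(
        s.get("Effect") == "Allow"
        and "sts:AssumeRole" in _as_list(s.get("Action", []))
        and any(fnmatch.fnmatchcase(role_arn, r) for r in _as_list(s.get("Resource", [])))
        for s in identity_policy["Statement"]
    )

    def principals(stmt):
        p = stmt.get("Principal")
        return _as_list(p.get("AWS", [])) if isinstance(p, dict) else []

    trust_ok = any(
        s.get("Effect") == "Allow"
        and "sts:AssumeRole" in _as_list(s.get("Action", []))
        and user_arn in principals(s)
        for s in trust_policy["Statement"]
    )
    return identity_ok and trust_ok


if __name__ == "__main__":
    user_arn = f"arn:aws:iam::{IDENTITY_ACCOUNT_ID}:user/{USER_NAME}"
    print(json.dumps(identity_user_policy(), indent=2))
    for role_arn in target_role_arns(f"arn:aws:iam::*:role/{ROLE_NAME}", SAMPLE_ORG_ACCOUNTS):
        ok = assume_allowed(identity_user_policy(),
                            target_role_trust_policy(IDENTITY_ACCOUNT_ID), user_arn, role_arn)
        print(role_arn, "->", "allowed" if ok else "denied")
```

Running it prints the Step 1 policy and one line per organization account. Swapping the trust policy for one that names a different account's user, or pointing the ARN at a role with another name, flips the result to "denied", which is the failure mode you hit when a target account was set up with a mismatched role name or trust relationship.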

Summary of Configuration

  • Identity Account: Contains the IAM User + Access Keys + sts:AssumeRole policy.
  • Target Account(s): Contains the IAM Role + ReadOnlyAccess policy + Trust Relationship.

For single-account setups without AssumeRole, please refer to the Standard User Creation Guide.

Next Step

Return to AWS Main Documentation to complete your setup.