About AWS

Amazon Web Services (AWS) is a public-cloud platform, offering on-demand compute, storage, database, and networking services. Connecting AWS to Serval lets you automate everyday cloud-ops and security workflows—from listing IAM roles to spinning down unused EC2 instances—directly from chat.

What the AWS integration enables

| Capability | Description |
| --- | --- |
| Access Management | Create, update, and manage users and their permissions |
| Automation workflows | Manage resources, create roles, and automate lifecycle management |

AWS configuration (in the AWS console)

Follow these steps to create a cross-account role that Serval can assume. The role’s policies determine exactly which AWS APIs Serval can call.
  1. Open the modal in Serval. In the Serval UI, navigate to Apps → Connect AWS. Leave this window open; it shows the Serval AWS Account ID and External ID you will need shortly.
  2. Create a new IAM role
    In AWS, go to IAM → Roles → Create role and choose Another AWS account as the trusted entity.
    Enter the Account ID shown in Serval, then tick Require external ID and paste the External ID.
  3. Attach policies
    Select AWS-managed or custom policies that grant the actions Serval needs (e.g. IAMReadOnlyAccess).
  4. Finish the role wizard — name the role something memorable and click Create role.
  5. Update the trust policy
    Open the new role → Trust relationships → Edit trust policy and replace the document with the version below (adds the required sts:TagSession action).
In the JSON below, replace <replace-with-your-external-id> (including the angle brackets < and >) with the actual External ID shown in the Serval Connect AWS modal.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::992382851720:root" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": { "sts:ExternalId": "<replace-with-your-external-id>" }
      }
    },
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::992382851720:root" },
      "Action": "sts:TagSession"
    }
  ]
}
  • Here is an example of the updated policy in the UI.
[Screenshot: AWS trust policy JSON in the console]
  6. Copy the Role ARN & Account ID — you will paste these into Serval in the next section.
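
Before the Role ARN is pasted into Serval, the edited trust policy can be checked offline. The script below is an added example, not Serval's or AWS's code: it audits a trust policy document for the shape shown above (only the Serval principal trusted, sts:AssumeRole gated on a filled-in External ID, sts:TagSession allowed). The function names and the sample External ID are made up for illustration, and action wildcards are not expanded.

```python
import json

# Principal taken from the trust policy on this page (root ARN or its bare account-ID form).
SERVAL_PRINCIPALS = {"arn:aws:iam::992382851720:root", "992382851720"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(document):
    """Return a list of findings; an empty list means the policy has the shape shown above."""
    findings, granted = [], set()
    for i, stmt in enumerate(_as_list(json.loads(document).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Principal is either the bare string "*" or a mapping such as {"AWS": ...}.
        items = principal.items() if isinstance(principal, dict) else [("*", principal)]
        unexpected = [p for kind, value in items for p in _as_list(value)
                      if kind != "AWS" or p not in SERVAL_PRINCIPALS]
        if unexpected:
            findings.append(f"statement {i}: unexpected principal {unexpected}")
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if "sts:assumerole" in actions:
            ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
            if not isinstance(ext, str) or not ext.strip():
                findings.append(f"statement {i}: sts:AssumeRole without sts:ExternalId")
            elif ext.startswith("<") or ext.endswith(">"):
                findings.append(f"statement {i}: External ID placeholder not replaced")
        granted |= actions
    findings += [f"no Allow for {a}" for a in ("sts:assumerole", "sts:tagsession")
                 if a not in granted]
    return findings

def sample_policy(external_id, principal="arn:aws:iam::992382851720:root"):
    """Constructed sample: the page's policy with the given External ID and principal."""
    assume = {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}
    if external_id is not None:
        assume["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    tag = {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:TagSession"}
    return json.dumps({"Version": "2012-10-17", "Statement": [assume, tag]})

if __name__ == "__main__":
    for label, doc in [("filled in", sample_policy("constructed-external-id-1234")),
                       ("template as pasted", sample_policy("<replace-with-your-external-id>")),
                       ("no external ID", sample_policy(None))]:
        print(label, "->", audit_trust_policy(doc) or "OK")
```

To check a real role, pass the JSON copied from Trust relationships → Edit trust policy to `audit_trust_policy`.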

Serval Configuration

  1. Return to the Connect AWS modal in Serval.
  2. Enter your AWS Account ID, a display name for the account (e.g. “Production” or “Sandbox”), and the Role ARN of the role you just created, then click Submit.
The Your AWS Account Name field is a human-readable label used to identify this AWS account within Serval. It does not affect the integration — you can enter any name that helps you distinguish between accounts.
Your AWS account is now connected—try running the List IAM Roles workflow to verify connectivity.
After connecting AWS, the resource sync will only discover roles that have been tagged with a serval tag. To tag roles for ingestion and set up temporary access provisioning, follow the AWS Role Access guide.

Next steps

To allow users to request temporary access to specific AWS roles through Serval, see Configure AWS roles for temporary access.