AWS Setup

Set up IAM access for Yaffle

Create one IAM role in your AWS account, then paste that role ARN in Yaffle.

Quick start

1. In Yaffle, open AWS Connection Setup and copy Step 1 values:

   • Yaffle principal ARN
   • External ID
   • Suggested role name (editable)

2. Create the IAM role in AWS using one method:

   • Terraform (Recommended)
   • CloudFormation
   • AWS CLI

3. Copy the resulting role ARN from your method output.

4. Paste role ARN in Yaffle Step 3 and save the connection.

---

Step 2. Set up IAM access for Yaffle

Terraform (Recommended)

Use a small local-state bootstrap stack for first-time setup.

Create yaffle-bootstrap.tf:

yaffle-bootstrap.tf

module "yaffle_bootstrap" {
  source = "git::https://github.com/yaffle-dot-dev/yaffle.git//infra_modules/public/bootstrap-yaffle/aws?ref=main"

  yaffle_principal_arn = "<paste-from-yaffle-step-1>"
  external_id          = "<paste-from-yaffle-step-1>"
  role_name            = "<paste-or-customize-role-name>"
  environment          = "main"
}

output "yaffle_role_arn" {
  value = module.yaffle_bootstrap.role_arn
}

Apply:

tofu init
tofu apply

This bootstrap is intentionally local-state oriented. You can move/import into your long-lived state management later if desired.

Get role ARN:

tofu output -raw yaffle_role_arn

CloudFormation

Create yaffle-bootstrap.yaml:

yaffle-bootstrap.yaml

AWSTemplateFormatVersion: "2010-09-09"
Description: "Yaffle bootstrap role"

Parameters:
  YafflePrincipalArn:
    Type: String
  ExternalId:
    Type: String
  RoleName:
    Type: String

Resources:
  YaffleRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref YafflePrincipalArn
            Action: "sts:AssumeRole"
            Condition:
              StringEquals:
                "sts:ExternalId": !Ref ExternalId

  YaffleAdminAccess:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: "Default broad permissions for Yaffle"
      Roles:
        - !Ref YaffleRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: "*"
            Resource: "*"

Outputs:
  RoleArn:
    Value: !GetAtt YaffleRole.Arn

Deploy:

aws cloudformation deploy \
  --stack-name yaffle-bootstrap \
  --template-file yaffle-bootstrap.yaml \
  --parameter-overrides \
    YafflePrincipalArn=<paste-from-yaffle-step-1> \
    ExternalId=<paste-from-yaffle-step-1> \
    RoleName=<paste-or-customize-role-name>

Get role ARN:

aws cloudformation describe-stacks \
  --stack-name yaffle-bootstrap \
  --query "Stacks[0].Outputs[?OutputKey=='RoleArn'].OutputValue" \
  --output text

AWS CLI

Create trust policy and role:

cat > trust-policy.json <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<paste-yaffle-principal-arn>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<paste-external-id>"
        }
      }
    }
  ]
}
EOF

aws iam create-role \
  --role-name <paste-or-customize-role-name> \
  --assume-role-policy-document file://trust-policy.json

aws iam attach-role-policy \
  --role-name <paste-or-customize-role-name> \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Get role ARN:

aws iam get-role \
  --role-name <paste-or-customize-role-name> \
  --query 'Role.Arn' \
  --output text

---

What gets created

Default bootstrap creates one role with:

• Trust policy for your Yaffle principal ARN
• Required ExternalId condition
• AdministratorAccess permissions

Tip

This default is intentional for a fast, reliable Terraform runner setup.

Optional policy customization

If your org requires least privilege, you can customize policy attachments. Keep in mind Yaffle still needs all permissions required by your Terraform resources.