Connect
1
Launch the CloudFormation stack
In Settings → Integrations → Amazon Web Services, click Connect.
This opens a CloudFormation quick-create page in your AWS console. Click
Create stack — it takes about 30 seconds.
2
Paste the Role ARN
Copy the Role ARN from the stack’s Outputs tab, paste it back into
Twill, and click Verify & Connect.
How access works
- The role carries AWS’s managed ReadOnlyAccess policy (
List*,Describe*,Get*) — no write, modify, or delete permissions. - Its trust policy is scoped to Twill’s account plus a unique external ID, so only your workspace can assume it.
- At task time, Twill calls
sts:AssumeRoleand injects temporary credentials (AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AWS_SESSION_TOKEN) into the sandbox. They expire after 1 hour. - Every assumption shows up in your CloudTrail, so access is fully auditable.