Setup

Make sure your GitHub App is connected and your connected repos are accessible. See the Quickstart.
  1. Go to Settings → Integrations → Amazon Web Services and click Connect
  2. A CloudFormation quick-create page opens in a new tab — review the stack and click Create stack
  3. Wait for the stack to finish creating (~30 seconds), then copy the Role ARN from the Outputs tab
  4. Paste the Role ARN back into Twill and click Verify & Connect
Once connected, Twill can access your AWS resources in read-only mode when investigating issues or working on tasks.

How It Works

The AWS integration uses a cross-account IAM role with an external ID — the industry-standard pattern for granting third-party services secure, scoped access to your AWS account. When you connect, Twill creates a CloudFormation stack in your account that provisions an IAM role with:
  • The ReadOnlyAccess AWS managed policy (List*, Describe*, Get* across all services)
  • A trust policy that only allows Twill to assume the role using a unique external ID
  • No write, modify, or delete permissions
When an agent runs, Twill calls sts:AssumeRole to obtain short-lived temporary credentials that are injected into the sandbox as standard AWS environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN). The AWS CLI and all AWS SDKs recognize these natively.

Security

  • No long-lived credentials: Twill never stores AWS access keys. Temporary credentials are generated per agent run and expire after 1 hour.
  • External ID: Prevents confused deputy attacks — only Twill can assume the role using the unique external ID generated during setup.
  • Customer control: You own the IAM role in your account. You can modify its permissions, add conditions, or delete it at any time.
  • Audit trail: All AssumeRole calls appear in your AWS CloudTrail logs.
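The external ID protection above depends on the role's trust policy carrying an exact-match sts:ExternalId condition, so it is worth re-checking after any manual edit to the role. The following is an added example, not Twill's code, that audits a trust policy document for that condition and for principals outside the expected account; the function name, the account ID 111122223333 and the external ID value are constructed placeholders.

```python
import json

def _as_list(value):
    # IAM accepts either a single string or a list in these fields.
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, expected_account, expected_external_id):
    """Return findings for a role trust policy; an empty list means it passed."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        grants_assume = bool(actions & {"sts:assumerole", "sts:*", "*"})
        if stmt.get("Effect") != "Allow" or not grants_assume:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}
        for kind, values in principal.items():
            for p in _as_list(values):
                if kind != "AWS":
                    findings.append(f"stmt {i}: unexpected {kind} principal {p}")
                elif p != expected_account and f":{expected_account}:" not in p:
                    findings.append(f"stmt {i}: principal {p} is outside account {expected_account}")
        # Condition keys are case-insensitive; only StringEquals pins one exact value.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        equals = {k.lower(): v for k, v in equals.items()}
        external_ids = _as_list(equals.get("sts:externalid", []))
        if not external_ids:
            findings.append(f"stmt {i}: no sts:ExternalId condition (confused deputy risk)")
        elif external_ids != [expected_external_id]:
            findings.append(f"stmt {i}: sts:ExternalId does not match the expected value")
    return findings

# Constructed samples: account ID and external ID are placeholders, not Twill's values.
VENDOR_ACCOUNT = "111122223333"
EXTERNAL_ID = "example-external-id"

WEAK = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "sts:AssumeRole"}]}""")

SCOPED = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}""")

if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("scoped", SCOPED)):
        print(name, audit_trust_policy(doc, VENDOR_ACCOUNT, EXTERNAL_ID) or "OK")
```

To run it against the real role, feed it the document returned by `aws iam get-role --role-name <role-name> --query Role.AssumeRolePolicyDocument`, using the role name from the stack's Outputs tab.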

Disconnect

To disconnect AWS, go to Settings → Integrations → Amazon Web Services and click Disconnect. You can also delete the CloudFormation stack from your AWS account to remove the IAM role entirely.