Skip to main content
The AWS integration lets agents read your AWS resources, logs, and service metadata while debugging. Access is strictly read-only and uses a cross-account IAM role — Twill never stores AWS keys.

Connect

1

Launch the CloudFormation stack

In Settings → Integrations → Amazon Web Services, click Connect. This opens a CloudFormation quick-create page in your AWS console. Click Create stack — it takes about 30 seconds.
2

Paste the Role ARN

Copy the Role ARN from the stack’s Outputs tab, paste it back into Twill, and click Verify & Connect.

How access works

  • The role carries AWS’s managed ReadOnlyAccess policy (List*, Describe*, Get*) — no write, modify, or delete permissions.
  • Its trust policy is scoped to Twill’s account plus a unique external ID, so only your workspace can assume it.
  • At task time, Twill calls sts:AssumeRole and injects temporary credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN) into the sandbox. They expire after 1 hour.
  • Every assumption shows up in your CloudTrail, so access is fully auditable.

Disconnect

Disconnect in Twill’s settings, then delete the CloudFormation stack in AWS to remove the role entirely.