Setup
- Go to Settings → Integrations → Amazon Web Services and click Connect
- A CloudFormation quick-create page opens in a new tab — review the stack and click Create stack
- Wait for the stack to finish creating (~30 seconds), then copy the Role ARN from the Outputs tab
- Paste the Role ARN back into Twill and click Verify & Connect
How It Works
The AWS integration uses a cross-account IAM role with an external ID — the industry-standard pattern for granting third-party services secure, scoped access to your AWS account. When you connect, Twill creates a CloudFormation stack in your account that provisions an IAM role with:
- The ReadOnlyAccess AWS managed policy (List*, Describe*, Get* across all services)
- A trust policy that only allows Twill to assume the role using a unique external ID
- No write, modify, or delete permissions
For each agent run, Twill calls sts:AssumeRole to obtain short-lived temporary credentials, which are injected into the sandbox as the standard AWS environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN). The AWS CLI and all AWS SDKs pick these up natively.
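As an added check that is not part of Twill's own code, the following Python snippet validates a role trust policy document against the pattern described above (a single trusted account, sts:AssumeRole only, and an sts:ExternalId condition), and flags the weak variant that omits the external ID. The account ID and external ID in it are placeholders, not Twill's real values.

```python
# Constructed placeholder values: not Twill's real account ID or external ID.
TRUSTED_ACCOUNT = "123456789012"
EXTERNAL_ID = "placeholder-external-id"

# Trust policy shaped as the page describes: one trusted principal, sts:AssumeRole only,
# and an sts:ExternalId condition (constructed, not copied from the real stack).
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{TRUSTED_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Weak variant (constructed): same principal, but the external-ID condition is missing.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{TRUSTED_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }],
}


def trust_policy_findings(policy, trusted_account, external_id):
    """Return problems found in a role trust policy; [] means it matches the pattern."""
    findings = []
    allow = [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]
    if not allow:
        findings.append("no Allow statement: nobody can assume the role")
    for stmt in allow:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a != "sts:AssumeRole" for a in actions):
            findings.append(f"unexpected actions in trust policy: {actions}")
        principal = stmt.get("Principal", {})
        aws_principal = principal.get("AWS", "") if isinstance(principal, dict) else principal
        if aws_principal == "*" or trusted_account not in str(aws_principal):
            findings.append(f"principal not restricted to account {trusted_account}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("missing sts:ExternalId condition (confused-deputy risk)")
        elif ext != external_id:
            findings.append("sts:ExternalId does not match the one generated at setup")
    return findings
```

To check the role the stack actually created, pass in the AssumeRolePolicyDocument returned by the IAM GetRole API for that role.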
Security
- No long-lived credentials: Twill never stores AWS access keys. Temporary credentials are generated per agent run and expire after 1 hour.
- External ID: Prevents confused deputy attacks — only Twill can assume the role using the unique external ID generated during setup.
- Customer control: You own the IAM role in your account. You can modify its permissions, add conditions, or delete it at any time.
- Audit trail: All AssumeRole calls appear in your AWS CloudTrail logs.