
Log in to FlakeHub with AWS STS

Use AWS Identity and Access Management (IAM) to log in to a FlakeHub organization and access private flakes and artifacts without managing tokens.

Security considerations

Authenticating to FlakeHub with AWS Security Token Service (STS) currently grants read-only access to all sources and artifacts in the associated FlakeHub organization. FlakeHub only needs the Amazon Resource Name (ARN) of the identity, since authentication relies on the GetCallerIdentity operation; no other AWS permissions are involved.

Setup

  1. First, create an IAM role in your AWS account. This role does not need any permissions.
  2. Attach the role to your EC2 instance.
  3. Register the assumed role ARN, which looks like arn:aws:iam::${AccountId}:assumed-role/${RoleName}/i-* for EC2 instances, under the ARNs section of your FlakeHub Organization’s settings.
  4. Install or restart Determinate on your instance.

After you run determinate-nixd login aws, Determinate is authenticated with FlakeHub using the bound ARN.
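The binding in step 3 is the whole access control: whatever ARN patterns you register decide which AWS identities can read the organization's private flakes. The script below is an added example (not FlakeHub's or Determinate's own code) that shows how a registered pattern such as arn:aws:iam::${AccountId}:assumed-role/${RoleName}/i-* is checked against a caller ARN, and flags patterns that are broader than one role in one account. The GetCallerIdentity response, the account ID, and the role name flakehub-reader are constructed sample values; how FlakeHub itself performs the match is an assumption.

```python
import json
import re

# Constructed sample of a GetCallerIdentity response for an EC2 instance role
# session. The ARN follows the assumed-role format shown in the setup steps.
SAMPLE_CALLER_IDENTITY = json.dumps({
    "UserId": "AROAEXAMPLEID:i-0123456789abcdef0",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:assumed-role/flakehub-reader/i-0123456789abcdef0",
})

# Hypothetical patterns registered under the organization's ARNs setting.
REGISTERED_ARNS = [
    "arn:aws:iam::123456789012:assumed-role/flakehub-reader/i-*",
]


def arn_pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a registered ARN into an anchored regex.

    '*' is the only wildcard and it never crosses a '/' or ':' boundary, so
    'flakehub-reader/i-*' matches any EC2 session name of that role but not
    a different role or an extra path segment."""
    escaped = re.escape(pattern).replace(r"\*", r"[^/:]*")
    return re.compile(escaped)


def arn_matches(caller_arn: str, pattern: str) -> bool:
    """True when the caller ARN is fully covered by the registered pattern."""
    return arn_pattern_to_regex(pattern).fullmatch(caller_arn) is not None


def check_caller_identity(response_json: str, registered: list) -> dict:
    """Parse a GetCallerIdentity response and report which registered
    patterns the caller ARN matches (an empty list means no access)."""
    ident = json.loads(response_json)
    arn = ident["Arn"]
    return {
        "arn": arn,
        "account": ident["Account"],
        "matched": [p for p in registered if arn_matches(arn, p)],
    }


def broad_pattern_warnings(pattern: str) -> list:
    """Flag registered patterns that bind more than one EC2 role.

    ARN layout: arn:partition:service:region:account:resource, where the
    resource is assumed-role/<RoleName>/<SessionName>."""
    warnings = []
    fields = pattern.split(":", 5)
    if len(fields) != 6:
        return ["not a six-field ARN"]
    account, resource = fields[4], fields[5]
    if "*" in account:
        warnings.append("wildcard in account ID binds identities from any AWS account")
    resource_parts = resource.split("/")
    if len(resource_parts) != 3 or resource_parts[0] != "assumed-role":
        warnings.append("resource is not assumed-role/<RoleName>/<SessionName>")
    elif "*" in resource_parts[1]:
        warnings.append("wildcard in role name binds every role in the account")
    return warnings


if __name__ == "__main__":
    print(check_caller_identity(SAMPLE_CALLER_IDENTITY, REGISTERED_ARNS))
    for p in REGISTERED_ARNS:
        print(p, broad_pattern_warnings(p))
```

Run it against the output of aws sts get-caller-identity on the instance (the JSON shape is the same as the constructed sample) to confirm the session ARN lands inside the pattern you registered, and run broad_pattern_warnings over every pattern before saving it in the organization settings.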