AWS
Cendriix deploys and operates workloads in your AWS account, not its own. This is the bring-your-own-cloud model: you keep ownership of compute, networking, and data. This guide covers connecting an AWS account.
Bring your own cloud
When you connect AWS, Cendriix is granted a cross-account IAM role it assumes to act on your behalf. Nothing runs in a Cendriix-owned account, your data never leaves your boundary, your bill comes from AWS directly, and revoking the role instantly removes all access.
Connect via CloudFormation
The recommended path is the one-click CloudFormation stack. It provisions the cross-account role with the correct trust policy and a scoped permission set.
```shell
cendriix workspace cloud connect \
  --provider aws \
  --method cloudformation \
  --region us-east-1
```

This opens a CloudFormation quick-create link in your browser. Review the template, then create the stack; provisioning takes roughly 90 seconds. When the stack reaches CREATE_COMPLETE, the connector turns active automatically.
iam:PassRole so the orchestrator can launch tasks under roles you define. Review the published template at https://cendriix.ai/cfn/orchestrator-role.yaml before deploying it into a production account.

Connect via manual IAM role
If your organisation does not allow CloudFormation quick-create, create the role manually. Cendriix gives you the trust policy and an external ID; you create the role and supply its ARN back to the connector.
```shell
# 1. Get the trust policy and external ID for your workspace
cendriix workspace cloud trust-policy --provider aws

# 2. Create the role in AWS with that trust policy, then:
cendriix workspace cloud connect \
  --provider aws --method manual \
  --role-arn arn:aws:iam::123456789012:role/CendriixOrchestratorRole
```

What permissions are granted
The role grants only what the orchestrator needs to build, deploy, and operate application workloads. It is scoped to deployment and observability services and deliberately excludes destructive account-level operations.
| Area | Description |
|---|---|
| compute | ECS, Lambda, and EC2: create and update services, functions, and instances. |
| storage | S3 and DynamoDB: read and write application data and artefacts. |
| observability | CloudWatch logs and metrics: read telemetry to confirm a deploy is healthy. |
| excluded | IAM user management, billing, and Organizations are not granted. The role cannot escalate its own privileges. |
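Two things are worth verifying on the role before you hand its ARN back to the connector (manual path) or after the stack reaches CREATE_COMPLETE (CloudFormation path): that the trust policy restricts assumption to one orchestrator principal and carries the sts:ExternalId condition for your workspace, and that the permission policy contains nothing from the excluded row of the table above. The script below is an added example, not Cendriix's own tooling or its published template; the policy documents it inspects are constructed samples, and the account IDs and external ID in them are placeholders. In practice you would feed it the documents returned by `aws iam get-role` and `aws iam get-role-policy`.

```python
"""Offline checks on a cross-account connector role (added example, not Cendriix code)."""
import json
from fnmatch import fnmatchcase

# Constructed sample trust policy. The sts:ExternalId condition ties the role to
# one workspace, so a different tenant of the orchestrator cannot assume it
# (the confused-deputy problem). Account ID and external ID are placeholders.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "ws-EXAMPLE-external-id"}},
    }],
})

# Constructed sample of the same trust policy with the external-ID condition dropped.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed sample permission policy: a scoped deployment statement plus a
# second statement that should never appear on a deployment role.
SAMPLE_PERMISSION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ecs:*", "lambda:*", "s3:GetObject", "s3:PutObject",
                    "logs:GetLogEvents", "iam:PassRole"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:CreateUser", "organizations:*"],
         "Resource": "*"},
    ],
})

# Representative actions from the excluded areas (IAM user management, billing,
# Organizations). An allowed action pattern is flagged if it would grant any of them.
EXCLUDED_ACTIONS = (
    "iam:CreateUser", "iam:CreateAccessKey", "iam:AttachUserPolicy",
    "aws-portal:ViewBilling", "organizations:DescribeOrganization",
)


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc_json, expected_principal_account, expected_external_id):
    """Return a list of findings; an empty list means the trust policy is as expected."""
    doc = json.loads(doc_json)
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        for principal in _as_list(stmt.get("Principal", {}).get("AWS")):
            if principal == "*" or expected_principal_account not in principal:
                findings.append("unexpected principal: " + principal)
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            findings.append("no sts:ExternalId condition")
        elif external_id != expected_external_id:
            findings.append("external ID does not match workspace")
    return findings


def find_excluded_actions(doc_json):
    """Return the sorted Allow action patterns that would grant an excluded action.

    Only Allow statements with an Action field are inspected; NotAction and Deny
    statements are ignored in this simplified check. Wildcards such as "*" or
    "iam:*" are expanded by glob matching against EXCLUDED_ACTIONS.
    """
    doc = json.loads(doc_json)
    flagged = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            if any(fnmatchcase(excluded.lower(), pattern.lower()) for excluded in EXCLUDED_ACTIONS):
                flagged.add(pattern)
    return sorted(flagged)


if __name__ == "__main__":
    print("trust policy findings:", check_trust_policy(
        SAMPLE_TRUST_POLICY, "111111111111", "ws-EXAMPLE-external-id"))
    print("weak trust policy findings:", check_trust_policy(
        WEAK_TRUST_POLICY, "111111111111", "ws-EXAMPLE-external-id"))
    print("excluded actions granted:", find_excluded_actions(SAMPLE_PERMISSION_POLICY))
```

The glob match deliberately runs in the direction of "would this allowed pattern grant an excluded action", so a bare `*` or `iam:*` is caught rather than only exact action names; `iam:PassRole`, which the template legitimately requests, is not flagged because it matches none of the excluded actions.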
Regions
The connector is bound to a primary region. To operate in multiple regions, connect the account once per region; each connection is a separate role assumption, so a misconfiguration in one region cannot affect another.
Disconnecting
Disconnecting is immediate and complete. Deleting the CloudFormation stack (or the manual role) revokes access at the AWS layer; running `cendriix workspace cloud disconnect` also removes the stored connector record. Either action alone is sufficient to cut off access.