Deploy the CampusCore IAM Role

This is the one manual AWS step on your side of onboarding. You deploy a small CloudFormation template we provide, which creates a single scoped IAM role that lets CampusCore deploy the application into your account - and nothing more. It takes about 10 minutes, and you can review every permission before you run it.

Before you start

  • Access to your AWS account with permission to create CloudFormation stacks and IAM roles.
  • The template file deploy-role.yaml and the CampusCore admin role ARN - both provided by your CampusCore contact.

You can do this in the AWS Console or with the AWS CLI - pick whichever you prefer.

Option A: AWS Console

  1. Open CloudFormation > Create stack > With new resources.
  2. Under Specify template, upload the deploy-role.yaml file we gave you.
  3. Give the stack a name, for example CampusCore-Deploy-Role.
  4. When prompted for parameters, paste the CampusCore admin role ARN we provided.
  5. Acknowledge that the stack creates IAM resources, and create the stack.
  6. When the stack status is CREATE_COMPLETE, open its Outputs tab and copy the DeployRoleArn value.

Option B: AWS CLI

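Run this, replacing <campuscore-admin-role-arn> with the ARN we gave you and <your-aws-profile> with your AWS CLI profile. The --template-file path is relative to your current directory, so adjust it if you saved deploy-role.yaml somewhere else: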

aws cloudformation deploy \
  --template-file infrastructure/deploy-roles/deploy-role.yaml \
  --stack-name CampusCore-Deploy-Role \
  --parameter-overrides CampusCoreAdminRoleArn=<campuscore-admin-role-arn> \
  --capabilities CAPABILITY_NAMED_IAM \
  --no-fail-on-empty-changeset \
  --profile <your-aws-profile>

Then read back the created role's ARN:

aws cloudformation describe-stacks \
  --stack-name CampusCore-Deploy-Role \
  --query 'Stacks[0].Outputs[?OutputKey==`DeployRoleArn`].OutputValue' \
  --output text \
  --profile <your-aws-profile>

Send us the role ARN

Share the DeployRoleArn value with your CampusCore contact. That is the last thing we need to run your first deployment.

What this role can and can't do

The role grants only the permissions needed to provision and run CampusCore in your account - container services (ECS/ECR), the database (RDS), storage (S3), the queue (SQS), networking, load balancing, certificates, logging, and the parameters those services read. It does not grant access to anything else in your account, and everything it creates lives in your account under your control. You can read the exact policy in deploy-role.yaml before deploying.
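Permissions are half of the review; the other half is who is allowed to assume the role. The following is an added example, not part of the CampusCore template or tooling: a small Python check that a role trust policy trusts exactly one principal. It assumes the template uses the CampusCoreAdminRoleArn parameter as the role's trusted principal (the page does not show the template), and the ARNs and both sample policies are constructed.

```python
import json
import sys

EXPECTED = "arn:aws:iam::111111111111:role/ExampleAdminRole"  # constructed placeholder ARN
GOOD = {"Version": "2012-10-17", "Statement": {  # constructed sample: one trusted role
    "Effect": "Allow", "Principal": {"AWS": EXPECTED}, "Action": "sts:AssumeRole"}}
BAD = {"Version": "2012-10-17", "Statement": [  # constructed sample: over-broad trust
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": [EXPECTED, "arn:aws:iam::222222222222:root"]}},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": "*"}]}


def _as_list(value):
    """IAM accepts either a single item or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_findings(policy, expected_arn):
    """Return problems found in a trust policy; an empty list means it is as expected."""
    findings, seen_expected = [], False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen who may assume the role
        if "NotPrincipal" in stmt:
            findings.append("Allow + NotPrincipal trusts everyone except the listed principals")
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append("wildcard principal: anyone may assume the role")
            continue
        for kind, values in (principal or {}).items():
            for value in _as_list(values):
                if kind == "AWS" and value == expected_arn:
                    seen_expected = True
                else:
                    findings.append(f"unexpected {kind} principal: {value}")
    if not seen_expected:
        findings.append(f"expected principal is not trusted: {expected_arn}")
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py trust-policy.json <expected-arn>
        with open(sys.argv[1]) as fh:
            print(trust_findings(json.load(fh), sys.argv[2]) or "trust policy OK")
    else:
        for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
            print(name, trust_findings(doc, EXPECTED) or "OK")
```

To run it against the deployed role, save the output of aws iam get-role --role-name <deploy-role-name> --query 'Role.AssumeRolePolicyDocument' --output json to a file and pass that file and the CampusCore admin role ARN as the two arguments. The role name is the last path segment of the DeployRoleArn value.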

After this one-time setup, the role updates itself automatically on future deployments, so you never have to repeat these steps.