Customer Onboarding

1 Grant Cross-Account Access

The customer must create an IAM role in their account that trusts the platform account. This is a one-time setup.

Why is this needed? The platform's Provisioner Lambda uses STS AssumeRole to deploy resources into the customer account. AWS requires an IAM trust relationship for this — Bindle/Conduit permissions alone don't provide machine-to-machine credentials.

Prerequisite: Access the Customer Account

Log into the customer account via the Conduit Access Portal:

https://iad.merlon.amazon.dev/account/aws//sdo

From there, click Console Access to open the AWS Console, or use the CLI credentials section to get temporary credentials.

Option A: One-Click CloudFormation (from AWS Console)

After logging into the customer account console via Conduit, click this link to create the onboarding stack:

Click Create stack in the console. Stack creation takes ~30 seconds and creates the role MetisPlatformProvisionerRole trusting account 843392124510.

Option B: CLI

Run each command separately in your terminal (do NOT paste as a block):

ada credentials update --account --role IibsAdminAccess-DO-NOT-DELETE --provider conduit --once

Then deploy the onboarding stack:

aws cloudformation create-stack --stack-name MetisPlatformOnboarding --template-url https://.s3.amazonaws.com/templates/onboarding-role.yaml --capabilities CAPABILITY_NAMED_IAM --region us-east-1
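After the stack completes, it is worth confirming that the new role's trust policy trusts only the platform account and nothing wider. The check below is an added example, not the onboarding-role.yaml template: the two trust-policy documents are constructed, and the ALLOWED_ACTIONS allow-list and the requirement for an sts:ExternalId condition are assumptions (the page requires an external ID for the Conduit role, not explicitly for this one). The live document can be pulled with `aws iam get-role --role-name MetisPlatformProvisionerRole` and passed in as `doc`.

```python
PLATFORM_ACCOUNT = "843392124510"      # platform account ID, from the page
ALLOWED_ACTIONS = {"sts:AssumeRole", "sts:TagSession"}  # assumed allow-list

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_accounts(principal):
    """Account IDs named by a Principal element ('*' means any account)."""
    if principal == "*":
        return {"*"}
    accounts = set()
    for arn in _as_list(principal.get("AWS", [])):
        parts = arn.split(":")          # arn:aws:iam::<account>:root
        accounts.add(parts[4] if len(parts) > 4 else arn)
    return accounts

def check_trust_policy(doc, platform_account=PLATFORM_ACCOUNT):
    """Return findings for every Allow statement; an empty list means OK."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        extra = set(_as_list(stmt.get("Action", []))) - ALLOWED_ACTIONS
        if extra:
            findings.append(f"unexpected actions: {sorted(extra)}")
        accounts = _principal_accounts(stmt.get("Principal", {}))
        if "*" in accounts:
            findings.append("wildcard principal: any AWS account could assume the role")
        elif accounts != {platform_account}:
            findings.append(f"trusts {sorted(accounts)}, expected only {platform_account}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            findings.append("no sts:ExternalId condition (confused-deputy guard)")
    return findings

# Constructed sample trust policies (not from the real onboarding template).
GOOD_TRUST_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PLATFORM_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
}
WEAK_TRUST_POLICY = {
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
}
```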

🔧 Troubleshooting

❌ "is not authorized to assume role ConduitAccessClientRole-DO-NOT-DELETE"

Cause: The role ConduitAccessClientRole-DO-NOT-DELETE either doesn't exist in the account or you don't have CanAssume permission.

Fix: Use IibsAdminAccess-DO-NOT-DELETE instead (most SDO accounts have this):

ada credentials update --account {ACCT} --role IibsAdminAccess-DO-NOT-DELETE --provider conduit

If you specifically need ConduitAccessClientRole, see "Role doesn't exist" below.

❌ "Check Bindles 'CanAssume' role permissions"

Cause: You have the role name correct but lack Bindle permission to assume it.

Fix:

  1. Open the Conduit portal for this account
  2. Go to IAM Roles & Users tab
  3. Find your role → click Manage IAM Role → Add to Bindle
  4. In the Bindle → Permissions → Add yourself → select Conduit IAM Role Permissions → check Can assume Conduit IAM Role
  5. Wait ~1 minute for propagation

Ref: Conduit IAM Guide

❌ Role doesn't exist in the account (no roles listed in IAM Roles tab)

Cause: Older Conduit accounts may only have IibsAdminAccess-DO-NOT-DELETE, not ConduitAccessClientRole-DO-NOT-DELETE.

To create the role manually:

  1. Log into the account via Console Access from the Conduit portal
  2. Navigate to IAM → Roles → Create Role
  3. Choose Another AWS Account, enter account ID 726756523438 (Conduit broker)
  4. Check Require external ID, enter ConduitAccessExtId-{YOUR_ACCOUNT_ID}
  5. Skip policy selection → Name it ConduitAccessClientRole-DO-NOT-DELETE
  6. After creation, add an inline policy: {"Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}
  7. Go back to the Conduit portal → IAM Roles & Users → search for the role → Add to Bindle

Or use the CloudFormation template (simpler). Ref: Register Account Wiki

❌ "ADA would previously fall back to IibsAdminAccess-DO-NOT-DELETE... this functionality has been removed"

Cause: ADA no longer auto-falls back to the admin role. You must specify a valid role explicitly.

Fix: Use the role you actually have access to:

ada credentials update --account {ACCT} --role IibsAdminAccess-DO-NOT-DELETE --provider conduit

Check available roles on the Conduit portal → IAM Roles & Users tab.

â„šī¸ Which role should I use?
Role Permission Needed Notes
IibsAdminAccess-DO-NOT-DELETE Can administer Conduit AWS Account Most common. Full admin. Present on all SDO accounts.
ConduitAccessClientRole-DO-NOT-DELETE Can assume Conduit IAM Role Newer accounts only. Must be registered in Bindle first.
Custom role Can assume Conduit IAM Role Must create, register in Conduit, add to Bindle, grant CanAssume.

2 Deploy Customer Stack

Once the role exists, click Deploy to create the telemetry pipeline in the customer account.

What gets deployed: S3 ingress bucket, S3 output bucket, SQS manifest queue + DLQ, EventBridge trigger rule, DynamoDB file tracking table, cross-account EventBridge rule (status → platform).

Fleet Overview

Account Team Region Status Deployed