This guide explains the IAM permissions and how to handle them on the AWS side from the customer perspective when using a CloudFormation template for role creation.
How IPXO BYOIP Authentication Works
What Happens When You Use the QuickFormation URL?
When you click the QuickFormation URL we provide, you're creating a secure bridge between your AWS account and IPXO's services. Think of it like giving IPXO a special key that only works for specific tasks.
The Security Process
1. Your AWS Account Remains Under Your Control
- You never share your AWS login credentials with IPXO
- Your AWS account stays completely private and secure
- You maintain full ownership and control
2. Creating a Secure "Door"
- The QuickFormation URL creates an IAM role (a secure door) in your AWS account
- This role has very specific permissions - only for BYOIP (Bring Your Own IP) operations
- It's like giving someone a key that only opens one specific room, not the entire building
3. The Magic "External ID"
- Each client gets a unique External ID (like a secret handshake)
- This External ID is your tenant UUID - completely unique to you
- IPXO must provide this exact ID every time it needs to access your account
- If the ID doesn't match perfectly, access is denied
4. How IPXO Accesses Your Account
- IPXO uses a special AWS feature called "AssumeRole"
- This means IPXO temporarily "becomes" the secure role we created
- But only if IPXO provides your correct External ID
- This access expires after 1 hour for maximum security
What Can IPXO Do?
The permissions we request are very specific and limited:
EC2 BYOIP Operations
- Add your IP addresses to AWS
- Make your IPs available for use
- Remove IPs when you're done
- Check the status of your IPs
Global Accelerator BYOIP Operations
- Use your IPs with AWS Global Accelerator service
- Manage how your IPs are advertised globally
What IPXO Cannot Do
- Cannot access your other AWS services
- Cannot see your other resources (like servers, databases, etc.)
- Cannot make changes to your account settings
- Cannot incur unexpected costs - only BYOIP operations
Why This Is Safe
Principle of Least Privilege
- We only ask for permissions we absolutely need
- Nothing more, nothing less
Time-Limited Access
- Each access session expires after 1 hour
- IPXO must "re-authenticate" for ongoing operations
Unique Identifier
- Your External ID ensures only IPXO can access the role
- No other service can use this connection
Full Audit Trail
- AWS logs all actions performed through this role
- You can always see what IPXO did and when
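One way to review that audit trail, as an added example that is not part of IPXO's template or tooling: the Python below sorts CloudTrail records for the role into expected BYOIP calls and events that deserve a look. The records, the customer account ID and the role name are constructed, and the allowlist is an assumption based on the operations listed above, not the template's actual action list.

```python
# Assumed allowlist: the BYOIP API calls matching the operations the page describes.
# The template's actual action list is not shown on the page; adjust to the role's policy.
BYOIP_CALLS = {
    "ec2.amazonaws.com": {"ProvisionByoipCidr", "AdvertiseByoipCidr", "WithdrawByoipCidr",
                          "DeprovisionByoipCidr", "DescribeByoipCidrs"},
    "globalaccelerator.amazonaws.com": {"ProvisionByoipCidr", "AdvertiseByoipCidr",
                                        "WithdrawByoipCidr", "DeprovisionByoipCidr",
                                        "ListByoipCidrs"},
}

def review_role_activity(records, role_arn, vendor_account):
    """Split CloudTrail records for one role into expected calls and ones to look at."""
    expected, review = [], []
    for r in records:
        ident = r.get("userIdentity", {})
        label = f'{r["eventTime"]} {r["eventSource"]}:{r["eventName"]}'
        if r["eventSource"] == "sts.amazonaws.com" and r["eventName"] == "AssumeRole":
            if (r.get("requestParameters") or {}).get("roleArn") != role_arn:
                continue  # AssumeRole on some other role
            ok = ident.get("accountId") == vendor_account and "errorCode" not in r
        else:
            issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
            if issuer.get("arn") != role_arn:
                continue  # not performed through this role
            ok = (r["eventName"] in BYOIP_CALLS.get(r["eventSource"], set())
                  and "errorCode" not in r)
        (expected if ok else review).append(label)
    return expected, review

ROLE = "arn:aws:iam::111122223333:role/EXAMPLE-ROLE-NAME"  # constructed placeholder
VIA_ROLE = {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"arn": ROLE}}}
SAMPLE = [  # constructed CloudTrail records, trimmed to the fields used here
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "requestParameters": {"roleArn": ROLE},
     "userIdentity": {"type": "AWSAccount", "accountId": "123456789012"}},
    {"eventTime": "2024-01-01T10:00:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ProvisionByoipCidr", "userIdentity": VIA_ROLE},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": VIA_ROLE},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"type": "IAMUser"}},
]

if __name__ == "__main__":
    print(review_role_activity(SAMPLE, ROLE, "123456789012"))
```

A denied call made through the role lands in the review list because it shows the session attempting something outside the BYOIP permissions.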
The Bottom Line
This setup is industry-standard and used by major cloud services worldwide. It's designed to be:
- Secure: Multiple layers of protection
- Limited: Only the permissions needed for BYOIP
- Transparent: You can monitor all activities
- Reversible: You can delete the role anytime
You remain in complete control of your AWS account while IPXO gets just enough access to help you manage your IP addresses efficiently.
Granting permissions to IPXO
- Click on the QuickFormation URL you have received from the IPXO team:
https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://ipxo-aws-integration-bucket.s3.us-east-1.amazonaws.com/byoip_role.yaml&stackName=IPXO-BYOIP-Integration&param_VendorAccountId=123456789012&param_ExternalId=550e8400-e29b-41d4-a716-446655440000
The URL contains some predefined query parameters, which are used as inputs to the template:
  - templateURL - the URL of the template we use to create the needed permissions faster. It points to our public S3 bucket.
  - stackName - the name the whole stack will be given. The stack will appear under AWS Console > CloudFormation > Stacks once created.
  - param_VendorAccountId - the IPXO AWS account ID. This account will be used to act on your AWS account to perform BYOIP provisioning. It will have permissions limited to BYOIP-related actions only.
  - param_ExternalId - a shared string used to create a session to your AWS account via our AWS account.
- This URL will redirect you to the AWS Console. You will be prompted to sign in to the AWS account that you want to use for BYOIP provisioning.
Note: IPXO does not handle the authentication; it’s completely on the AWS side, like any other sign-in you perform to access AWS.
- Once logged in, you will see our template opened via CloudFormation Stack:


- Values 1, 2, and 3 are prefilled from our side; please do not modify them to avoid issues with the provisioning process.
- You can browse the stack to see what permissions we are going to create. These are the minimal permissions needed to complete the whole flow of the BYOIP provisioning.
- Once you have checked the stack, you need to check the acknowledgement marked with number 4 at the very bottom of the stack and click the “Create stack” button (number 5) to start the IAM permissions provisioning.
- Next, you will see that stack creation has begun:

- You can follow the process and see what’s being created. Click on “Resources” to see what components were created. Click on “Outputs” to double-check the data.
- The stack status will change to green once the stack has been created successfully:

- You can go to IAM > Roles to check the role which has been created to ensure that permissions are correct and our AWS account is set as a trusted entity.
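One way to make the check in the last step repeatable, as an added example that is not IPXO's code: the Python below reads the expected account ID and External ID from the link shown on this page and compares them with a role trust policy. The two policy documents are constructed samples shaped like the AssumeRolePolicyDocument returned by `aws iam get-role`, and the function names are this example's own.

```python
from urllib.parse import urlsplit, parse_qs

# Link from this page; the account ID and External ID in it are the page's sample values.
LINK = ("https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate"
        "?templateURL=https://ipxo-aws-integration-bucket.s3.us-east-1.amazonaws.com/byoip_role.yaml"
        "&stackName=IPXO-BYOIP-Integration&param_VendorAccountId=123456789012"
        "&param_ExternalId=550e8400-e29b-41d4-a716-446655440000")

def link_params(link):
    """The console link carries its parameters in the URL fragment (after '#')."""
    query = urlsplit(link).fragment.partition("?")[2]
    return {k: v[0] for k, v in parse_qs(query).items()}

def principal_account(principal):
    """Account ID of an IAM principal string, or None for '*' and non-IAM values."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) > 5 and parts[:3] == ["arn", "aws", "iam"] else None

def trust_policy_findings(policy, vendor_account, external_id):
    """Problems found in a role trust policy; an empty list means it is as expected."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", "*")
        values = principal.values() if isinstance(principal, dict) else [principal]
        for p in (p for v in values for p in ([v] if isinstance(v, str) else v)):
            if principal_account(p) != vendor_account:
                findings.append(f"unexpected trusted principal: {p}")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        got = {k.lower(): v for k, v in equals.items()}.get("sts:externalid")
        if got != external_id:
            findings.append("sts:ExternalId condition missing or not the expected value")
    return findings

# Constructed trust policies, shaped like the AssumeRolePolicyDocument of `aws iam get-role`.
EXPECTED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "550e8400-e29b-41d4-a716-446655440000"}}}]}
TAMPERED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]}

if __name__ == "__main__":
    p = link_params(LINK)
    for name, doc in (("expected", EXPECTED), ("tampered", TAMPERED)):
        print(name, trust_policy_findings(doc, p["param_VendorAccountId"], p["param_ExternalId"]))
```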

Revoking IPXO permissions
You can view the stack we created using the template in CloudFormation > Stacks. It will be called “IPXO-BYOIP-Integration”.
- If you want to delete all the created resources, delete the stack, and all the related resources will be deleted as well.

- However, if you delete the role, we will not be able to act on your account's behalf, and all the provisioning commands will fail.
If you decide to remove the role, please notify us to avoid confusion during the process.