This page explains the steps to create an Enterprise MCP user.
1. IAM → Roles → Add Role → Create role
2. Select Another AWS Account
3. Enter Account ID as 067319167081
4. (Optional, recommended) Select the Require external ID check box under Options and enter a random string for External ID
5. When done, click Next: Permissions
6. Click Next: Tags without adding any permissions; permissions will be added later.
7. Add the desired tags for the Bebop Service Role and click Next: Review
8. Enter Role name as BebopServiceRole and a Role description as desired and click Create role
9. Select the Role just created (https://console.aws.amazon.com/iam/home#/roles/BebopServiceRole) → Permissions → Add inline policy
10. Select the JSON tab and enter the following IAM Policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "iam:PassRole",
                    "kms:Decrypt",
                    "kms:Encrypt",
                    "kms:RevokeGrant",
                    "kms:DescribeKey",
                    "ec2:*",
                    "kms:CreateGrant",
                    "kms:ListGrants",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*"
                ],
                "Resource": "*"
            }
        ]
    }
11. Click on Review policy and enter the Name as BebopServiceRolePolicy
12. Click Create policy
13. Share the Role ARN and External ID (if created in step 2b) with Bebop Support.
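
Steps 2 to 4 determine the role's trust policy, which controls who can assume BebopServiceRole. The following is an added example, not part of the original page or Bebop's own tooling: it checks a trust policy document for the expected account and for the `sts:ExternalId` condition that guards against confused-deputy use of the role. The sample policy and the external ID value in it are constructed placeholders.

```python
import fnmatch
import json

BEBOP_ACCOUNT_ID = "067319167081"  # account ID entered in step 3

# Constructed sample: the trust policy shape the console generates for steps 2-4.
# The external ID is a placeholder, not a real value.
SAMPLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::067319167081:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
  }]
}
""")


def as_list(value):
    """IAM accepts either a single value or a list in most fields."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, account_id=BEBOP_ACCOUNT_ID):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    allowed = {account_id, f"arn:aws:iam::{account_id}:root"}
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        actions = as_list(stmt.get("Action", []))
        # Action patterns such as "sts:*" or "*" also grant AssumeRole.
        grants = any(fnmatch.fnmatchcase("sts:assumerole", a.lower()) for a in actions)
        if stmt.get("Effect") != "Allow" or not grants:
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # e.g. "*": anyone may assume the role
            findings.append(f"statement {i}: principal {principal!r} is not an account")
            continue
        for arn in as_list(principal.get("AWS", [])):
            if arn not in allowed:
                findings.append(f"statement {i}: unexpected principal {arn}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    print(audit_trust_policy(SAMPLE_TRUST_POLICY) or "trust policy OK")
```

To audit the live role, pass in the output of `aws iam get-role --role-name BebopServiceRole --query Role.AssumeRolePolicyDocument` parsed with `json.loads`.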