From 0d313bc6ecf4d0bbaa39b71cf4608f323547029e Mon Sep 17 00:00:00 2001 From: jwafu Date: Fri, 19 Jun 2026 12:37:55 -0400 Subject: [PATCH 1/4] fix(aws-docs): tell users to find org ID from Open AWS Console URL --- integrations/aws.mdx | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/integrations/aws.mdx b/integrations/aws.mdx index 2120c24..6c493f4 100644 --- a/integrations/aws.mdx +++ b/integrations/aws.mdx @@ -43,7 +43,9 @@ You can connect multiple AWS accounts — each gets its own label and isolated M Use this if the one-click CloudFormation link shows "Access Denied". The template below creates the same IAM resources. -1. Download the CloudFormation template. It creates an OIDC provider and a cross-account IAM role that trusts Tembo's issuer, scoped to your org ID. +1. **Find your org ID.** In the connect modal, click **Open AWS Console**. Before the AWS page loads, copy the `param_TemboOrgId` value from the URL — it looks like `org_2vyf1Ja...`. You'll need this in step 4. + +2. Download the CloudFormation template. It creates an OIDC provider and a cross-account IAM role that trusts Tembo's issuer, scoped to your org ID.
@@ -58,7 +60,7 @@ Use this if the one-click CloudFormation link shows "Access Denied". The templat "Parameters": { "TemboOrgId": { "Type": "String", - "Description": "Your Tembo organization ID (shown in the connect modal)", + "Description": "Your Tembo organization ID (copy param_TemboOrgId from the Open AWS Console URL)", "MinLength": 1 } }, @@ -110,10 +112,10 @@ Use this if the one-click CloudFormation link shows "Access Denied". The templat **Self-hosted Tembo:** replace both occurrences of `app.tembo.io` with your instance's public hostname (the value of `TEMBO_OIDC_ISSUER` in your config). -2. In the [AWS CloudFormation console](https://console.aws.amazon.com/cloudformation), click **Create stack → With new resources**. -3. Choose **Upload a template file** and upload `tembo-identity.json`. -4. Enter your **Tembo organization ID** when prompted (visible in the connect modal). -5. Deploy the stack. When it completes, open the **Outputs** tab and copy the `RoleArn` value. +3. In the [AWS CloudFormation console](https://console.aws.amazon.com/cloudformation), click **Create stack → With new resources**. +4. Choose **Upload a template file** and upload `tembo-identity.json`. +5. Enter the **Tembo organization ID** you copied in step 1 when prompted. +6. Deploy the stack. When it completes, open the **Outputs** tab and copy the `RoleArn` value. 6. Back in Tembo, switch to **Enter ARN manually** and paste the ARN. Click **Connect**. ## How authentication works 
@@ -133,7 +135,7 @@ Tembo never stores AWS credentials. For each agent run: - Confirm the OIDC provider URL in your CloudFormation stack matches your Tembo instance exactly (including protocol, no trailing slash). For hosted Tembo this is `https://app.tembo.io`. Check that the `TemboOrgId` parameter matches the organization ID shown in the Tembo connect modal. + Confirm the OIDC provider URL in your CloudFormation stack matches your Tembo instance exactly (including protocol, no trailing slash). For hosted Tembo this is `https://app.tembo.io`. Check that the `TemboOrgId` parameter matches the organization ID from the `param_TemboOrgId` value in the Open AWS Console URL. From 0ce12eeca675bf10504bba9c301e67edbf943cea Mon Sep 17 00:00:00 2001 From: jwafu Date: Fri, 19 Jun 2026 12:41:49 -0400 Subject: [PATCH 2/4] fix(aws-docs): link tembo-identity.json directly to S3 bucket --- integrations/aws.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integrations/aws.mdx b/integrations/aws.mdx index 6c493f4..7338fe8 100644 --- a/integrations/aws.mdx +++ b/integrations/aws.mdx @@ -48,7 +48,7 @@ Use this if the one-click CloudFormation link shows "Access Denied". The templat 2. Download the CloudFormation template. It creates an OIDC provider and a cross-account IAM role that trusts Tembo's issuer, scoped to your org ID.
- +
From a591edb6b2f1f7b4468df5d48ed6f4d25f81d7a5 Mon Sep 17 00:00:00 2001 From: jwafu Date: Fri, 19 Jun 2026 12:45:18 -0400 Subject: [PATCH 3/4] fix(aws-docs): update tembo-identity.json parameter description to reference URL source --- files/tembo-identity.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/tembo-identity.json b/files/tembo-identity.json index 538da6d..1da37a2 100644 --- a/files/tembo-identity.json +++ b/files/tembo-identity.json @@ -4,7 +4,7 @@ "Parameters": { "TemboOrgId": { "Type": "String", - "Description": "Your Tembo organization ID (shown in the connect modal)", + "Description": "Your Tembo organization ID — click 'Open AWS Console' in the Tembo connect modal and copy the param_TemboOrgId value from the URL", "MinLength": 1 } }, From 36480b97837891cde9633efd6adb75dba9b22554 Mon Sep 17 00:00:00 2001 From: jwaf <55861512+jwafu@users.noreply.github.com> Date: Fri, 19 Jun 2026 12:50:23 -0400 Subject: [PATCH 4/4] Update integrations/aws.mdx Co-authored-by: tembo[bot] <208362400+tembo[bot]@users.noreply.github.com> --- integrations/aws.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integrations/aws.mdx b/integrations/aws.mdx index 7338fe8..baee390 100644 --- a/integrations/aws.mdx +++ b/integrations/aws.mdx @@ -116,7 +116,7 @@ Use this if the one-click CloudFormation link shows "Access Denied". The templat 4. Choose **Upload a template file** and upload `tembo-identity.json`. 5. Enter the **Tembo organization ID** you copied in step 1 when prompted. 6. Deploy the stack. When it completes, open the **Outputs** tab and copy the `RoleArn` value. -6. Back in Tembo, switch to **Enter ARN manually** and paste the ARN. Click **Connect**. +7. Back in Tembo, switch to **Enter ARN manually** and paste the ARN. Click **Connect**. ## How authentication works
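Review bot: In [PATCH 1/4], the new step 1 in the `@@ -43,7 +43,9 @@` hunk ends with "You'll need this in step 4", but after the renumbering in the same patch the org ID is entered in step 5 ("Enter the **Tembo organization ID** you copied in step 1 when prompted"), and step 4 is the template upload. Change the reference to step 5. The instruction to copy the value "Before the AWS page loads" also depends on timing; if the modal renders **Open AWS Console** as a link, telling the reader to copy the link address would let them read `param_TemboOrgId` without racing the page load.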
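Review bot: In [PATCH 1/4], the `@@ -110,10 +112,10 @@` hunk renumbers the steps to 3 through 6 but leaves the unchanged context line "6. Back in Tembo, switch to **Enter ARN manually** and paste the ARN." as it is, so the list carries two steps numbered 6 until [PATCH 4/4] changes the second one to 7. Fold 4/4 into 1/4 so that every commit in the series leaves the list correctly numbered.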
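Review bot: [PATCH 3/4] gives the `TemboOrgId` parameter in `files/tembo-identity.json` a different `Description` string from the one the `@@ -58,7 +60,7 @@` hunk of [PATCH 1/4] puts in the inline copy of the template in `integrations/aws.mdx`; use one wording in both places so the two copies of the template do not drift. Since the value is now hand-copied out of a URL and the only validation visible here is `"MinLength": 1`, consider adding an `AllowedPattern` anchored on the `org_` prefix (assuming every org ID carries it), so that a pasted `param_TemboOrgId=` prefix or a whole URL is rejected at stack creation instead of surfacing later as the `TemboOrgId` mismatch the troubleshooting text in 1/4 asks users to check for.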