diff --git a/files/tembo-identity.json b/files/tembo-identity.json
index 538da6d..1da37a2 100644
--- a/files/tembo-identity.json
+++ b/files/tembo-identity.json
@@ -4,7 +4,7 @@
"Parameters": {
"TemboOrgId": {
"Type": "String",
- "Description": "Your Tembo organization ID (shown in the connect modal)",
+ "Description": "Your Tembo organization ID — click 'Open AWS Console' in the Tembo connect modal and copy the param_TemboOrgId value from the URL",
"MinLength": 1
}
},
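Review bot: The `TemboOrgId` parameter is still validated only by `"MinLength": 1`, while the new Description asks users to copy the value out of a URL by hand. A paste that drags along the `param_TemboOrgId=` key or neighbouring query text would be accepted and would produce a role whose org scoping never matches. Consider adding an `AllowedPattern` anchored on the `org_` prefix shown in the docs example, plus a `ConstraintDescription` that repeats where to find the value.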
diff --git a/integrations/aws.mdx b/integrations/aws.mdx
index 2120c24..baee390 100644
--- a/integrations/aws.mdx
+++ b/integrations/aws.mdx
@@ -43,10 +43,12 @@ You can connect multiple AWS accounts — each gets its own label and isolated M
Use this if the one-click CloudFormation link shows "Access Denied". The template below creates the same IAM resources.
-1. Download the CloudFormation template. It creates an OIDC provider and a cross-account IAM role that trusts Tembo's issuer, scoped to your org ID.
+1. **Find your org ID.** In the connect modal, click **Open AWS Console**. Before the AWS page loads, copy the `param_TemboOrgId` value from the URL — it looks like `org_2vyf1Ja...`. You'll need this in step 4.
+
+2. Download the CloudFormation template. It creates an OIDC provider and a cross-account IAM role that trusts Tembo's issuer, scoped to your org ID.
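Review bot: The new step 1 ends with "You'll need this in step 4", but after the renumbering in this patch the org ID is entered in step 5 ("Enter the **Tembo organization ID** you copied in step 1"), and step 4 is the template upload. Change the reference to step 5, or refer to the step by what it does so the next renumbering does not break it. "Before the AWS page loads" is also a race the reader can lose; say whether the value can still be read from the address bar afterwards.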
@@ -58,7 +60,7 @@ Use this if the one-click CloudFormation link shows "Access Denied". The templat
"Parameters": {
"TemboOrgId": {
"Type": "String",
- "Description": "Your Tembo organization ID (shown in the connect modal)",
+ "Description": "Your Tembo organization ID (copy param_TemboOrgId from the Open AWS Console URL)",
"MinLength": 1
}
},
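Review bot: The Description in this embedded copy of the template ("copy param_TemboOrgId from the Open AWS Console URL") does not match the string this same patch puts in `files/tembo-identity.json` ("click 'Open AWS Console' in the Tembo connect modal and copy the param_TemboOrgId value from the URL"). Users who download the file and users who copy the block from the page will see different prompts in CloudFormation; use one wording in both places so the two copies of the template stay identical.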
@@ -110,11 +112,11 @@ Use this if the one-click CloudFormation link shows "Access Denied". The templat
**Self-hosted Tembo:** replace both occurrences of `app.tembo.io` with your instance's public hostname (the value of `TEMBO_OIDC_ISSUER` in your config).
-2. In the [AWS CloudFormation console](https://console.aws.amazon.com/cloudformation), click **Create stack → With new resources**.
-3. Choose **Upload a template file** and upload `tembo-identity.json`.
-4. Enter your **Tembo organization ID** when prompted (visible in the connect modal).
-5. Deploy the stack. When it completes, open the **Outputs** tab and copy the `RoleArn` value.
-6. Back in Tembo, switch to **Enter ARN manually** and paste the ARN. Click **Connect**.
+3. In the [AWS CloudFormation console](https://console.aws.amazon.com/cloudformation), click **Create stack → With new resources**.
+4. Choose **Upload a template file** and upload `tembo-identity.json`.
+5. Enter the **Tembo organization ID** you copied in step 1 when prompted.
+6. Deploy the stack. When it completes, open the **Outputs** tab and copy the `RoleArn` value.
+7. Back in Tembo, switch to **Enter ARN manually** and paste the ARN. Click **Connect**.
## How authentication works
@@ -133,7 +135,7 @@ Tembo never stores AWS credentials. For each agent run:
- Confirm the OIDC provider URL in your CloudFormation stack matches your Tembo instance exactly (including protocol, no trailing slash). For hosted Tembo this is `https://app.tembo.io`. Check that the `TemboOrgId` parameter matches the organization ID shown in the Tembo connect modal.
+ Confirm the OIDC provider URL in your CloudFormation stack matches your Tembo instance exactly (including protocol, no trailing slash). For hosted Tembo this is `https://app.tembo.io`. Check that the `TemboOrgId` parameter matches the organization ID from the `param_TemboOrgId` value in the Open AWS Console URL.
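Review bot: The troubleshooting check now points at "the `param_TemboOrgId` value in the Open AWS Console URL" without saying how to get back to that URL or where to read the value that was actually deployed. Suggest telling the reader to re-open the connect modal and click **Open AWS Console** again, and to compare the result against the `TemboOrgId` value on the stack's Parameters tab, since a mismatch there is what this entry is meant to catch.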