# AWS Application Integration Setup
### Getting Started
BalkanID recommends creating a separate service account for the purposes of this integration, instead of using personal or employee named accounts.
#### Requirements
**Option 1 - Using an IAM Role**
* ***IAM Role ARN***
**Option 2 - Using an IAM User**
* ***Access Key ID***
* ***Secret Access Key***
#### Getting the configuration
**Option 1 - Using an IAM Role**
We use an IAM User called `balkan-service-user`, which assumes the IAM Role provided by you, to connect to your AWS Account.
To create an IAM Role which the `balkan-service-user` can assume, follow the steps below.
1. Navigate to the [AWS Web Console - Roles](https://us-east-1.console.aws.amazon.com/iam/home#/roles) section.
2. Click "Create role":
3. Set the "Trusted entity type" to "Custom trust policy" and paste the following policy into the section below it:
{% hint style="info" %}
**Note:** If you have a dedicated environment, the Account ID in this trust policy will be different and so you will have to reach out to for the correct Account ID for your dedicated environment.
{% endhint %}
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowingBalkanIDServiceUser",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::015482169847:user/balkan-service-user"
},
"Action": "sts:AssumeRole"
}
]
}
```
4. In the "Permissions policies" section, filter policies for `IAMReadOnlyAccess` and select as in image:
5. In the next section, set the IAM Role Name and Description. The IAM Role Name will be part of the IAM Role ARN. Click "Create role" to create the IAM Role.
6. Once the IAM Role is created, set the "Maximum session duration" to be 12 hours:
7. You can copy the ARN from the "ARN" section (just above "Maximum session duration" in the image above).
8. Refer to the [Configure AWS in your BalkanID tenant](https://docs.balkan.id/configurations-and-integrations/direct-application-integrations/aws-application-integration-setup#h_01hph1r4emybbss8cnq95442gv) section below to complete setup.
**Option 2 - Using an IAM User**
To generate an access key ID and secret access key, follow the steps below.
1. Navigate to the [AWS Web Console - Users](https://console.aws.amazon.com/iamv2/home#/users) section.
2. Click “Create user”:
3. Provide a username and click on next.
4. When setting the permissions, use the `Attach existing policies directly` option, and filter policies for `IAMReadOnlyAccess` and select as in image:
5. Review the user's information and click “Create User”:
6. Once done, the new user will show up on the table. Click on the user to go into his profile page:
7. Navigate to the "Security credentials" tab. Scroll down, until you see a section called "*Access Keys*". You will see a section shown in the below image:
8. Click on "*Create Access Key*", select "*Other*" when prompted to enter use-case and click "N*ext*".
9. Please provide a description for this (**For** **Example**: BalkanID access) and press "*Create Access Key*". You will then be taken to a page looking like the below image:
10. Make a note of the **Access Key** and **Secret Access Key**.
### Configure AWS in your BalkanID tenant
1. Login to the BalkanID application and switch to the tenant you would like to add your integration to.
2. Head to *Integrations* > **Add Integration**, select **Amazon Web Services.**
3. Set up the *Primary Application owner (mandatory)* and the *Description*, if any. Set up Secondary Application Owner(s), if any.
Select the Extraction Type. From here, you can configure your application using one of the following methods:
1. **Direct integration** - Provide your Access Key ID, Secret Access Key and Role ARN obtained above to set up a direct connection with BalkanID.\
\
**Note:** If the Role ARN is provided, then Access Key ID and Secret Access Key need not be provided. If all three are provided, then the Role ARN is the one which will take priority and be used.
2. **SCIM integration** - Provide SCIM server credentials to set up a SCIM connection with BalkanID.
3. **Manual file upload** - Upload Entity and Entity Relations through a .CSV file upload. Contact the team for assistance with this.
4. **Automated upload using API -** You can upload data using our [Bulk APIs](https://developer.balkan.id/) with the help of an API key which will be provided to you. Please refer to the [entity](https://developer.balkan.id/bulk-entities-upload-api-early-access-12828095e0) and [entity relation](https://developer.balkan.id/bulk-entity-relations-upload-api-early-access-12828102e0) upload docs for specific instructions on uploading your data through the API.
4. Click on next to move onto *Optional Configuration.*
5. Fill **Optional configuration,** if required.
6. Once you filled in the information, click **Save**. Your integration is now configured and you will see the status of the integration displayed alongside other integrations on the *Integrations* page. When data is available, the integration Status will read **Connected** and the integration Message will read **Data available**.
### Integration Scopes
| **Read Only (Access Review) Scopes** | **Lifecycle Management Scopes** |
| ------------------------------------ | ------------------------------- |
| IAMReadOnlyAccess (policy) | IAMFullAccess (policy) |
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.balkan.id/getting-started/setting-up-your-tenant/application-integrations/direct-application-integration/aws-application-integration-setup.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.