# AWS Identity Center Integration Setup

### Getting Started <a href="#h_01hkr1f9w1x301w5bd6d96k5qc" id="h_01hkr1f9w1x301w5bd6d96k5qc"></a>

The following fields are required from AWS Identity Center:

#### Requirements <a href="#h_01hq2keprp9cmqqvw4mb7gkdha" id="h_01hq2keprp9cmqqvw4mb7gkdha"></a>

**Option 1 - Using an IAM Role**

* ***IAM Role ARN***
* ***AWS Region***

**Option 2 - Using an IAM User**

* ***Access Key ID***
* ***Secret Access Key***
* ***AWS Region***

#### Option 1: Using Role ARN <a href="#h_01hkr1hfm8mztsa1kvq5g8yzft" id="h_01hkr1hfm8mztsa1kvq5g8yzft"></a>

We use an IAM User called `balkan-service-user`, which assumes the IAM Role provided by you, to connect to your AWS Account.

To create an IAM Role which the `balkan-service-user` can assume, follow the steps below.

1. Navigate to the [AWS Web Console - Roles](https://us-east-1.console.aws.amazon.com/iam/home#/roles) section.
2. Click "Create role":<br>

   <figure><img src="/files/mmQLXcwLkTaUgZc9DH55" alt=""><figcaption></figcaption></figure>
3. Set the "Trusted entity type" to "Custom trust policy" and paste the following policy into the section below it:

{% hint style="info" %}
**Note:** If you have a dedicated environment, the Account ID in this trust policy will be different and so you will have to reach out to <support@balkan.id> for the correct Account ID for your dedicated environment.
{% endhint %}

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowingBalkanIDServiceUser",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::015482169847:user/balkan-service-user"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

<figure><img src="/files/Gmx4H7buRNZReKubbhT2" alt=""><figcaption></figcaption></figure>

4. In the "Permissions policies" section, select the following policies:
   1. `IAMReadOnlyAccess`
   2. `AWSSSOReadOnly`
   3. `AWSSSODirectoryReadOnly`

      <div data-with-frame="true"><figure><img src="/files/5KUrwWMzTFahDEwTc8AM" alt=""><figcaption></figcaption></figure></div>
5. In the next section, set the IAM Role Name and Description. The IAM Role Name will be part of the IAM Role ARN. Click "Create role" to create the IAM Role.
6. Once the IAM Role is created, set the "Maximum session duration" to 12 hours:<br>

   <figure><img src="/files/CvucSf0GYGyNcNi9CiIn" alt=""><figcaption></figcaption></figure>
7. You can copy the ARN from the "ARN" section (just above "Maximum session duration" in the image above).
8. Refer to the [Configure AWS Identity Center in your BalkanID tenant](https://docs.balkan.id/getting-started/setting-up-your-tenant/application-integrations/direct-application-integration/aws-identity-center-integration-setup#h_01hkr26j1kk0nypd601qv5t424) section below to complete setup.
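As an added check (example code written for this page, not BalkanID's own tooling), the Python below validates a saved trust policy document against the pattern above: exactly one AWS principal, the `balkan-service-user` ARN, is allowed to call `sts:AssumeRole`, and no wildcard or account-root principal has slipped in. The expected principal is a parameter because dedicated environments use a different Account ID; the sample policy is a constructed copy of the one shown above.

```python
import json

# Principal named in the trust policy on this page; dedicated environments use
# a different Account ID, so the expected value is a parameter of the check.
EXPECTED_PRINCIPAL = "arn:aws:iam::015482169847:user/balkan-service-user"

# Constructed sample input: a copy of the trust policy shown above.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowingBalkanIDServiceUser",
        "Effect": "Allow",
        "Principal": {"AWS": EXPECTED_PRINCIPAL},
        "Action": "sts:AssumeRole",
    }],
})


def _as_list(value):
    """IAM accepts either a single string or a list in Action/Principal fields."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(document: str, expected_principal: str = EXPECTED_PRINCIPAL) -> list:
    """Return findings for a role trust policy. An empty list means only the
    expected service user may call sts:AssumeRole on the role."""
    policy = json.loads(document)
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    assume_statements = 0
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        # Deny statements and unrelated actions cannot widen who may assume the role.
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        assume_statements += 1
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            extra_types = sorted(set(principal) - {"AWS"})  # e.g. Service, Federated
            if extra_types:
                findings.append(f"{sid}: unexpected principal type(s) {extra_types}")
            aws_principals = _as_list(principal.get("AWS", []))
        else:
            aws_principals = [principal]  # bare "Principal": "*" form
        for p in aws_principals:
            if p == "*" or p.endswith(":root"):
                findings.append(f"{sid}: overly broad principal {p!r}")
            elif p != expected_principal:
                findings.append(f"{sid}: unexpected principal {p!r}")
    if assume_statements == 0:
        findings.append("no Allow statement grants sts:AssumeRole")
    return findings
```

Export the role's trust policy from the console (or from `aws iam get-role`) and pass its JSON to `check_trust_policy`; any non-empty result means the role trusts more than the single service user the page describes.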

#### Option 2: Getting the Access Key and Secret Access Key <a href="#h_01hkr1hfm8mztsa1kvq5g8yzft" id="h_01hkr1hfm8mztsa1kvq5g8yzft"></a>

1. Login to your AWS Console.
2. Select "*Security Credentials*" on the dropdown when you hover over your user email on the top-right.
3. Scroll down until you see a section called "*Access Keys*", as shown in the image below:<br>

   <figure><img src="/files/qbOc7KgNL107SCiogvG4" alt=""><figcaption></figcaption></figure>
4. Click on "*Create Access Key*", select "*Other*" when prompted to enter a use-case and click "*Next*".<br>

   <figure><img src="/files/hktHFsGlY7d9hDFZvJtN" alt=""><figcaption></figcaption></figure>
5. Provide a description for this key (for example: "BalkanID access") and press "*Create Access Key*". You will then be taken to a page looking like the image below:<br>

   <figure><img src="/files/NC1pw1mTQtbKSFWjyZlc" alt=""><figcaption></figcaption></figure>
6. Make a note of the **Access Key** and **Secret Access Key**. Your Region will be the AWS Region in which your AWS Identity Center is configured. To find out which region, please click on the *region name* beside your email on the top right corner of the screen, and copy the code. For example, the region in the screenshot below is "*us-east-1*".<br>

   <figure><img src="/files/ZzqjEbLDORYuzUVkYfM4" alt=""><figcaption></figcaption></figure>

#### Authentication <a href="#h_01hkr21b7htf3g0jr5m5bk2v96" id="h_01hkr21b7htf3g0jr5m5bk2v96"></a>

The **Access Key** is used for authentication. The authenticated IAM User needs access to Identity Center for the integration to work correctly, and must have the following policies attached:

<figure><img src="/files/cAPmk6wcY7KUVzkAjhvk" alt=""><figcaption></figcaption></figure>

<details>

<summary>View last access time for applications and last login time for users </summary>

To enable BalkanID to retrieve the last access time for applications and the last login time for users, the permissions policy of the user you assigned must include the `cloudtrail:LookupEvents` permission.

Please follow these steps to create and assign a policy with the necessary permission:

1. **Navigate to IAM Policies:** \
   Go to the AWS Management Console, then navigate to IAM > Policies. Click on the "Create policy" button located on the right-hand side of the page.

<figure><img src="/files/WNWC5xrpg1ZPNUgmy8Uw" alt=""><figcaption><p><em>Locate and click "Create policy" within the IAM Policies section</em></p></figcaption></figure>

2. **Select the** `CloudTrail` **Service:**\
   On the "Create policy" page, select CloudTrail from the list of services under the "Specify permissions" section.

<figure><img src="/files/SAddz5lb8PSimgVjunIN" alt=""><figcaption><p>Choose "CloudTrail" from the service list to configure its permissions</p></figcaption></figure>

3. **Enable the** `LookupEvents` **Permission:**\
   Within the CloudTrail permissions, expand the "Read" section and select the `LookupEvents` permission. Ensure the checkbox next to it is enabled.

<figure><img src="/files/Ff7CFj42lf6l4AnZa86t" alt=""><figcaption><p>Select and enable the <code>LookupEvents</code> permission for CloudTrail</p></figcaption></figure>

4. **Define Policy Name and Description:**\
   Review the policy, then define a clear and descriptive Policy name. You may also add an optional description to provide more context for the policy's purpose. Click "Create policy" to finalize.

<figure><img src="/files/KquNLpH3I0gKCAVBXPTC" alt=""><figcaption><p>Enter a policy name and an optional description before creating the policy</p></figcaption></figure>

5. **Assign the Policy to Your User**:\
   Once this policy is successfully created, you must attach it to the IAM user that BalkanID uses to interact with your AWS environment. This will grant BalkanID the necessary permissions to extract last access and last login information.

</details>

### Configuring AWS Identity Center on BalkanID Tenant <a href="#h_01hkr26j1kk0nypd601qv5t424" id="h_01hkr26j1kk0nypd601qv5t424"></a>

1. Login to the BalkanID application and switch to the tenant you would like to add your integration to.
2. Head to *Integrations* > **Add Integration**, select **AWS Identity Center.**<br>

   <figure><img src="/files/vlgVZbttJhZGUGXJsC0z" alt=""><figcaption></figcaption></figure>

   <figure><img src="/files/8C7K6E97gATZZrzuE6Mr" alt=""><figcaption></figcaption></figure>
3. Set up the *Primary Application owner (mandatory)* and the *Description*, if any. Set up Secondary Application Owner(s), if any.<br>

   Select the Extraction Type. From here, you can configure your application using one of the following methods:

   1. **Direct integration** - Provide the credentials obtained above (the IAM Role ARN and Region, or the Access Key, Secret Access Key and Region) to set up a direct connection with BalkanID.
   2. **SCIM integration** - Provide SCIM server credentials to set up a SCIM connection with BalkanID.
   3. **Manual file upload** - Upload Entities and Entity Relations through a .CSV file upload. Contact the team for assistance with this.
   4. **Automated upload using API** - You can upload data using our [Bulk APIs](https://developer.balkan.id/) with the help of an API key which will be provided to you. Refer to the [entity](https://developer.balkan.id/bulk-entities-upload-api-early-access-12828095e0) and [entity relation](https://developer.balkan.id/bulk-entity-relations-upload-api-early-access-12828102e0) upload docs for specific instructions on uploading your data through the API.

   <figure><img src="/files/n9OHRckGqoaSeP5gzl2K" alt="" width="563"><figcaption></figcaption></figure>
4. Click **Next** to move on to *Optional Configuration*.
5. Fill in the **Optional configuration**, if required.<br>

   <figure><img src="/files/2iMIYnm3GDQoGy4sXunK" alt="" width="563"><figcaption></figcaption></figure>
6. Once you have filled in the information, click **Save**. Your integration is now configured and its status is displayed alongside your other integrations on the *Integrations* page. When data is available, the integration Status will read **Connected** and the integration Message will read **Data available**.
