AWS Application Integration Setup

Getting Started

BalkanID recommends creating a separate service account for the purposes of this integration, instead of using personal or employee named accounts.

Requirements

Option 1 - Using an IAM Role

  • IAM Role ARN

Option 2 - Using an IAM User

  • Access Key ID

  • Secret Access Key

Getting the configuration

Option 1 - Using an IAM Role

We use an IAM User called balkan-service-user, which assumes the IAM Role provided by you, to connect to your AWS Account.

To create an IAM Role which the balkan-service-user can assume, follow the steps below.

  1. Navigate to the AWS Web Console - Roles section.

  2. Click "Create role":

  3. Set the "Trusted entity type" to "Custom trust policy" and paste the following policy into the section below it:

Note: If you have a dedicated environment, the Account ID in this trust policy will be different, so reach out to [email protected] for the correct Account ID for your dedicated environment. Keep the principal exactly as shown below: it trusts one named IAM User in BalkanID's account. Do not widen it to that account's root (":root") or to "*", because either would let more than the balkan-service-user assume your role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowingBalkanIDServiceUser",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::015482169847:user/balkan-service-user"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
  4. In the "Permissions policies" section, filter policies for IAMReadOnlyAccess and select it as shown in the image:

  5. In the next section, set the IAM Role Name and Description. The IAM Role Name will be part of the IAM Role ARN. Click "Create role" to create the IAM Role.

  6. Once the IAM Role is created, set the "Maximum session duration" to 12 hours (the upper limit AWS allows for a role; the equivalent CLI value is 43200 seconds):

  7. You can copy the ARN from the "ARN" section (just above "Maximum session duration" in the image above).

  8. Refer to the Configure AWS in your BalkanID tenant section below to complete setup.
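The following script is an added example, not part of BalkanID's documentation or tooling. It builds the trust policy above for a given BalkanID account ID (the shared account 015482169847 from this page, or the one support gives you for a dedicated environment) and audits a trust-policy document before you paste it: exactly one Allow statement, the action limited to sts:AssumeRole, and the principal equal to the balkan-service-user ARN (a "*" principal or an account root is flagged). A second check covers the remaining console settings from steps 4 and 6: a 12-hour maximum session duration (43200 seconds) and only IAMReadOnlyAccess attached (IAMFullAccess when using the Lifecycle Management scope). The function names are mine, and the inputs to check_role_settings are assumed to come from the console or from `aws iam get-role` and `aws iam list-attached-role-policies`; no AWS calls are made.

```python
import json

# Values from the page; dedicated environments get a different account ID from BalkanID support.
BALKANID_SHARED_ACCOUNT_ID = "015482169847"
BALKANID_SERVICE_USER = "balkan-service-user"
READ_ONLY_POLICY_ARN = "arn:aws:iam::aws:policy/IAMReadOnlyAccess"  # Access Review scope
LIFECYCLE_POLICY_ARN = "arn:aws:iam::aws:policy/IAMFullAccess"      # Lifecycle Management scope
TWELVE_HOURS_SECONDS = 12 * 60 * 60  # "Maximum session duration" of 12 hours, as the CLI expects it


def service_user_arn(account_id=BALKANID_SHARED_ACCOUNT_ID, user=BALKANID_SERVICE_USER):
    return f"arn:aws:iam::{account_id}:user/{user}"


def build_trust_policy(account_id=BALKANID_SHARED_ACCOUNT_ID):
    """The page's trust policy, parameterised on the BalkanID account ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowingBalkanIDServiceUser",
                "Effect": "Allow",
                "Principal": {"AWS": service_user_arn(account_id)},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def trust_policy_json(account_id=BALKANID_SHARED_ACCOUNT_ID):
    """Same policy as a string, ready for the console or `aws iam create-role`."""
    return json.dumps(build_trust_policy(account_id), indent=4)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc, expected_principal_arn):
    """Return findings for a trust policy (dict or JSON string); [] means it matches the page's shape."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    allows = [s for s in _as_list(doc.get("Statement", [])) if s.get("Effect") == "Allow"]
    if len(allows) != 1:
        findings.append(f"expected exactly one Allow statement, found {len(allows)}")
    for stmt in allows:
        if "NotPrincipal" in stmt or "NotAction" in stmt:
            findings.append("NotPrincipal/NotAction invert the match; the page's policy uses neither")
        actions = _as_list(stmt.get("Action", []))
        if actions != ["sts:AssumeRole"]:
            findings.append(f"Action must be exactly sts:AssumeRole, found {actions}")
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws_principals:
            findings.append("Principal '*' lets any AWS account assume the role")
            continue
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            findings.append(f"Principal must contain only an AWS principal, found {principal!r}")
            continue
        for arn in aws_principals:
            # An account root (":root") or any other ARN widens trust beyond the one service user.
            if arn != expected_principal_arn:
                findings.append(f"unexpected principal {arn}; only {expected_principal_arn} should be trusted")
    return findings


def check_role_settings(max_session_duration, attached_policy_arns, lifecycle=False):
    """Check the remaining console settings: the 12-hour session limit and exactly one managed policy."""
    findings = []
    if max_session_duration != TWELVE_HOURS_SECONDS:
        findings.append(f"Maximum session duration is {max_session_duration}s, page asks for {TWELVE_HOURS_SECONDS}s")
    wanted = LIFECYCLE_POLICY_ARN if lifecycle else READ_ONLY_POLICY_ARN
    if wanted not in attached_policy_arns:
        findings.append(f"{wanted} is not attached")
    findings.extend(f"{arn} is attached but not needed by the integration"
                    for arn in attached_policy_arns if arn != wanted)
    return findings


if __name__ == "__main__":
    # Constructed inputs: the page's policy and a weakened variant that must never be pasted.
    good = trust_policy_json()
    too_wide = build_trust_policy()
    too_wide["Statement"][0]["Principal"] = "*"
    print(good)
    print("page policy:", audit_trust_policy(good, service_user_arn()))
    print("wildcard   :", audit_trust_policy(too_wide, service_user_arn()))
    print("settings   :", check_role_settings(TWELVE_HOURS_SECONDS, [READ_ONLY_POLICY_ARN]))
```

Run it with the account ID support gave you (`trust_policy_json("<dedicated account id>")`) to get the exact document to paste in step 3, and feed the role's `MaxSessionDuration` and attached policy ARNs back into check_role_settings after step 6 to confirm nothing was widened during setup.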

Option 2 - Using an IAM User

To generate an access key ID and secret access key, follow the steps below.

  1. Navigate to the AWS Web Console - Users section.

  2. Click “Create user”:

  3. Provide a username and click on next.

  4. When setting the permissions, use the "Attach existing policies directly" option, filter policies for IAMReadOnlyAccess and select it as shown in the image:

  5. Review the user's information and click “Create User”:

  6. Once done, the new user will show up in the table. Click on the user to open its profile page:

  7. Navigate to the "Security credentials" tab and scroll down until you see a section called "Access Keys", as shown in the image below:

  8. Click on "Create Access Key", select "Other" when prompted for a use case and click "Next".

  9. Provide a description for this key (for example: BalkanID access) and press "Create Access Key". You will then be taken to a page looking like the image below:

  10. Make a note of the Access Key ID and Secret Access Key. AWS shows the Secret Access Key only on this page; store it in a secrets manager rather than in chat or e-mail, and if it is lost, delete the key and create a new one.

Configure AWS in your BalkanID tenant

  1. Login to the BalkanID application and switch to the tenant you would like to add your integration to.

  2. Head to Integrations > Add Integration, select Amazon Web Services.

  3. Set up the Primary Application owner (mandatory) and the Description, if any. Set up Secondary Application Owner(s), if any.

    Select the Extraction Type. From here, you can configure your application using one of the following methods:

    1. Direct integration - Provide your Access Key ID, Secret Access Key and Role ARN obtained above to set up a direct connection with BalkanID. Note: If the Role ARN is provided, then Access Key ID and Secret Access Key need not be provided. If all three are provided, then the Role ARN is the one which will take priority and be used.

    2. SCIM integration - Provide SCIM server credentials to set up a SCIM connection with BalkanID.

    3. Manual file upload - Upload Entity and Entity Relations through a .CSV file upload. Contact the team for assistance with this.

    4. Automated upload using API - You can upload data using our Bulk APIs with the help of an API key which will be provided to you. Please refer to the entity and entity relation upload docs for specific instructions on uploading your data through the API.

  4. Click on next to move onto Optional Configuration.

  5. Fill Optional configuration, if required.

  6. Once you have filled in the information, click Save. Your integration is now configured and you will see its status displayed alongside other integrations on the Integrations page. When data is available, the integration Status will read Connected and the integration Message will read Data available.

Integration Scopes

The AWS managed policy to attach (to the IAM Role in Option 1 or the IAM User in Option 2) depends on the scope you need:

  Scope                        AWS managed policy
  Read Only (Access Review)    IAMReadOnlyAccess (policy)
  Lifecycle Management         IAMFullAccess (policy)
