AWS Application Integration Setup
Getting Started
BalkanID recommends creating a separate service account for the purposes of this integration, instead of using personal or employee named accounts.
Requirements
Option 1 - Using an IAM Role
IAM Role ARN
Option 2 - Using an IAM User
Access Key ID
Secret Access Key
Getting the configuration
Option 1 - Using an IAM Role
We use an IAM User called balkan-service-user
, which assumes the IAM Role provided by you, to connect to your AWS Account.
To create an IAM Role which the balkan-service-user
can assume, follow the steps below.
Navigate to the AWS Web Console - Roles section.
Click "Create role":
Set the "Trusted entity type" to "Custom trust policy" and paste the following policy into the section below it:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowingBalkanIDServiceUser",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::015482169847:user/balkan-service-user"
},
"Action": "sts:AssumeRole"
}
]
}

In the "Permissions policies" section, filter policies for
IAMReadOnlyAccess
and select as in image:In the next section, set the IAM Role Name and Description. The IAM Role Name will be part of the IAM Role ARN. Click "Create role" to create the IAM Role.
Once the IAM Role is created, set the "Maximum session duration" to be 12 hours:
You can copy the ARN from the "ARN" section (just above "Maximum session duration" in the image above).
Refer to the Configure AWS in your BalkanID tenant section below to complete setup.
Option 2 - Using an IAM User
To generate an access key ID and secret access key, follow the steps below.
Navigate to the AWS Web Console - Users section.
Click “Create user”:
Provide a username and click on next.
When setting the permissions, use the
Attach existing policies directly
option, and filter policies forIAMReadOnlyAccess
and select as in image:Review the user's information and click “Create User”:
Once done, the new user will show up on the table. Click on the user to go into his profile page:


Navigate to the "Security credentials" tab. Scroll down, until you see a section called "Access Keys". You will see a section shown in the below image:

Click on "Create Access Key", select "Other" when prompted to enter use-case and click "Next".

Please provide a description for this (For Example: BalkanID access) and press "Create Access Key". You will then be taken to a page looking like the below image:

Make a note of the Access Key and Secret Access Key.
Configure AWS in your BalkanID tenant
Login to the BalkanID application and switch to the tenant you would like to add your integration to.
Head to Integrations > Add Integration, select Amazon Web Services.
Set up the Primary Application owner (mandatory) and the Description, if any. Set up Secondary Application Owner(s), if any.
Select the Extraction Type. From here, you can configure your application using one of the following methods:
Direct integration - Provide your Access Key ID, Secret Access Key and Role ARN obtained above to set up a direct connection with BalkanID. Note: If the Role ARN is provided, then Access Key ID and Secret Access Key need not be provided. If all three are provided, then the Role ARN is the one which will take priority and be used.
SCIM integration - Provide SCIM server credentials to set up a SCIM connection with BalkanID.
Manual file upload - Upload Entity and Entity Relations through a .CSV file upload. Contact the team for assistance with this.
Automated upload using API - You can upload data using our Bulk APIs with the help of an API key which will be provided to you. Please refer to the entity and entity relation upload docs for specific instructions on uploading your data through the API.
Click on next to move onto Optional Configuration.
Fill Optional configuration, if required.
Once you filled in the information, click Save. Your integration is now configured and you will see the status of the integration displayed alongside other integrations on the Integrations page. When data is available, the integration Status will read Connected and the integration Message will read Data available.
Integration Scopes
Read Only (Access Review) Scopes
Lifecycle Management Scopes
IAMReadOnlyAccess (policy)
IAMFullAccess (policy)
Last updated
Was this helpful?