AWS Application Integration Setup

Getting Started

BalkanID recommends creating a separate service account for the purposes of this integration, instead of using personal or employee named accounts.

Requirements

Option 1 - Using an IAM Role

• IAM Role ARN

Option 2 - Using an IAM User

• Access Key ID

• Secret Access Key

Getting the configuration

Option 1 - Using an IAM Role

We use an IAM User called balkan-service-user, which assumes the IAM Role provided by you, to connect to your AWS Account.

To create an IAM Role which the balkan-service-user can assume, follow the steps below.

1. Navigate to the AWS Web Console - Roles section.

2. Click "Create role":

1. Set the "Trusted entity type" to "Custom trust policy" and paste the following policy into the section below it:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowingBalkanIDServiceUser",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::015482169847:user/balkan-service-user"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

1. In the "Permissions policies" section, filter policies for IAMReadOnlyAccess and select as in image:

1. In the next section, set the IAM Role Name and Description. The IAM Role Name will be part of the IAM Role ARN. Click "Create role" to create the IAM Role.

2. Once the IAM Role is created, set the "Maximum session duration" to be 12 hours:

1. You can copy the ARN from the "ARN" section (just above "Maximum session duration" in the image above).

2. Refer to the Configure AWS in your BalkanID tenant section below to complete setup.

Option 2 - Using an IAM User

To generate an access key ID and secret access key, follow the steps below.

1. Navigate to the AWS Web Console - Users section.

2. Click “Add users”:

   
3. Add the user and ensure it has Access key - programmatic access credential type checked:

   
4. When setting the permissions, use the Attach existing policies directly option, and filter policies for IAMReadOnlyAccess and select as in image:

   
5. Click “Create User”:

   
6. Copy the Access key ID and Secret access key as below:

   

Configure AWS in your BalkanID tenant

1. Login to the BalkanID application and switch to the tenant you would like to add your integration to.

2. Head to Integrations > Add Integration, select Amazon Web Services.

   

   
3. Set up the Primary Application owner (mandatory) and the Description, if any. Set up Secondary Application Owner(s), if any.

   Select the Extraction Type. From here, you can configure your application using one of the following methods:

   1. Direct integration - Provide your Access Key ID, Secret Access Key and Role ARN obtained above to set up a direct connection with BalkanID. Note: If the Role ARN is provided, then Access Key ID and Secret Access Key need not be provided. If all three are provided, then the Role ARN is the one which will take priority and be used.

   2. SCIM integration - Provide SCIM server credentials to set up a SCIM connection with BalkanID.

   3. Manual file upload - Upload Entity and Entity Relations through a .CSV file upload. Contact the team for assistance with this.

   4. Automated upload using API - You can upload data using our Bulk APIs with the help of an API key which will be provided to you. Please refer to the entity and entity relation upload docs for specific instructions on uploading your data through the API.

   
4. Click on next to move onto Optional Configuration.

5. Fill Optional configuration, if required.

   
6. Once you filled in the information, click Save. Your integration is now configured and you will see the status of the integration displayed alongside other integrations on the Integrations page. When data is available, the integration Status will read Connected and the integration Message will read Data available.

Integration Scopes