
AWS type

Introduction

Using Tines to automate interaction with AWS services requires an AWS credential. When an HTTP Request Action with an AWS mode credential runs, Tines will authorize the request with AWS using the Signature Version 4 Signing Process and include the corresponding headers in the request.

Creating an AWS credential

Role-based access

AWS recommends using roles for cross-account access, e.g. to allow Tines to access resources in your AWS account. To create a Role-based access AWS credential in Tines, you'll also need to create and correctly configure a Role in your AWS account. The following three steps will get you up and running. For more information, see the AWS tutorial.

Step 1: Create your AWS Credential in Tines

Create a new Credential in Tines. Set the "type" to "AWS", the "Authentication type" to "Role-based access" and enter a name (and, optionally, a description).

Create Role Based AWS Credential

Once you click "Save credential", you'll be presented with an Account ID and External ID:

View AWS Credential Account ID and External ID

You'll need these values in the next step.

Step 2: Create your Role in AWS

From the Identity and Access Management (IAM) section of the AWS console, navigate to "Roles" and click on "Create role":

Create a Role in AWS

For "Trusted entity type", select "AWS account". Select "Another AWS account" and enter the Account ID from step 1. Check "Require external ID" and enter the External ID from step 1.

Populate Account ID and External ID for a Role in AWS

Important: To correctly secure access to your account, you must configure the External ID that Tines has generated for your Credential. See this AWS documentation for more.

Complete the "Add permissions" and "Name, review and create" steps to finish creating your Role.

Step 3: Add your Role's ARN to your Tines Credential

In the AWS console, open the Role you just created and copy the ARN:

Copy Role ARN

Paste it into the Role ARN field of your Credential in Tines and click "Save credential":

Add Role ARN to Tines Credential
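The role created in Step 2 ends up with a trust policy that names the Account ID as principal and pins `sts:ExternalId` in a condition. The following Python check is an added example, not Tines or AWS code: it audits a trust policy document for that condition. The account ID, external ID, sample policies and function names are constructed for illustration, and only the `aws` partition and the `StringEquals` operator are handled.

```python
ACCOUNT_ID = "111122223333"          # constructed placeholder for the Account ID from step 1
EXTERNAL_ID = "example-external-id"  # constructed placeholder for the External ID from step 1

# Constructed trust policy of the shape produced when "Require external ID" is checked.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}
# Same statement without the Condition: the External ID is not enforced.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {k: v for k, v in GOOD_POLICY["Statement"][0].items() if k != "Condition"}]}

def _as_list(value):
    """Policy fields may hold a single value or a list."""
    return value if isinstance(value, list) else [value]

def _trusts_account(principal, account_id):
    """True if Principal is a wildcard or names account_id (bare ID or an ARN in it)."""
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return any(p in ("*", account_id) or p.startswith(f"arn:aws:iam::{account_id}:")
               for p in aws)

def audit_trust_policy(policy, account_id, external_id):
    """Findings list; empty means each Allow of sts:AssumeRole to account_id pins the ID."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not {"sts:assumerole", "sts:*", "*"} & actions:
            continue
        if not _trusts_account(stmt.get("Principal"), account_id):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ids = [v for k, vals in cond.items() if k.lower() == "sts:externalid"
               for v in _as_list(vals)]
        if not ids:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif ids != [external_id]:
            findings.append(f"statement {i}: unexpected sts:ExternalId {ids}")
    return findings

if __name__ == "__main__":
    print([audit_trust_policy(p, ACCOUNT_ID, EXTERNAL_ID) for p in (GOOD_POLICY, WEAK_POLICY)])
```

To audit a real role, pass in the trust policy JSON copied from the role's "Trust relationships" tab together with the Account ID and External ID shown on the Tines credential.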

Key-based access

Important: AWS discourages the use of long-term access keys in third-party tools. Please consider using a role-based access AWS credential instead.

Enter the following information in the AWS New Credential page:

If you want to assume a role before performing the action, you can set values for the following fields.

  • Assumed Role ARN: The ARN of the role you wish to assume, e.g.: arn:aws:iam::123456789012:role/write-access-role

Tines will request a session with the minimum duration (15 minutes).

Using an AWS credential with an HTTP Request Action

To use an AWS credential with an HTTP Request action, include the corresponding credential widget in the action's Authorization header.

Sample AWS HTTP Request Actions

Scan a DynamoDB Table

{
  "url": "https://dynamodb.eu-west-1.amazonaws.com",
  "method": "post",
  "content_type": "json",
  "payload": {
    "TableName": "TestTable",
    "AttributesToGet": ["Id"]
  },
  "headers": {
    "Authorization": "{{ .CREDENTIAL.aws_dynamo_db }}",
    "X-Amz-Target": "DynamoDB_20120810.Scan"
  }
}

List Cloudtrails

{
  "url": "https://cloudtrail.us-east-1.amazonaws.com",
  "method": "get",
  "content_type": "form",
  "payload": {
    "Action": "DescribeTrails",
    "Version": "2013-11-01"
  },
  "headers": {
    "Authorization": "{{ .CREDENTIAL.aws_cloudtrail }}"
  }
}

List IAM Users

{
  "url": "https://iam.amazonaws.com",
  "content_type": "form",
  "method": "get",
  "payload": {
    "Action": "ListUsers",
    "Version": "2010-05-08"
  },
  "headers": {
    "Authorization": "{{ .CREDENTIAL.aws_iam }}"
  }
}