# AWS

> AWS (Amazon Web Services) is a comprehensive, evolving cloud computing platform provided by Amazon that includes a mixture of infrastructure as a service (IaaS), platform as a service (PaaS) and packaged software as a service (SaaS) offerings.

## Creating an AWS connection

### Method 1: AWS Assume Role

1. In your AWS account, create a new AWS role.

2. Set up the role's trusted identity to allow Blink's AWS account to assume your role, using Blink's account ID: `508219855436`. Select the **Require external ID** checkbox, then fill in the **External ID** provided in the connection creation in step 1.

   <Accordion title="Configuration in AWS screenshot">
     <img src="https://mintcdn.com/blinkops-2/4jJzHLYX9WcCQdrG/img/aws/select-trusted-identity.png?fit=max&auto=format&n=4jJzHLYX9WcCQdrG&q=85&s=0dd96c32ee3a3836ee9f7cf83d60c5a9" alt="select-trusted-identity" width="947" height="851" data-path="img/aws/select-trusted-identity.png" />
   </Accordion>

3. In the Blink platform, add the permissions required for your AWS actions.

4. Create the connection by completing the **My Connection** form, filling in the created Role's ARN.

<img src="https://mintcdn.com/blinkops-2/4jJzHLYX9WcCQdrG/img/aws/connection-creation.png?fit=max&auto=format&n=4jJzHLYX9WcCQdrG&q=85&s=ecd9f1906e6c6a695769e5d4d5f2584a" alt="connection-creation" width="549" height="653" data-path="img/aws/connection-creation.png" />
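The trust relationship from step 2 can be checked offline before the connection is created. This is an added example, not Blink's own code: `audit_trust_policy`, its helpers and the two sample policies are constructed for illustration, and `EXAMPLE-EXTERNAL-ID` is a placeholder for the external ID shown in the connection form.

```python
BLINK_ACCOUNT_ID = "508219855436"  # Blink's account ID, as given in step 2

def as_list(value):
    return value if isinstance(value, list) else [value]

def account_of(principal):
    """Account ID from a bare 12-digit ID or an IAM ARN; None otherwise."""
    if principal.isdigit():
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None

def external_ids(statement):
    """Values accepted by a StringEquals condition on sts:ExternalId."""
    cond = statement.get("Condition", {}).get("StringEquals", {})
    return [v for key, vals in cond.items() if key.lower() == "sts:externalid"
            for v in as_list(vals)]

def audit_trust_policy(policy, expected_external_id):
    """Return findings for a role trust policy; an empty list matches step 2."""
    findings, trusts_blink = [], False
    for stmt in as_list(policy.get("Statement", [])):
        actions = as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for p in aws:
            if p == "*":
                findings.append("wildcard principal in an Allow statement")
            elif account_of(p) == BLINK_ACCOUNT_ID:
                trusts_blink = True
                ids = external_ids(stmt)
                if not ids:
                    findings.append("Blink is trusted without an sts:ExternalId condition")
                elif ids != [expected_external_id]:
                    findings.append("sts:ExternalId does not match the connection's value")
    if not trusts_blink:
        findings.append("Blink's account is not a trusted principal")
    return findings

# Constructed sample policies (assumptions, not taken from a real account).
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::508219855436:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}
WEAK = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "sts:AssumeRole", "Principal": {"AWS": "508219855436"}}]}
print(audit_trust_policy(WEAK, "EXAMPLE-EXTERNAL-ID"))
```

To check a real role, pass the `AssumeRolePolicyDocument` returned by `aws iam get-role` in place of the sample policies.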

### Method 2: AWS Assume Role + Key

<img src="https://mintcdn.com/blinkops-2/4jJzHLYX9WcCQdrG/img/aws/diagram.png?fit=max&auto=format&n=4jJzHLYX9WcCQdrG&q=85&s=27319ca303b21e2707c4107c3be641e6" alt="connection-creation" width="1986" height="503" data-path="img/aws/diagram.png" />

This authentication method should be used when:

1. You prefer to connect Blink to your account using an access key (similar to [method #3](#method-3-aws-access-key)).
2. Unlike [method #3](#method-3-aws-access-key), the permissions you want to grant in Blink are not assigned directly to the access key's identity, but instead to an AWS role.

To use this option, first follow the steps in [method #3](#method-3-aws-access-key) to create an access key. Then, proceed with the steps in [method #1](#method-1-aws-assume-role) to create a role and associate it with the access key's identity.

## Advanced connection options

### Method 3: AWS Access Key

To create an access key and secret access key, follow [these instructions](https://docs.aws.amazon.com/powershell/latest/userguide/pstools-appendix-sign-up.html).

### Method 4: Connection by Runner's Identity

<Info>
  This method is only available for **self-hosted** Runner installations, and
  **not** for the Blink Cloud Runner.
</Info>

<img src="https://mintcdn.com/blinkops-2/4jJzHLYX9WcCQdrG/img/aws/diagram2.png?fit=max&auto=format&n=4jJzHLYX9WcCQdrG&q=85&s=6ece9d6ec290586180bdfa282951b6a1" alt="connection-creation" width="2210" height="560" data-path="img/aws/diagram2.png" />

You can perform authenticated AWS actions by assigning a role to a self-hosted Blink Runner.

To configure this authentication method, follow these steps:

1. If you haven't already, [install a self-hosted Blink runner](/docs/blink-platform/runners/secret-managers/hashicorp-vault) within your AWS environment.

2. Assign an AWS role to your Runner, using one of these methods:

   * For an EC2-based Runner, [assign a role to the EC2 instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html).
   * For a K8S-based Runner, [assign the role to the pod's service account](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html).

3. In a Blink workflow, use AWS steps without specifying a particular connection (leave the connection dropdown unselected) to leverage identity-based authentication.

## Security Best Practices

<Check>
  * We advise you to periodically rotate your **AWS Access Keys** if you use them as the method to establish a connection.

  * We recommend scoping the associated **IAM Policies** tightly and granting access only to the required actions and resources.
</Check>
