docs/integrations/app-connections/aws.mdx
Infisical supports two methods for connecting to AWS.
<Tabs> <Tab title="Assume Role (Recommended)"> Infisical will assume the provided role in your AWS account securely, without the need to share any credentials. <Accordion title="Self-Hosted Instance">
To connect your self-hosted Infisical instance with AWS, you need to set up an AWS IAM User account that can assume the configured AWS IAM Role.
<Note>
If your Infisical instance is deployed on AWS (e.g. EC2, ECS, or EKS), you do not need to provide static credentials. When the `INF_APP_CONNECTION_AWS_ACCESS_KEY_ID` and `INF_APP_CONNECTION_AWS_SECRET_ACCESS_KEY` environment variables are not set, Infisical will automatically retrieve credentials from your instance's environment (instance profile, task role, or IRSA). Simply ensure that the IAM role attached to your compute has the permission policy below to assume your target roles.
</Note>
The following steps are for instances **not** deployed on AWS:
<Steps>
<Step title="Create an IAM User">
Navigate to [Create IAM User](https://console.aws.amazon.com/iamv2/home#/users/create) in your AWS Console.
</Step>
<Step title="Create an Inline Policy">
Attach the following inline permission policy to the IAM User to allow it to assume any IAM Roles:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAssumeAnyRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::*:role/*"
}
]
}
```
</Step>
<Step title="Obtain the IAM User Credentials">
Obtain the AWS access key ID and secret access key for your IAM User by navigating to **IAM > Users > [Your User] > Security credentials > Access keys**.
</Step>
<Step title="Set Up Connection Keys">
1. Set the access key as **INF_APP_CONNECTION_AWS_ACCESS_KEY_ID**.
2. Set the secret key as **INF_APP_CONNECTION_AWS_SECRET_ACCESS_KEY**.
</Step>
</Steps>
</Accordion>
<Steps>
<Step title="Create the Managing User IAM Role for Infisical">
1. Navigate to the [Create IAM Role](https://console.aws.amazon.com/iamv2/home#/roles/create?step=selectEntities) page in your AWS Console.
2. Select **AWS Account** as the **Trusted Entity Type**.
3. Select **Another AWS Account** and provide the appropriate Infisical AWS Account ID: use **381492033652** for the **US region**, and **345594589636** for the **EU region**. This restricts the role to be assumed only by Infisical. If self-hosting, provide your AWS account number instead.
<Note>
**For Dedicated Instances**: Your AWS account ID differs from the one provided above. Please reach out to Infisical support to obtain your AWS account ID.
</Note>
4. (Recommended) <strong>Enable "Require external ID"</strong> and input your **Organization ID** to strengthen security and mitigate the [confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html).
<Warning type="warning" title="Security Best Practice: Use External ID to Prevent Confused Deputy Attacks">
When configuring an IAM Role that Infisical will assume, it’s highly recommended to enable the **"Require external ID"** option and specify your **Organization ID**.
This precaution helps protect your AWS account against the [confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html), a potential security vulnerability where Infisical could be tricked into performing actions on your behalf by an unauthorized actor.
<strong>Always enable "Require external ID" and use your Organization ID when setting up the IAM Role.</strong>
</Warning>
</Step>
<Step title="Add Required Permissions to the IAM Role">
Navigate to your IAM role permissions and click **Create Inline Policy**.
Depending on your use case, add one or more of the following policies to your IAM Role:
<Tabs>
<Tab title="Secret Sync">
<AccordionGroup>
<Accordion title="AWS Secrets Manager">
Use the following custom policy to grant the minimum permissions required by Infisical to sync secrets to AWS Secrets Manager:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSecretsManagerAccess",
"Effect": "Allow",
"Action": [
"secretsmanager:ListSecrets",
"secretsmanager:GetSecretValue",
"secretsmanager:BatchGetSecretValue",
"secretsmanager:CreateSecret",
"secretsmanager:UpdateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:DescribeSecret",
"secretsmanager:TagResource",
"secretsmanager:UntagResource",
"kms:ListAliases", // if you need to specify the KMS key
"kms:Encrypt", // if you need to specify the KMS key
"kms:Decrypt", // if you need to specify the KMS key
"kms:DescribeKey" // if you need to specify the KMS key
],
"Resource": "*"
}
]
}
```
<Note>If using a custom KMS key, be sure to add the IAM user or role as a key user. </Note>
</Accordion>
<Accordion title="AWS Parameter Store">
Use the following custom policy to grant the minimum permissions required by Infisical to sync secrets to AWS Parameter Store:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSSMAccess",
"Effect": "Allow",
"Action": [
"ssm:PutParameter",
"ssm:GetParameters",
"ssm:GetParametersByPath",
"ssm:DescribeParameters",
"ssm:DeleteParameters",
"ssm:ListTagsForResource", // if you need to add tags to secrets
"ssm:AddTagsToResource", // if you need to add tags to secrets
"ssm:RemoveTagsFromResource", // if you need to add tags to secrets
"kms:ListAliases", // if you need to specify the KMS key
"kms:Encrypt", // if you need to specify the KMS key
"kms:Decrypt", // if you need to specify the KMS key
"kms:DescribeKey" // if you need to specify the KMS key
],
"Resource": "*"
}
]
}
```
<Note>If using a custom KMS key, be sure to add the IAM user or role as a key user. </Note>
</Accordion>
</AccordionGroup>
</Tab>
<Tab title="Secret Rotation">
<AccordionGroup>
<Accordion title="AWS IAM">
Use the following custom policy to grant the minimum permissions required by Infisical to rotate secrets to AWS Access Keys:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListAccessKeys",
"iam:CreateAccessKey",
"iam:UpdateAccessKey",
"iam:DeleteAccessKey",
"iam:ListUsers"
],
"Resource": "*"
}
]
}
```
</Accordion>
</AccordionGroup>
</Tab>
<Tab title="PKI Sync">
<AccordionGroup>
<Accordion title="AWS Certificate Manager">
Use the following custom policy to grant the minimum permissions required by Infisical to sync certificates to AWS Certificate Manager:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCertificateManagerAccess",
"Effect": "Allow",
"Action": [
"acm:ListCertificates",
"acm:DescribeCertificate",
"acm:GetCertificate",
"acm:ImportCertificate",
"acm:ExportCertificate",
"acm:DeleteCertificate",
"acm:AddTagsToCertificate",
"acm:RemoveTagsFromCertificate",
"acm:ListTagsForCertificate"
],
"Resource": "*"
}
]
}
```
<Note>
- **ListCertificates**: Lists all certificates in the account
- **ImportCertificate**: Imports certificates from Infisical into AWS Certificate Manager
- **ExportCertificate**: Exports certificates for synchronization
- **DeleteCertificate**: Removes certificates that are no longer managed by Infisical
- **DescribeCertificate** and **GetCertificate**: Retrieves certificate details for comparison during sync
- Tag-related permissions: Manages certificate tags for identification and organization
</Note>
</Accordion>
<Accordion title="AWS Elastic Load Balancer">
Use the following custom policy to grant the minimum permissions required by Infisical to sync certificates to AWS Elastic Load Balancers:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCertificateManagerAccess",
"Effect": "Allow",
"Action": [
"acm:ListCertificates",
"acm:DescribeCertificate",
"acm:ImportCertificate",
"acm:DeleteCertificate",
"acm:ListTagsForCertificate"
],
"Resource": "*"
},
{
"Sid": "AllowElasticLoadBalancerAccess",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:AddListenerCertificates",
"elasticloadbalancing:RemoveListenerCertificates",
"elasticloadbalancing:ModifyListener"
],
"Resource": "*"
}
]
}
```
<Note>
**ACM Permissions:**
- **ListCertificates**: Lists all certificates in the account
- **ImportCertificate**: Imports certificates from Infisical into AWS Certificate Manager
- **DeleteCertificate**: Removes certificates that are no longer managed by Infisical
- **DescribeCertificate**: Retrieves certificate details for comparison during sync
- **ListTagsForCertificate**: Retrieves certificate tags for identification
**ELB Permissions:**
- **DescribeLoadBalancers**: Lists available load balancers for selection
- **DescribeListeners**: Lists HTTPS/TLS listeners on load balancers
- **DescribeListenerCertificates**: Lists certificates attached to listeners
- **AddListenerCertificates**: Attaches certificates to listeners
- **RemoveListenerCertificates**: Removes certificates from listeners
- **ModifyListener**: Sets the default certificate on listeners
</Note>
</Accordion>
</AccordionGroup>
</Tab>
<Tab title="External Certificate Authority">
<AccordionGroup>
<Accordion title="AWS Private CA">
Use the following custom policy to grant the minimum permissions required by Infisical to issue certificates via AWS Private CA.
For a **single CA**, scope the `Resource` to that CA's ARN:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAwsPrivateCAAccess",
"Effect": "Allow",
"Action": [
"acm-pca:DescribeCertificateAuthority",
"acm-pca:GetCertificateAuthorityCertificate",
"acm-pca:IssueCertificate",
"acm-pca:GetCertificate",
"acm-pca:RevokeCertificate"
],
"Resource": "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/your-ca-id"
}
]
}
```
For **multiple CAs**, list each ARN in the `Resource` array:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAwsPrivateCAAccess",
"Effect": "Allow",
"Action": [
"acm-pca:DescribeCertificateAuthority",
"acm-pca:GetCertificateAuthorityCertificate",
"acm-pca:IssueCertificate",
"acm-pca:GetCertificate",
"acm-pca:RevokeCertificate"
],
"Resource": [
"arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/ca-id-1",
"arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/ca-id-2"
]
}
]
}
```
<Note>
- **DescribeCertificateAuthority**: Validates the CA status and configuration
- **GetCertificateAuthorityCertificate**: Retrieves the CA certificate and chain
- **IssueCertificate**: Issues certificates from the private CA
- **GetCertificate**: Retrieves issued certificates
- **RevokeCertificate**: Revokes previously issued certificates
Using a specific CA ARN in `Resource` is recommended over `"*"` to follow the principle of least privilege.
</Note>
</Accordion>
<Accordion title="AWS ACM Public CA">
Use the following custom policy to grant the minimum permissions required by Infisical to issue publicly-trusted certificates via AWS Certificate Manager and perform DNS validation through Route 53.
**ACM permissions** — `RequestCertificate` cannot be scoped below `"*"` because the certificate ARN does not exist until after the call succeeds:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAcmPublicCaAccess",
"Effect": "Allow",
"Action": [
"acm:RequestCertificate",
"acm:DescribeCertificate",
"acm:ExportCertificate",
"acm:RenewCertificate",
"acm:RevokeCertificate",
"acm:ListCertificates"
],
"Resource": "*"
}
]
}
```
**Route 53 permissions** — scope to the hosted zone(s) used for DNS validation:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowRoute53ForAcmValidation",
"Effect": "Allow",
"Action": [
"route53:GetHostedZone",
"route53:ChangeResourceRecordSets"
],
"Resource": "arn:aws:route53:::hostedzone/YOUR_HOSTED_ZONE_ID"
}
]
}
```
ACM and Route 53 permissions can live on the same IAM principal, or be split across two separate connections in Infisical.
<Note>
**ACM Permissions:**
- **RequestCertificate**: Requests a new public certificate from ACM
- **DescribeCertificate**: Retrieves certificate status and DNS validation records
- **ExportCertificate**: Exports the issued certificate and private key to Infisical
- **RenewCertificate**: Triggers renewal of an existing certificate
- **RevokeCertificate**: Revokes a previously issued certificate
- **ListCertificates**: Used during connection validation
**Route 53 Permissions:**
- **GetHostedZone**: Validates the hosted zone during CA setup
- **ChangeResourceRecordSets**: Writes the ACM DNS validation CNAME records
</Note>
</Accordion>
</AccordionGroup>
</Tab>
</Tabs>
</Step>
<Step title="Copy the AWS IAM Role ARN">
</Step>
<Step title="Setup AWS Connection in Infisical">
<Tabs>
<Tab title="Infisical UI">
1. Navigate to the **Integrations** tab in the desired project, then select **App Connections**.
2. Select the **AWS Connection** option.
3. Select the **Assume Role** method option and provide the **AWS IAM Role ARN** obtained from the previous step and press **Connect to AWS**.
4. Your **AWS Connection** is now available for use.
</Tab>
<Tab title="API">
To create an AWS Connection, make an API request to the [Create AWS
Connection](/api-reference/endpoints/app-connections/aws/create) API endpoint.
### Sample request
```bash Request
curl --request POST \
--url https://app.infisical.com/api/v1/app-connections/aws \
--header 'Content-Type: application/json' \
--data '{
"name": "my-aws-connection",
"method": "assume-role",
"projectId": "7ffbb072-2575-495a-b5b0-127f88caef78",
"credentials": {
"roleArn": "...",
}
}'
```
### Sample response
```bash Response
{
"appConnection": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-aws-connection",
"projectId": "7ffbb072-2575-495a-b5b0-127f88caef78",
"version": 123,
"orgId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"app": "aws",
"method": "assume-role",
"credentials": {}
}
}
```
</Tab>
</Tabs>
</Step>
</Steps>
</Tab>
<Tab title="Access Key">
Infisical will use the provided **Access Key ID** and **Secret Key** to connect to your AWS instance.
<Steps>
<Step title="Add Required Permissions to the IAM User">
Navigate to your IAM user permissions and click **Create Inline Policy**.
Depending on your use case, add one or more of the following policies to your user:
<Tabs>
<Tab title="Secret Sync">
<AccordionGroup>
<Accordion title="AWS Secrets Manager">
Use the following custom policy to grant the minimum permissions required by Infisical to sync secrets to AWS Secrets Manager:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSecretsManagerAccess",
"Effect": "Allow",
"Action": [
"secretsmanager:ListSecrets",
"secretsmanager:GetSecretValue",
"secretsmanager:BatchGetSecretValue",
"secretsmanager:CreateSecret",
"secretsmanager:UpdateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:DescribeSecret",
"secretsmanager:TagResource",
"secretsmanager:UntagResource",
"kms:ListAliases", // if you need to specify the KMS key
"kms:Encrypt", // if you need to specify the KMS key
"kms:Decrypt", // if you need to specify the KMS key
"kms:DescribeKey" // if you need to specify the KMS key
],
"Resource": "*"
}
]
}
```
<Note>If using a custom KMS key, be sure to add the IAM user or role as a key user. </Note>
</Accordion>
<Accordion title="AWS Parameter Store">
Use the following custom policy to grant the minimum permissions required by Infisical to sync secrets to AWS Parameter Store:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSSMAccess",
"Effect": "Allow",
"Action": [
"ssm:PutParameter",
"ssm:GetParameters",
"ssm:GetParametersByPath",
"ssm:DescribeParameters",
"ssm:DeleteParameters",
"ssm:ListTagsForResource", // if you need to add tags to secrets
"ssm:AddTagsToResource", // if you need to add tags to secrets
"ssm:RemoveTagsFromResource", // if you need to add tags to secrets
"kms:ListAliases", // if you need to specify the KMS key
"kms:Encrypt", // if you need to specify the KMS key
"kms:Decrypt", // if you need to specify the KMS key
"kms:DescribeKey" // if you need to specify the KMS key
],
"Resource": "*"
}
]
}
```
<Note>If using a custom KMS key, be sure to add the IAM user or role as a key user. </Note>
</Accordion>
</AccordionGroup>
</Tab>
<Tab title="Secret Rotation">
<AccordionGroup>
<Accordion title="AWS IAM">
Use the following custom policy to grant the minimum permissions required by Infisical to rotate secrets to AWS Access Keys:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListAccessKeys",
"iam:CreateAccessKey",
"iam:UpdateAccessKey",
"iam:DeleteAccessKey",
"iam:ListUsers"
],
"Resource": "*"
}
]
}
```
</Accordion>
</AccordionGroup>
</Tab>
<Tab title="PKI Sync">
<AccordionGroup>
<Accordion title="AWS Certificate Manager">
Use the following custom policy to grant the minimum permissions required by Infisical to sync certificates to AWS Certificate Manager:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCertificateManagerAccess",
"Effect": "Allow",
"Action": [
"acm:ListCertificates",
"acm:DescribeCertificate",
"acm:GetCertificate",
"acm:ImportCertificate",
"acm:ExportCertificate",
"acm:DeleteCertificate",
"acm:AddTagsToCertificate",
"acm:RemoveTagsFromCertificate",
"acm:ListTagsForCertificate"
],
"Resource": "*"
}
]
}
```
<Note>
- **ListCertificates**: Lists all certificates in the account
- **ImportCertificate**: Imports certificates from Infisical into AWS Certificate Manager
- **ExportCertificate**: Exports certificates for synchronization
- **DeleteCertificate**: Removes certificates that are no longer managed by Infisical
- **DescribeCertificate** and **GetCertificate**: Retrieves certificate details for comparison during sync
- Tag-related permissions: Manages certificate tags for identification and organization
</Note>
</Accordion>
<Accordion title="AWS Elastic Load Balancer">
Use the following custom policy to grant the minimum permissions required by Infisical to sync certificates to AWS Elastic Load Balancers:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCertificateManagerAccess",
"Effect": "Allow",
"Action": [
"acm:ListCertificates",
"acm:DescribeCertificate",
"acm:ImportCertificate",
"acm:DeleteCertificate",
"acm:ListTagsForCertificate"
],
"Resource": "*"
},
{
"Sid": "AllowElasticLoadBalancerAccess",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:AddListenerCertificates",
"elasticloadbalancing:RemoveListenerCertificates",
"elasticloadbalancing:ModifyListener"
],
"Resource": "*"
}
]
}
```
<Note>
**ACM Permissions:**
- **ListCertificates**: Lists all certificates in the account
- **ImportCertificate**: Imports certificates from Infisical into AWS Certificate Manager
- **DeleteCertificate**: Removes certificates that are no longer managed by Infisical
- **DescribeCertificate**: Retrieves certificate details for comparison during sync
- **ListTagsForCertificate**: Retrieves certificate tags for identification
**ELB Permissions:**
- **DescribeLoadBalancers**: Lists available load balancers for selection
- **DescribeListeners**: Lists HTTPS/TLS listeners on load balancers
- **DescribeListenerCertificates**: Lists certificates attached to listeners
- **AddListenerCertificates**: Attaches certificates to listeners
- **RemoveListenerCertificates**: Removes certificates from listeners
- **ModifyListener**: Sets the default certificate on listeners
</Note>
</Accordion>
</AccordionGroup>
</Tab>
<Tab title="External CA">
<AccordionGroup>
<Accordion title="AWS Private CA">
Use the following custom policy to grant the minimum permissions required by Infisical to issue certificates via AWS Private CA.
For a **single CA**, scope the `Resource` to that CA's ARN:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAwsPrivateCAAccess",
"Effect": "Allow",
"Action": [
"acm-pca:DescribeCertificateAuthority",
"acm-pca:GetCertificateAuthorityCertificate",
"acm-pca:IssueCertificate",
"acm-pca:GetCertificate",
"acm-pca:RevokeCertificate"
],
"Resource": "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/your-ca-id"
}
]
}
```
For **multiple CAs**, list each ARN in the `Resource` array:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAwsPrivateCAAccess",
"Effect": "Allow",
"Action": [
"acm-pca:DescribeCertificateAuthority",
"acm-pca:GetCertificateAuthorityCertificate",
"acm-pca:IssueCertificate",
"acm-pca:GetCertificate",
"acm-pca:RevokeCertificate"
],
"Resource": [
"arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/ca-id-1",
"arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/ca-id-2"
]
}
]
}
```
<Note>
- **DescribeCertificateAuthority**: Validates the CA status and configuration
- **GetCertificateAuthorityCertificate**: Retrieves the CA certificate and chain
- **IssueCertificate**: Issues certificates from the private CA
- **GetCertificate**: Retrieves issued certificates
- **RevokeCertificate**: Revokes previously issued certificates
Using a specific CA ARN in `Resource` is recommended over `"*"` to follow the principle of least privilege.
</Note>
</Accordion>
<Accordion title="AWS ACM Public CA">
Use the following custom policy to grant the minimum permissions required by Infisical to issue publicly-trusted certificates via AWS Certificate Manager and perform DNS validation through Route 53.
**ACM permissions** — `RequestCertificate` cannot be scoped below `"*"` because the certificate ARN does not exist until after the call succeeds:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAcmPublicCaAccess",
"Effect": "Allow",
"Action": [
"acm:RequestCertificate",
"acm:DescribeCertificate",
"acm:ExportCertificate",
"acm:RenewCertificate",
"acm:RevokeCertificate",
"acm:ListCertificates"
],
"Resource": "*"
}
]
}
```
**Route 53 permissions** — scope to the hosted zone(s) used for DNS validation:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowRoute53ForAcmValidation",
"Effect": "Allow",
"Action": [
"route53:GetHostedZone",
"route53:ChangeResourceRecordSets"
],
"Resource": "arn:aws:route53:::hostedzone/YOUR_HOSTED_ZONE_ID"
}
]
}
```
ACM and Route 53 permissions can live on the same IAM principal, or be split across two separate connections in Infisical.
<Note>
**ACM Permissions:**
- **RequestCertificate**: Requests a new public certificate from ACM
- **DescribeCertificate**: Retrieves certificate status and DNS validation records
- **ExportCertificate**: Exports the issued certificate and private key to Infisical
- **RenewCertificate**: Triggers renewal of an existing certificate
- **RevokeCertificate**: Revokes a previously issued certificate
- **ListCertificates**: Used during connection validation
**Route 53 Permissions:**
- **GetHostedZone**: Validates the hosted zone during CA setup
- **ChangeResourceRecordSets**: Writes the ACM DNS validation CNAME records
</Note>
</Accordion>
</AccordionGroup>
</Tab>
</Tabs>
</Step>
<Step title="Obtain Access Key ID and Secret Access Key">
Retrieve an AWS **Access Key ID** and a **Secret Key** for your IAM user in **IAM > Users > User > Security credentials > Access keys**.
</Step>
<Step title="Setup AWS Connection in Infisical">
<Tabs>
<Tab title="Infisical UI">
1. Navigate to the **Integrations** tab in the desired project, then select **App Connections**.
2. Select the **AWS Connection** option.
3. Select the **Access Key** method option and provide the **Access Key ID** and **Secret Key** obtained from the previous step and press **Connect to AWS**.
4. Your **AWS Connection** is now available for use.
</Tab>
<Tab title="API">
To create an AWS Connection, make an API request to the [Create AWS
Connection](/api-reference/endpoints/app-connections/aws/create) API endpoint.
### Sample request
```bash Request
curl --request POST \
--url https://app.infisical.com/api/v1/app-connections/aws \
--header 'Content-Type: application/json' \
--data '{
"name": "my-aws-connection",
"method": "access-key",
"projectId": "7ffbb072-2575-495a-b5b0-127f88caef78",
"credentials": {
"accessKeyId": "...",
"secretKey": "..."
}
}'
```
### Sample response
```bash Response
{
"appConnection": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-aws-connection",
"projectId": "7ffbb072-2575-495a-b5b0-127f88caef78",
"version": 123,
"orgId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"app": "aws",
"method": "access-key",
"credentials": {
"accessKeyId": "..."
}
}
}
```
</Tab>
</Tabs>
</Step>
</Steps>
</Tab>