# AWS

You will need to configure MechCloud IdP as an identity provider in your AWS account so that this integration works without AWS API credentials.

### Configure MechCloud IdP in the AWS Account

#### Add an identity provider

* Log on to the [AWS console](https://aws.amazon.com/console).
* Navigate to **IAM -> Identity providers**, click on the **Add provider** button and add an OIDC identity provider with the following details:

| Field            | Value                                                                      |
| ---------------- | -------------------------------------------------------------------------- |
| **Provider URL** | [https://id.mechcloud.io/](https://mechcloud-piston-preview.eu.auth0.com/) |
| **Audience**     | n6dMQlo8ZCE5QxLY4o2KjeBaSn8eefTX                                           |

<figure><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1729325960259/76e48415-0545-4775-b5fe-9552a802a422.png" alt=""><figcaption></figcaption></figure>

#### Create an IAM role

Now assign an IAM role to the newly added **OIDC** provider by following the instructions below:

* Go to **IAM -> Identity providers** and click on the provider created in the previous section.
* Click on the **Assign role** button.
* Select the **Create a new role** radio button.
* Select the following details on the next page and click on the **Next** button:

<figure><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1729326228581/21b6b322-6b81-49e2-9967-9ddafa0b2251.png" alt=""><figcaption></figcaption></figure>

* On the next page, select the permissions policies (e.g. [AmazonEC2ReadOnlyAccess](https://us-east-1.console.aws.amazon.com/iam/home?region=ap-south-1#/policies/details/arn%3Aaws%3Aiam%3A%3Aaws%3Apolicy%2FAmazonEC2ReadOnlyAccess)) that you want to assign to this role and click on the **Next** button.
* Specify **MechCloudWebIdentityRole** (or any other name) under Role name on the next page and click on the **Create role** button to create the role. If you decide to use a different name for this role, replace **MechCloudWebIdentityRole** with that name in the following steps.
* **(IMPORTANT)** Make sure that you specify a condition under the **Trust relationships** tab of the **MechCloudWebIdentityRole** role, as shown in the image below, so that only users with specific email IDs can assume this role. **Without this condition, any user who is logged into MechCloud and knows your AWS account number and the role name will be able to assume this role in your AWS account, which can result in unexpected charges if you have assigned permissions to provision AWS resources to this role.**

<figure><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1729326763321/7ab79856-884f-4cdd-9f39-10f72811256f.png" alt=""><figcaption></figcaption></figure>

* **(IMPORTANT) Also, make sure to revoke existing sessions whenever you remove a user from the condition highlighted above. This blocks access for users who were removed from that condition but still hold a valid session token.**

<figure><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1719851250330/1a34e6aa-b179-4707-8bde-6fd69a571a9b.png" alt=""><figcaption></figcaption></figure>
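The two warnings above (a trust policy with no per-user condition, and stale sessions after a user is removed) can both be checked and acted on from code. The following is an added example, not MechCloud's or AWS's own code: it lints a role trust policy for the audience pin and a per-user condition, and builds the inline deny policy that the console's "Revoke active sessions" button attaches. The account ID and the `sub` claim key in the sample policy are assumptions; use the claim key shown in the screenshot above.

```python
import json
from datetime import datetime, timezone

# Values from this page: the OIDC provider host registered in IAM and its audience.
PROVIDER = "id.mechcloud.io"
AUDIENCE = "n6dMQlo8ZCE5QxLY4o2KjeBaSn8eefTX"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy_findings(policy: dict) -> list:
    """Lint a role trust policy for the two properties this page requires: the
    audience is pinned, and a second provider condition limits which MechCloud
    users may assume the role. Returns a list of findings (empty means OK)."""
    findings, aud_key = [], f"{PROVIDER}:aud"
    for stmt in _as_list(policy.get("Statement", [])):
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", []))):
            continue
        # Condition is {operator: {key: value}}; collect every key across operators.
        keys = {k for op in stmt.get("Condition", {}).values() for k in op}
        if aud_key not in keys:
            findings.append(f"audience not pinned (missing {aud_key})")
        if not any(k.startswith(PROVIDER + ":") and k != aud_key for k in keys):
            findings.append("no per-user condition: any MechCloud user who knows the "
                            "account ID and role name could assume this role")
    return findings

def revoke_sessions_policy(issued_before: datetime) -> dict:
    """Inline deny policy equivalent to the console's 'Revoke active sessions'
    action: credentials issued before the cut-off stop working immediately."""
    cutoff = issued_before.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": ["*"], "Resource": ["*"],
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff}}}]}

# Constructed sample: the trust policy as first created, before the per-user
# condition is added. The account ID is a placeholder, and the claim key used for
# the per-user restriction (shown in the page's screenshot) is assumed to be "sub".
UNRESTRICTED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{PROVIDER}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {f"{PROVIDER}:aud": AUDIENCE}}}]}
RESTRICTED = json.loads(json.dumps(UNRESTRICTED))  # deep copy, then add the condition
RESTRICTED["Statement"][0]["Condition"]["StringEquals"][f"{PROVIDER}:sub"] = ["alice@example.com"]
```

`trust_policy_findings(UNRESTRICTED)` reports the missing per-user condition while `RESTRICTED` passes; the dict from `revoke_sessions_policy` can be attached to the role as an inline policy with `aws iam put-role-policy`.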

### Add an AWS Account with newly created IAM Role

* Log on to [MechCloud](https://portal-preview.mechcloud.io) and navigate to **Infrastructure** -> **Cloud Accounts**.
* Select a team.
* Select AWS in the **Select a cloud provider** dropdown. This displays all the cloud accounts added for the AWS cloud provider.
* Click on the **New Cloud Account** button.
* Enter a name for your account.
* Enter the AWS account number and IAM role details as shown below:

<figure><img src="https://3435649067-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQGHt89wn8Cn0pcK36Wir%2Fuploads%2FPMhkcn3QiH2hQ1CAm6nu%2Fimage.png?alt=media&#x26;token=310252d5-e4b1-42c1-a1c5-c05ae51b944b" alt="" width="563"><figcaption></figcaption></figure>

* Click on the **Save** button to add the cloud account.
