# Amazon Web Services (AWS)

The AWS Cloud Provider lets DuploCloud AI agents interact with your AWS account — querying resources, running CLI commands, and managing infrastructure on your behalf. There are two ways to authenticate: using an **IAM Role** (recommended) or using an **Access Key**.

> Use this [CloudFormation Template](https://us-west-2.console.aws.amazon.com/cloudformation/home?region=us-west-2#/stacks/create/review?templateURL=https://duploservices-ai-access-227120241369.s3.us-west-2.amazonaws.com/aws.yaml) to easily create the AWS and Kubernetes Credentials you can use to connect with DuploCloud. You can also [Download the CloudFormation Template](https://duploservices-ai-access-227120241369.s3.us-west-2.amazonaws.com/aws.yaml) for review. For more information, refer to [this public git repo](https://github.com/duplocloud/duplocloud-helpdesk-access).

***

## Setting Up IAM Access with CloudFormation (Recommended)

Before adding credentials, you need an IAM role in your AWS account that HelpDesk can assume. The easiest way is the **DuploCloud Access CloudFormation template** — it takes 2–3 minutes and outputs Role ARNs you can use directly.

> [Launch CloudFormation Stack](https://us-west-2.console.aws.amazon.com/cloudformation/home?region=us-west-2#/stacks/create/review?templateURL=https://duploservices-ai-access-227120241369.s3.us-west-2.amazonaws.com/aws.yaml) | [Download Template](https://duploservices-ai-access-227120241369.s3.us-west-2.amazonaws.com/aws.yaml) | [GitHub Repo](https://github.com/duplocloud/duplocloud-helpdesk-access)

**What it creates** — four IAM roles, each independently enabled or disabled:

| Role                                    | Policy                                               | Default |
| --------------------------------------- | ---------------------------------------------------- | ------- |
| `DuploCloud-AWS-Admin`                  | `AdministratorAccess`                                | Off     |
| `DuploCloud-AWS-ReadOnly`               | `ReadOnlyAccess`                                     | **On**  |
| `DuploCloud-EKS-Admin-<ClusterName>`    | `AmazonEKSClusterAdminPolicy` (via EKS Access Entry) | Off     |
| `DuploCloud-EKS-ReadOnly-<ClusterName>` | `AmazonEKSViewPolicy` (via EKS Access Entry)         | **On**  |

**Parameters:**

| Parameter           | Default   | Description                                                                                                                                                  |
| ------------------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `EnableAWSAdmin`    | `false`   | Creates `DuploCloud-AWS-Admin` with `AdministratorAccess`                                                                                                    |
| `EnableAWSReadOnly` | `true`    | Creates `DuploCloud-AWS-ReadOnly` with `ReadOnlyAccess`                                                                                                      |
| `EnableEKSAdmin`    | `false`   | Creates `DuploCloud-EKS-Admin-<ClusterName>` with cluster admin access                                                                                       |
| `EnableEKSReadOnly` | `true`    | Creates `DuploCloud-EKS-ReadOnly-<ClusterName>` with read-only cluster access                                                                                |
| `EKSClusterName`    | *(empty)* | Required if either EKS role is enabled — must match the exact cluster name                                                                                   |
| `HelpdeskAccountId` | *(empty)* | The AWS account ID where HelpDesk is deployed. Sets the IAM trust policy so HelpDesk can assume the created roles. Leave empty for same-account access only. |

Once the stack shows `CREATE_COMPLETE`, copy the relevant Role ARN(s) from the **Outputs** tab and use them as IAM Role credentials in the steps below.

> **Revoking access:** Delete the CloudFormation stack to remove all created roles and trust policies.
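
A pre-flight check for the parameters above, added here as an example (not part of the DuploCloud template or repo). It applies only the rules stated in the table; the function name `preflight` and the `"true"`/`"false"` string values are assumptions. Note that the listed defaults enable `EnableEKSReadOnly` while `EKSClusterName` is empty, so the check reports an error until a cluster name is supplied or the EKS roles are disabled.

```python
import re

# Defaults exactly as listed in the Parameters table above.
TEMPLATE_DEFAULTS = {
    "EnableAWSAdmin": "false", "EnableAWSReadOnly": "true",
    "EnableEKSAdmin": "false", "EnableEKSReadOnly": "true",
    "EKSClusterName": "", "HelpdeskAccountId": "",
}
# Switches that create the two admin roles, with the policy each one attaches.
ADMIN_SWITCHES = {"EnableAWSAdmin": "AdministratorAccess",
                  "EnableEKSAdmin": "AmazonEKSClusterAdminPolicy"}

def preflight(overrides):
    """Merge overrides onto the defaults; return (parameters, errors, warnings)."""
    unknown = set(overrides) - set(TEMPLATE_DEFAULTS)
    errors = [f"unknown parameter: {k}" for k in sorted(unknown)]
    warnings = []
    p = {**TEMPLATE_DEFAULTS,
         **{k: v for k, v in overrides.items() if k not in unknown}}
    eks_on = p["EnableEKSAdmin"] == "true" or p["EnableEKSReadOnly"] == "true"
    if eks_on and not p["EKSClusterName"]:
        errors.append("EKSClusterName is required while an EKS role is enabled")
    if p["HelpdeskAccountId"] and not re.fullmatch(r"\d{12}", p["HelpdeskAccountId"]):
        errors.append("HelpdeskAccountId must be a 12-digit AWS account ID")
    if not p["HelpdeskAccountId"]:
        warnings.append("HelpdeskAccountId empty: same-account access only")
    for switch, policy in ADMIN_SWITCHES.items():
        if p[switch] == "true":
            warnings.append(f"{switch} grants {policy}")
    # Shape accepted by the Parameters list of CloudFormation's CreateStack call.
    params = [{"ParameterKey": k, "ParameterValue": v} for k, v in p.items()]
    return params, errors, warnings
```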

***

## Step 1 — Add the AWS Provider

Navigate to **Providers** in the left sidebar, select your tenant (e.g. **IT**), and click the **Cloud** tab. Click **+ Add** in the top-right corner.

![Cloud providers list](/files/6hA79qGA8REdlqHS3rmX)

Fill in the **Add Provider** form:

* **Name** — a name for this provider (e.g. `AWS-test`)
* **Type** — select `AWS`
* **Account ID** — your AWS account ID (12-digit number)

Click **Create Provider**.

![Add Provider form](/files/5WDfWPk1MrZBEFsiMnr8)

The provider appears in the list with a success notification.

![Provider created successfully](/files/1fVTtgfGbqBqKf6MJlaE)

***

## Method 1 — IAM Role

Using an IAM Role is the recommended approach. Instead of storing long-term credentials, DuploCloud assumes a role in your AWS account to perform actions.

> **Important:** You must add the AWS account used by DuploCloud as a **trusted entity** in your IAM role's trust policy. Without this, the role assumption will fail and the agent will not be able to access your AWS resources.
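
One way to check the trusted entity before adding the credential, as an added example (not DuploCloud code). It audits a role's trust policy JSON (the `AssumeRolePolicyDocument` that `aws iam get-role` returns) and reports any principal other than the expected account. The account ID `111122223333`, the sample policy and the function names are constructed for illustration, since the page does not state DuploCloud's account ID.

```python
import json
import re

HELPDESK_ACCOUNT_ID = "111122223333"  # constructed placeholder, not from the page
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}

# Constructed sample: one statement trusting the expected account, two that do not.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": ["arn:aws:iam::444455556666:role/ci", "*"]}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "ec2.amazonaws.com"}},
    ],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Return the 12-digit account ID of an AWS principal string, or None."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    m = re.fullmatch(r"arn:aws[\w-]*:(?:iam|sts)::(\d{12}):.+", principal)
    return m.group(1) if m else None

def audit_trust_policy(policy_json, expected_account):
    """Return (trusts_expected, findings). Condition blocks are not evaluated."""
    trusts_expected, findings = False, []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not ASSUME_ACTIONS & actions:
            continue
        principal = stmt.get("Principal", {})
        principal = {"AWS": "*"} if principal == "*" else principal
        for kind, values in principal.items():
            for p in _as_list(values):
                if kind != "AWS":
                    findings.append(f"statement {i}: non-AWS principal {kind}={p}")
                elif p == "*":
                    findings.append(f"statement {i}: wildcard principal")
                elif _account_of(p) == expected_account:
                    trusts_expected = True
                else:
                    findings.append(f"statement {i}: unexpected principal {p}")
    return trusts_expected, findings
```

A role is ready to register when the first return value is `True` and the findings list is empty.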

### Step 2 — Add an IAM Role Credential

Click on your new provider to open it, then go to the **Credentials** tab. Click **+ Add**.

In the **Add Credential** modal:

* **Name** — a name for this credential (e.g. `AWS-test-IAM`)
* **Credential Type** — select `IAM Role`
* **IAM Role ARN** — the full ARN of the IAM role to assume (e.g. `arn:aws:iam::774157348504:role/duplocloud-test-role`)

Click **Create**.

![Add IAM Role credential](/files/LPcv2VsF5C7PGOGi5hVg)

The credential is created and you are returned to the **Scope** tab.

![IAM Role credential created](/files/l9tF0yrBPSotORxoNWFV)

### Step 3 — Add a Scope

With the credential in place, click **+ Add** on the **Scope** tab to define what region and resources this scope covers.

* **Name** — a name for this scope (e.g. `AWS-test-IAM-role`)
* **Credential** — select the IAM Role credential you just created
* **Region** — select the AWS region (e.g. `US East (N. Virginia) | us-east-1`)
* **Resource Types** — select specific resource types or choose `All Resources`
* **Tags** — optionally filter by resource tags

Click **Create**.

![Add Scope for IAM Role](/files/dwdQalV29rWG1iJXpt7T)

### Step 4 — Use the Scope in a Ticket

Go to **HelpDesk** and create a new ticket. In the scope selector, choose the IAM Role scope you created under your provider.

![Selecting the IAM Role scope](/files/orUpbVLaCtisU34NfRST)

Type your request and click **Create Ticket**.

![Ticket with IAM Role scope selected](/files/VipVUxcn6wkid78kY27f)

### Step 5 — Output

The agent uses the IAM Role to authenticate with AWS and execute the request. Results appear in the ticket thread.

![Agent processing with IAM Role](/files/KVEvbON3Z7viWG6pPb8p)

![S3 bucket list output — IAM Role method](/files/N01oCQr4cKFdKaRxhEPj)

***

## Method 2 — Access Key

You can also authenticate using an AWS Access Key ID and Secret Access Key. With this method, long-term credentials are stored in DuploCloud.

### Step 2 — Add an Access Key Credential

On the **Credentials** tab of your provider, click **+ Add**.

In the **Add Credential** modal:

* **Name** — a name for this credential (e.g. `AWS-test-key`)
* **Credential Type** — select `Access Key`
* **Access Key ID** — your AWS Access Key ID (e.g. `AKIA3IP27V2ME5MWITWV`)
* **Password** — enter your **Secret Access Key** here

> **Note:** The **Password** field in the Access Key credential form corresponds to your AWS Secret Access Key. For added safety, it is also recommended to add the Secret Access Key as an additional **Credential Field** (key: `secretaccesskey`, type: `String`, sensitive: on) so that it is explicitly available to the agent.

Click **Create**.

![Add Access Key credential](/files/rHi7R8c7AEcBLHvhfOiY)

### Step 3 — Add a Scope

On the **Scope** tab, click **+ Add**. The existing IAM Role scope (if created) will already be listed.

![Scope tab with existing IAM Role scope](/files/ibBmSyiR5JS2DvXrYlyS)

Fill in the scope form for the Access Key credential:

* **Name** — a name for this scope (e.g. `AWS-test-key`)
* **Credential** — select the Access Key credential you just created
* **Region** — select the AWS region
* **Resource Types** — select specific resource types or `All Resources`

Click **Create**.

![Add Scope for Access Key](/files/hPKjg8PVWF0Ycb3iViQU)

### Step 4 — Use the Scope in a Ticket

Go to **HelpDesk** and create a new ticket. In the scope selector, choose the Access Key scope. Both the IAM Role and Access Key scopes for your provider will appear in the dropdown.

![Selecting the Access Key scope](/files/ly4ECAWb3Ztonx7Fxuwc)

Type your request and click **Create Ticket**.

![Ticket with Access Key scope selected](/files/zKUJzes6cskeIsU86SNh)

### Step 5 — Output

The agent authenticates using the Access Key and returns results in the ticket thread.

![S3 bucket list output — Access Key method](/files/G1IBUCMpHCGlfTBMHfXC)


