search
Ctrlk
HomePlatformPricing
githubEdit

Amazon Web Services (AWS)

The AWS Cloud Provider lets DuploCloud AI agents interact with your AWS account — querying resources, running CLI commands, and managing infrastructure on your behalf. There are two ways to authenticate: using an IAM Role (recommended) or using an Access Key.

Use this CloudFormation Templatearrow-up-right to easily create the AWS and Kubernetes Credentials you can use to connect with DuploCloud. You can also Download the CloudFormation Templatearrow-up-right for review. For more information, refer to this public git repoarrow-up-right.

hashtag
Setting Up IAM Access with CloudFormation (Recommended)

Before adding credentials, you need an IAM role in your AWS account that HelpDesk can assume. The easiest way is the DuploCloud Access CloudFormation template — it takes 2–3 minutes and outputs Role ARNs you can use directly.

Launch CloudFormation Stackarrow-up-right | Download Templatearrow-up-right | GitHub Repoarrow-up-right

What it creates — four IAM roles, each independently enabled or disabled:

Role
Policy
Default

DuploCloud-AWS-Admin

AdministratorAccess

Off

DuploCloud-AWS-ReadOnly

ReadOnlyAccess

On

DuploCloud-EKS-Admin-<ClusterName>

AmazonEKSClusterAdminPolicy (via EKS Access Entry)

Off

DuploCloud-EKS-ReadOnly-<ClusterName>

AmazonEKSViewPolicy (via EKS Access Entry)

On

Parameters:

Parameter
Default
Description

EnableAWSAdmin

false

Creates DuploCloud-AWS-Admin with AdministratorAccess

EnableAWSReadOnly

true

Creates DuploCloud-AWS-ReadOnly with ReadOnlyAccess

EnableEKSAdmin

false

Creates DuploCloud-EKS-Admin-<ClusterName> with cluster admin access

EnableEKSReadOnly

true

Creates DuploCloud-EKS-ReadOnly-<ClusterName> with read-only cluster access

EKSClusterName

(empty)

Required if either EKS role is enabled — must match the exact cluster name

HelpdeskAccountId

(empty)

The AWS account ID where HelpDesk is deployed. Sets the IAM trust policy so HelpDesk can assume the created roles. Leave empty for same-account access only.

Once the stack shows CREATE_COMPLETE, copy the relevant Role ARN(s) from the Outputs tab and use them as IAM Role credentials in the steps below.

Revoking access: Delete the CloudFormation stack to remove all created roles and trust policies.

hashtag
Step 1 — Add the AWS Provider

Navigate to Providers in the left sidebar, select your tenant (e.g. IT), and click the Cloud tab. Click + Add in the top-right corner.

Cloud providers list

Fill in the Add Provider form:

  • Name — a name for this provider (e.g. AWS-test)

  • Type — select AWS

  • Account ID — your AWS account ID (12-digit number)

Click Create Provider.

Add Provider form

The provider appears in the list with a success notification.

Provider created successfully

hashtag
Method 1 — IAM Role

Using an IAM Role is the recommended approach. Instead of storing long-term credentials, DuploCloud assumes a role in your AWS account to perform actions.

Important: You must add the AWS account used by DuploCloud as a trusted entity in your IAM role's trust policy. Without this, the role assumption will fail and the agent will not be able to access your AWS resources.

hashtag
Step 2 — Add an IAM Role Credential

Click on your new provider to open it, then go to the Credentials tab. Click + Add.

In the Add Credential modal:

  • Name — a name for this credential (e.g. AWS-test-IAM)

  • Credential Type — select IAM Role

  • IAM Role ARN — the full ARN of the IAM role to assume (e.g. arn:aws:iam::774157348504:role/duplocloud-test-role)

Click Create.

Add IAM Role credential

The credential is created and you are returned to the Scope tab.

IAM Role credential created

hashtag
Step 3 — Add a Scope

With the credential in place, click + Add on the Scope tab to define what region and resources this scope covers.

  • Name — a name for this scope (e.g. AWS-test-IAM-role)

  • Credential — select the IAM Role credential you just created

  • Region — select the AWS region (e.g. US East (N. Virginia) | us-east-1)

  • Resource Types — select specific resource types or choose All Resources

  • Tags — optionally filter by resource tags

Click Create.

Add Scope for IAM Role

hashtag
Step 4 — Use the Scope in a Ticket

Go to HelpDesk and create a new ticket. In the scope selector, choose the IAM Role scope you created under your provider.

Selecting the IAM Role scope

Type your request and click Create Ticket.

Ticket with IAM Role scope selected

hashtag
Step 5 — Output

The agent uses the IAM Role to authenticate with AWS and execute the request. Results appear in the ticket thread.

Agent processing with IAM Role
S3 bucket list output — IAM Role method

hashtag
Method 2 — Access Key

You can also authenticate using an AWS Access Key ID and Secret Access Key. This creates long-term credentials stored in DuploCloud.

hashtag
Step 2 — Add an Access Key Credential

On the Credentials tab of your provider, click + Add.

In the Add Credential modal:

  • Name — a name for this credential (e.g. AWS-test-key)

  • Credential Type — select Access Key

  • Access Key ID — your AWS Access Key ID (e.g. AKIA3IP27V2ME5MWITWV)

  • Password — enter your Secret Access Key here

Note: The Password field in the Access Key credential form corresponds to your AWS Secret Access Key. For added safety, it is also recommended to add the Secret Access Key as an additional Credential Field (key: secretaccesskey, type: String, sensitive: on) so that it is explicitly available to the agent.

Click Create.

Add Access Key credential

hashtag
Step 3 — Add a Scope

On the Scope tab, click + Add. The existing IAM Role scope (if created) will already be listed.

Scope tab with existing IAM Role scope

Fill in the scope form for the Access Key credential:

  • Name — a name for this scope (e.g. AWS-test-key)

  • Credential — select the Access Key credential you just created

  • Region — select the AWS region

  • Resource Types — select specific resource types or All Resources

Click Create.

Add Scope for Access Key

hashtag
Step 4 — Use the Scope in a Ticket

Go to HelpDesk and create a new ticket. In the scope selector, choose the Access Key scope. Both the IAM Role and Access Key scopes for your provider will appear in the dropdown.

Selecting the Access Key scope

Type your request and click Create Ticket.

Ticket with Access Key scope selected

hashtag
Step 5 — Output

The agent authenticates using the Access Key and returns results in the ticket thread.

S3 bucket list output — Access Key method
PreviousIntegrating ProvidersNextMicrosoft Azure

Last updated

Was this helpful?