# Amazon Web Services authentication

## Prerequisites

Use the following table to choose an authentication method based on your use case:

| Method | Best for | Limitations |
| --- | --- | --- |
| **Access Key** | Quick connections and testing with existing IAM credentials | Session token expires (15 minutes to 12 hours); connections must be renewed when the token expires |
| **Access key assume role** | Robots running on AWS EC2 instances with an attached IAM role | Robot must be deployed on an EC2 instance; session token expires |
| **UiPath Managed Cross-Account Assume Role** | Production unattended automations without long-term IAM credentials | Requires a UiPath support request |

To create a connection, you need to provide the following credentials:

* For the **Access Key** authentication method:
  + Access key ID (the access key used to connect to Amazon Web Services)
  + Secret access key (the secret key used to connect to Amazon Web Services)
  + Temporary session token (used to create the AWS client session)
  + Region (specifies the AWS Region to connect to)
* For the **Access key assume role** authentication method:
  + Access key ID (the access key used to connect to Amazon Web Services)
  + Secret access key (the secret key used to connect to Amazon Web Services)
  + IAM role (specifies the name of the IAM role)
  + Temporary session token (used to create the AWS client session)
  + Region (specifies the AWS Region to connect to)
* For the **UiPath Managed Cross-Account Assume Role** authentication method:
  + IAM role ARN
  + External ID
  + Region (specifies the AWS Region to connect to)

:::note
The **Temporary session token** is issued by the [AWS Security Token Service (STS)](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html) and has a limited lifetime (15 minutes to 12 hours by default). When the token expires, the connection fails and must be manually renewed. For automations that run longer than the session token lifetime, consider using the **UiPath Managed Cross-Account Assume Role** method instead, which does not require session tokens.
:::

## Creating an Access key assume role connection

To create an **Access key assume role** connection, first follow these steps:

:::note
The IAM user whose credentials you provide must have the `sts:AssumeRole` permission for the target role in their own IAM policy.
:::

1. Navigate to **AWS console** \> **IAM** \> **Role**.
2. Select **Create Role**.
3. Select **Custom Trust Policy**.
4. Attach the custom trust policy, as shown in the following code section:

   ```json
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "AWS": "<user ARN>"
               },
               "Action": "sts:AssumeRole"
           }
       ]
   }
   ```
5. Add the permissions that need to be assigned to the user.
6. Fill in all the required details and then select **Create**.
7. The UiPath Robot running the automation must be deployed on an AWS EC2 instance to which the specified IAM role is attached, as described [here](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/net-dg-hosm.html).

## Creating a UiPath Managed Cross-Account Assume Role connection

This type of connection uses temporary STS credentials instead of long-term IAM keys to securely access AWS resources (S3, EC2, DynamoDB, Bedrock). You only need to provide minimal inputs and complete a one-time AWS account setup; no IAM access keys or secrets are required.

:::warning
If you want to use this authentication type, you must first raise a request with UiPath support. After the request is raised, UiPath will provide the IAM User ARN, which must be added to your IAM role trust relationship policy before creating the connection. When the required IAM role whitelisting and trust policy updates are completed on both sides, the connection can be created and leveraged immediately.
:::

UiPath will create and manage a different IAM user per customer, guaranteeing that
the AWS access will be isolated at the UiPath organisation level.

![docs image](https://dev-assets.cms.uipath.com/assets/images/integration-service/user-guide-docs-image-610682-e9820f6d.webp)

:::note
Role assumption will provide all attached permissions to your role in a tenant
where this type of connection is established.
:::

To create a connection:

1. Provide the ARN of the IAM role that UiPath should assume. This Role ARN will be incorporated into an IAM user's permissions policy. The IAM user is created and managed by UiPath specifically for, and isolated to, each customer.
2. Configure the IAM role's trust policy. Update the IAM role trust policy to allow assumption by UiPath's IAM user.
   * UiPath will share the ARN of its IAM user created specifically for your customer account.
   * You must add the UiPath IAM user ARN into the Principal element of the role's trust policy.
   * We require an External ID as an extra safeguard in third-party access scenarios and to help prevent the confused deputy problem. This can be any string of your choosing. To configure it, add a condition with `sts:ExternalId` as in the example below. The External ID is passed to UiPath during the actual Integration Service connection creation.

     Example policy format:

     ```json
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Effect": "Allow",
                 "Principal": {
                     "AWS": "<UiPath IAM user ARN>"
                 },
                 "Action": "sts:AssumeRole",
                 "Condition": {
                     "StringEquals": {
                         "sts:ExternalId": "<your External Id>"
                     }
                 }
             }
         ]
     }
     ```
3. Configure the IAM role's permission policies. For example:
   * S3: List/Get/Put on specific buckets.
   * Bedrock: InvokeModel, InvokeModelWithResponseStream.

   :::warning
   The IAM role must be granted the minimum set of permissions required for your specific use case. For example, if the use case involves reading objects from an S3 bucket, the role should only have read-only access to that specific bucket. A sample policy for such a use case would look as follows:

   ```json
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "s3:GetObject",
                   "s3:ListBucket"
               ],
               "Resource": [
                   "arn:aws:s3:::your-bucket-name",
                   "arn:aws:s3:::your-bucket-name/*"
               ]
           }
       ]
   }
   ```
   :::
4. Add the Amazon Web Services connection in Integration Service.
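Before creating the connection, it is worth checking that the trust policy from step 2 really pins the UiPath principal and the `sts:ExternalId` condition, and that the permissions policy from step 3 avoids wildcards. The following Python linter is an added example, not UiPath's own tooling; the ARN, bucket name and External ID it uses are constructed sample values.

```python
import json

# Constructed sample values for this example; not UiPath's real ARNs or IDs.
UIPATH_USER_ARN = "arn:aws:iam::111122223333:user/uipath-integration-example"
GOOD_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": UIPATH_USER_ARN}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-4711"}}}]})
# Same trust, but the External ID condition was forgotten: the confused-deputy gap.
NO_EXTERNAL_ID_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": UIPATH_USER_ARN}, "Action": "sts:AssumeRole"}]})
GOOD_PERMS = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})
BROAD_PERMS = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})

def _as_list(value):
    # IAM accepts a single string or a list in Principal/Action/Resource; normalise.
    return value if isinstance(value, list) else [value]

def lint_trust_policy(policy_json, expected_principal):
    """Findings for a role trust policy; an empty list means it matches the documented shape."""
    findings = []
    seen_assume_role = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        seen_assume_role = True
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if principals != [expected_principal]:
            findings.append(f"AssumeRole principal {principals} is not exactly [{expected_principal!r}]")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not isinstance(ext_id, str) or not ext_id or ext_id.startswith("<"):
            findings.append("sts:ExternalId condition missing or still a placeholder (confused-deputy risk)")
    if not seen_assume_role:
        findings.append("no Allow sts:AssumeRole statement found")
    return findings

def lint_permissions_policy(policy_json):
    """Flag Allow statements that grant wildcard actions or the wildcard resource."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        findings += [f"wildcard action {a}" for a in _as_list(stmt.get("Action", [])) if a.endswith("*")]
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append("wildcard resource")
    return findings
```

Run `lint_trust_policy(NO_EXTERNAL_ID_TRUST, UIPATH_USER_ARN)` to see the missing-External-ID finding; the good samples return empty lists.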

## Add the connection

To create a connection to your Amazon Web Services instance, you need to perform the following steps:

1. Select Orchestrator from the product launcher.
2. Select a folder, and then navigate to the **Connections** tab.
3. Select **Add connection**.
4. To open the connection creation page, select the connector from the list. You can use the search bar to find the connector.
5. From the **Authentication Type** field, select one of the three options: Access key, Access key assume role, or UiPath Managed Cross Account Assume Role. By default, Access key is selected.

   ![docs image](https://dev-assets.cms.uipath.com/assets/images/integration-service/user-guide-docs-image-606668-389c5e5e.webp)
6. Enter the required credentials for your preferred authentication method. In the **AWS service name** field, select the AWS service you intend to connect to: **s3**, **ec2**, **workspaces**, or **bedrock-runtime**. If you intend to use the HTTP Request activity, this is the **AWS HTTP service name** it uses.

   For any secret-type field, you can select the menu next to the field and choose **Use credential asset** to reference an Orchestrator credential asset linked to an external vault instead of entering the value directly. For more information, see [Use credential assets for connections](credential-store-connections.md).

   :::note
   If you intend to use this connection with Amazon Bedrock (for example, to invoke AI models), you must select **bedrock-runtime**. Selecting a different service name will cause Bedrock requests to fail.
   :::
7. Select **Connect**.
