Obtaining connection values for AWS Lambda

About this task

This topic provides instructions to obtain the connection values for AWS Lambda and to connect to App Connect.

Procedure

  1. To obtain Secret access key and Access key ID (BASIC), complete the following steps:
    1. Log in to your AWS account. You can choose between Root user or IAM user based on your role.
      • Root user: Account owner that performs tasks requiring unrestricted access.
      • IAM user: User within an account that performs daily tasks.
      AWS recommends using identity-based managed policies to attach permission sets and roles to an identity, and grant only the permissions the user needs. These policies control what actions that identity can perform, on which resources, and under what conditions. While setting the permissions for an identity in IAM, you can decide whether to use an AWS-managed policy, a customer-managed policy, or an inline policy.

      An AWS-managed policy is a standalone policy that is created and administered by AWS. The following are some examples of AWS-managed policies that are specific to AWS Lambda:

      • AWSLambda_FullAccess grants full access to AWS Lambda actions and other AWS services used to develop and maintain AWS Lambda resources.
      • AWSLambda_ReadOnlyAccess grants read-only access to AWS Lambda resources.
      • AWSLambdaRole grants permissions to invoke AWS Lambda functions.
      • AmazonSNSReadOnlyAccess policy gives limited read-only access and few connector operations are accessible.

      For information about AWS-managed policies that are specific to AWS Lambda, see Identity-based IAM policies for Lambda on the AWS documentation page.

    2. On the navigation menu, click Users.
    3. Select your applicable user name or account name.
    4. Click the Security credentials tab, and then click Create access key.
    5. To view the new access key, click Show.

      You can retrieve the secret access key only when you create the key pair for the first time. For more information, see AWS Account and Access Keys on the AWS documentation page.

  2. To obtain the Client ID and Client secret (BASIC OIDC), complete the following steps:
    1. Log in to the Microsoft Azure portal, and then click App registrations.
    2. In the App registrations page, click New registration.
    3. In the Register an application page, specify a unique name for your app.
    4. Select an option in the Supported account types section according to your requirements.
      registering an application
    5. Click Register.

      The Overview page for the application is displayed.

      Overview page for the registered application
    6. Make a note of the Application (client) ID value because you need to specify it as a connection value when creating the account in App Connect.
    7. Next to Client credentials on the Overview page, click Add a certificate or secret. This displays the Certificates & secrets page.
      Certificates & secrets page for the registered application
    8. Click + New client secret.
    9. In the Add a client secret panel, specify a description for the secret (for example, App Connect secret) and then select an expiry period.
    10. Click Add.

      The generated client secret is displayed on the Certificates & secrets page.

      Generated client secret for the registered app
    11. Copy and store the client secret value because you need to specify it as a connection value when creating the account in App Connect.
      Note: The client secret value won't be shown again in full after you leave this page.
  3. To find the Tenant ID, complete the following steps:
    1. Go to the Microsoft Azure portal login page, and then go to Microsoft Entra ID > Properties.
    2. Copy the Tenant ID value and save it somewhere safe.
      Locating the Tenant ID in Microsoft Entra ID

      For more information about obtaining the Tenant ID, see How to find your Microsoft Entra tenant ID on the Microsoft Entra Docs page.

  4. To obtain the Role ARN (BASIC OIDC), complete the following steps:
    1. Log in to your AWS Management Console for IAM account.
    2. Click Identity providers on the sidebar.
      Identity providers page
    3. Click Add provider.

      The Add Identity provider page appears.

      Add Identity provider page
    4. Select OpenID Connect as the Provider type.
    5. In the Provider URL field, enter https://login.microsoftonline.com/<tenant ID>/v2.0
      Note: Replace <tenant ID> with your Microsoft Azure Tenant ID value. To obtain the Tenant ID, see step 3.
    6. In the Audience field, enter the client ID value from Microsoft Azure.
    7. Click Add provider.
    8. On the new identity provider page, click the Assign role button.
      Provider page
    9. Select Create a new role, and then click Next.

      The Select trusted entity page appears.

      Select trusted entity page
    10. Select Web identity as the Trusted entity type.
    11. In the Identity provider field, select the required provider URL from the drop-down menu.
    12. In the Audience field, select the specific client ID from the drop-down menu.
    13. Click the Next button.

      The Add permissions page appears.

      Add permissions page
    14. Select the appropriate permissions policies to attach to your new role.
    15. Click the Next button.

      The Name, review, and create page appears.

      Name, review, and create page
    16. In the Role name field, enter a name for the role.
    17. In the Description field, enter a description for the role.
    18. Click the Create role button.
    19. On the Roles page, select the role that you created.
      Role ARN
    20. Copy the ARN value (this is your Role ARN value) and save it somewhere safe.
  5. To generate an ID token (BASIC OIDC), see Request an access token with a client_secret on the Microsoft Entra Docs page.
  6. To generate a Refresh token (BASIC OIDC), see Refresh the access token on the Microsoft Entra Docs page.