Obtaining connection values for Amazon EventBridge

About this task

This topic explains how to obtain the connection values that App Connect needs in order to connect to Amazon EventBridge, for each supported authorization type (BASIC, BASIC OIDC, and OIDC WEB).

Procedure

  1. To obtain the Secret access key and Access key ID values (BASIC) without using the Role-Based Access Control (RBAC) model (without using Role ARN), complete the following steps:
    1. Log in to your AWS account.

      You can sign in as the root user or as an IAM user, depending on your role.
      • Root user: The account owner. Use it only for the few tasks that require unrestricted access.
      • IAM user: A user within the account that performs daily tasks. AWS recommends against creating access keys for the root user, so create the access keys for an IAM user.

      AWS recommends attaching identity-based policies to an IAM identity (user, group, or role) and granting only the permissions that identity needs. A policy controls which actions the identity can perform, on which resources, and under what conditions. When you set permissions for an identity in IAM, you can use an AWS-managed policy, a customer-managed policy, or an inline policy.

      An AWS-managed policy is a stand-alone policy that is created and administered by AWS. The following are some examples of AWS-managed policies that are specific to Amazon EventBridge:

      • AmazonEventBridgeFullAccess grants full access to Amazon EventBridge, so all connector operations are available.
      • AmazonEventBridgeReadOnlyAccess grants read-only access, so only the connector operations that read data are available.

      AmazonEventBridgeFullAccess is broader than a single integration usually needs. If you know which operations and event buses the connector will use, a customer-managed policy limited to those actions and resources gives the same functionality with less exposure if the access keys leak.

      For more information about AWS-managed policies that are specific to Amazon EventBridge, see the AWS managed policies list on the AWS documentation page.

    2. In the IAM console navigation pane, click Users.
    3. Select the IAM user for whom you want to generate credentials.

      If the user does not exist, click Create user, assign a username, and attach the appropriate policies.

    4. Click the Security credentials tab, and then click Create access key.
    5. Choose the appropriate use case.
    6. Click Next, then Create access key.
    7. To view the Secret access key value, click Show.
    8. Copy the Access key (Access key ID) and Secret access key values and save them somewhere safe, for example in a secrets manager. The secret access key is shown only when the access key is created; if you lose it, delete that access key and create a new one.

      For detailed information, see Manage access keys for IAM users on the AWS documentation page.

  2. To obtain the Secret access key and Access key ID values (BASIC) by using the RBAC model (with Role ARN), complete the following steps:
    1. Log in to the AWS Management Console and open the IAM console.
    2. Click Roles on the sidebar.
    3. Click the Create role button.
    4. For Trusted entity type, select AWS account, and then:
      • This account if the IAM user that App Connect uses is in the same AWS account as the role.
      • Another AWS account (and enter that account ID) if the IAM user is in a different AWS account.

      This choice produces the role's trust policy, which determines who is allowed to assume the role. An IAM user can call sts:AssumeRole successfully only if the trust policy allows that user (or its account) and the user's own policy allows the action (step 13).
    5. Under Add permissions, choose predefined policies or create a custom policy with required specific permissions.
    6. Click the Next button.
    7. In the Role name field, enter a name for the role.
    8. Click the Create role button.
    9. On the Roles page, select the role that you created.
    10. Copy the ARN value (this is your Role ARN value) and save it somewhere safe.
    11. Click Policies on the sidebar.
    12. Click the Create policy button.
    13. For Policy editor, select the JSON tab and enter the following policy:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "AllowAssumeRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<awsaccountnumber>:role/<rolename>"
          }
        ]
      }
      
      • Replace <awsaccountnumber> with your 12-digit AWS account number.
      • Replace <rolename> with the name of the role that you created in the previous step.

      This policy is only one half of the permission: it allows the user to request the role. The role's trust policy (set in step 4) must also allow this user or its account, otherwise AssumeRole is denied even with this policy attached.
    14. Click the Next button.
    15. In the Policy name field, enter a name for the policy.
    16. Click the Create policy button.
    17. Click Users on the sidebar.
    18. Click the Create user button.
    19. In the User name field, enter a name for the user.
    20. Click the Next button.
    21. Under Permissions options, select Attach policies directly.
    22. Select the policy that you created.
    23. Click the Next button.
    24. Click the Create user button, then select the user that you created.
    25. Under Access keys, click Create access key.
    26. Choose Application running outside AWS or another relevant use case.
    27. Click the Next button.
    28. Click the Create access key button.
    29. To view the Secret access key value, click Show.
    30. Copy the Access key (Access key ID) and Secret access key values and save them somewhere safe, for example in a secrets manager. The secret access key is shown only when the access key is created; if you lose it, delete that access key and create a new one.

      For detailed information, see Manage access keys for IAM users on the AWS documentation page.
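The following Python script is an added example, not code from App Connect or AWS. It generates both policy documents that the Role ARN setup above depends on (the role's trust policy from step 4 and the user's sts:AssumeRole policy from step 13), validates the account number and role name that go into the ARN, and checks that the two documents agree with each other. The account ID, user name, and role name are made-up placeholders.

```python
"""Generate and cross-check the two IAM policy documents that the Role ARN (RBAC)
setup depends on. Added example; it is not App Connect or AWS code, and the
account ID, user name and role name below are made-up placeholders."""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# IAM role names: 1 to 64 characters from this set (AWS documented limits).
ROLE_NAME_RE = re.compile(r"^[\w+=,.@-]{1,64}$")


def role_arn(account_id: str, role_name: str) -> str:
    """Return the ARN that App Connect expects as the Role ARN connection value."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("AWS account ID must be exactly 12 digits")
    if not ROLE_NAME_RE.match(role_name):
        raise ValueError("invalid IAM role name")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def trust_policy(trusted_user_arn: str) -> dict:
    """Trust policy attached to the role (the 'Trusted entity' step).

    Naming the single IAM user is narrower than trusting the whole account
    (arn:aws:iam::<account>:root), which is what the console generates when
    you pick 'This account'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "TrustAppConnectUser",
            "Effect": "Allow",
            "Principal": {"AWS": trusted_user_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def assume_role_policy(account_id: str, role_name: str) -> dict:
    """Identity policy attached to the IAM user (the JSON policy in the procedure)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAssumeRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": role_arn(account_id, role_name),
        }],
    }


def _allows_assume_role(statement: dict) -> bool:
    """Action may be a string or a list in IAM policy JSON."""
    actions = statement.get("Action", [])
    if isinstance(actions, str):
        actions = [actions]
    return statement.get("Effect") == "Allow" and "sts:AssumeRole" in actions


def policies_match(trust: dict, user_policy: dict, user_arn: str, role: str) -> bool:
    """Both halves must agree or STS denies AssumeRole: the user's policy must
    name the role ARN and the role's trust policy must name the user ARN."""
    trusted = any(
        _allows_assume_role(s) and s.get("Principal", {}).get("AWS") == user_arn
        for s in trust["Statement"]
    )
    allowed = any(
        _allows_assume_role(s) and s.get("Resource") == role
        for s in user_policy["Statement"]
    )
    return trusted and allowed


if __name__ == "__main__":
    # Constructed placeholders; substitute your own account, user and role.
    account, user, role = "123456789012", "appconnect-eventbridge", "AppConnectEventBridgeRole"
    user_arn = f"arn:aws:iam::{account}:user/{user}"
    trust = trust_policy(user_arn)
    perms = assume_role_policy(account, role)
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print("consistent:", policies_match(trust, perms, user_arn, role_arn(account, role)))
```

Paste the output of trust_policy into the role's Trust relationships tab and the output of assume_role_policy into the user's policy; policies_match is the check to run before you hand the Role ARN and access keys to App Connect.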

  3. To obtain the Client ID and Client secret (BASIC OIDC and OIDC WEB), complete the following steps:
    1. Log in to the Microsoft Azure portal, and then click App registrations.
    2. In the App registrations page, click New registration.
    3. In the Register an application page, specify a unique name for your app.
    4. Select an option in the Supported account types section according to your requirements.
    5. Click Register.

      The Overview page for the application is displayed.

    6. Make a note of the Application (client) ID value because you need to specify it as a connection value when creating the account in App Connect.
    7. Next to Client credentials on the Overview page, click Add a certificate or secret. This displays the Certificates & secrets page.
    8. Click + New client secret.
    9. In the Add a client secret panel, specify a description for the secret (for example, App Connect secret) and then select an expiry period. Choose the shortest period that fits your rotation process and record the expiry date: when the secret expires, the App Connect account stops authenticating until you add a new secret and update the account.
    10. Click Add.

      The generated client secret is displayed on the Certificates & secrets page.

    11. Copy and store the client secret value because you need to specify it as a connection value when creating the account in App Connect.
      Note: The client secret value won't be shown again in full after you leave this page.
  4. To find the Tenant ID, complete the following steps:
    1. Log in to the Microsoft Azure portal, and then go to Microsoft Entra ID > Properties.
    2. Copy the Tenant ID value and save it somewhere safe.

      For more information about obtaining the Tenant ID, see How to find your Microsoft Entra tenant ID on the Microsoft Entra Docs page.

  5. To obtain the Role ARN (BASIC OIDC and OIDC WEB), complete the following steps:
    1. Log in to the AWS Management Console and open the IAM console.
    2. Click Identity providers on the sidebar.
    3. Click Add provider.

      The Add Identity provider page appears.

    4. Select OpenID Connect as the Provider type.
    5. In the Provider URL field, enter https://login.microsoftonline.com/<tenant ID>/v2.0
      Note: Replace <tenant ID> with your Microsoft Azure Tenant ID value. To obtain the Tenant ID, see step 4.
    6. In the Audience field, enter the Application (client) ID value from Microsoft Azure.
      Note: IAM accepts an ID token for this provider only if the token's iss claim exactly matches the provider URL and its aud claim matches this audience, so both values must be copied exactly.
    7. Click Add provider.
    8. On the new identity provider page, click the Assign role button.
    9. Select Create a new role, and then click Next.

      The Select trusted entity page appears.

    10. Select Web identity as the Trusted entity type.
    11. In the Identity provider field, select the required provider URL from the drop-down menu.
    12. In the Audience field, select the specific client ID from the drop-down menu.
    13. Click the Next button.

      The Add permissions page appears.

    14. Select the permissions policies to attach to your new role. As for the IAM user, grant only the EventBridge actions and resources that the connector needs.
    15. Click the Next button.

      The Name, review, and create page appears.

    16. In the Role name field, enter a name for the role.
    17. In the Description field, enter a description for the role.
    18. Click the Create role button.
    19. On the Roles page, select the role that you created.
    20. Copy the ARN value (this is your Role ARN value) and save it somewhere safe.
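The following Python script is an added example, not code from App Connect, AWS, or Microsoft. It builds the trust policy that the Web identity role from this procedure ends up with (the provider ARN and the aud condition both derive from the provider URL without its https:// prefix), and it decodes an ID token's claims to confirm, before calling STS, that iss and aud match what was entered in steps 5 and 6. The tenant ID, client ID, account ID, and the unsigned sample token are constructed placeholders; the claim decoding deliberately skips signature verification because it is a configuration pre-check, not an authentication step.

```python
"""Build the trust policy for a Web identity role that trusts the Microsoft Entra
OIDC provider, and pre-check an ID token's iss/aud claims against it.
Added example, not App Connect, AWS or Microsoft code; all IDs are placeholders."""
import base64
import json
import re

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def provider_url(tenant_id: str) -> str:
    """The Provider URL entered in IAM; also the iss claim of v2.0 Entra tokens."""
    if not GUID_RE.match(tenant_id):
        raise ValueError("tenant ID must be a GUID")
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def web_identity_trust_policy(account_id: str, tenant_id: str, client_id: str) -> dict:
    """Trust policy for the role. The oidc-provider ARN and the condition key
    both use the provider URL with the https:// scheme removed."""
    host_path = provider_url(tenant_id).removeprefix("https://")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{host_path}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            # Restricting aud to the app registration stops tokens issued for
            # other apps in the same tenant from assuming this role.
            "Condition": {"StringEquals": {f"{host_path}:aud": client_id}},
        }],
    }


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(id_token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature. Pre-check only:
    STS verifies the signature against the provider's published keys."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact-serialised token")
    return json.loads(_b64url_decode(parts[1]))


def token_matches_provider(id_token: str, tenant_id: str, client_id: str) -> bool:
    """True only if iss equals the provider URL exactly and aud equals the client ID.
    A v1.0 token (iss under sts.windows.net) or a token for another app
    registration fails here, and STS would reject it too."""
    claims = token_claims(id_token)
    aud = claims.get("aud")
    aud_ok = client_id in aud if isinstance(aud, list) else aud == client_id
    return claims.get("iss") == provider_url(tenant_id) and aud_ok


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token for offline use (alg none, empty signature)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    tenant = "11111111-2222-3333-4444-555555555555"   # placeholder tenant ID
    client = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # placeholder client ID
    print(json.dumps(web_identity_trust_policy("123456789012", tenant, client), indent=2))
    sample = make_unsigned_token({"iss": provider_url(tenant), "aud": client, "sub": "user-1"})
    print("token matches provider:", token_matches_provider(sample, tenant, client))
```

Compare the printed trust policy with the Trust relationships tab of the role you created; if the condition key or the audience differ, AssumeRoleWithWebIdentity will fail for every token the Azure app issues.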
  6. To generate an ID token (BASIC OIDC), see Request an access token with a client_secret on the Microsoft Entra Docs page. The request must include the openid scope; otherwise the response contains no id_token.
  7. To generate a Refresh token (BASIC OIDC), see Refresh the access token on the Microsoft Entra Docs page. A refresh token is returned only if the original request included the offline_access scope, and each refresh returns a new refresh token that replaces the previous one.
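The following Python script is an added example, not code from App Connect or Microsoft. It assembles the two Microsoft identity platform (v2.0) token-endpoint requests behind steps 6 and 7, refuses to build a request whose scope would not yield both an ID token and a refresh token, and extracts the two values from the JSON response (or surfaces the AADSTS error). The tenant ID, client ID, secret, code, and redirect URI are placeholders, and the sample responses are constructed.

```python
"""Build the v2.0 token-endpoint requests for the ID token and Refresh token
steps and parse the responses. Added example, not App Connect or Microsoft code;
tenant, client, secret and code values are placeholders."""
from urllib.parse import urlencode

# openid is what produces an id_token; offline_access is what produces a refresh_token.
REQUIRED_SCOPES = {"openid", "offline_access"}


def token_endpoint(tenant_id: str) -> str:
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def _scope_string(scopes) -> str:
    missing = REQUIRED_SCOPES - set(scopes)
    if missing:
        raise ValueError(f"scope must include {sorted(missing)}; otherwise no ID/refresh token is issued")
    return " ".join(scopes)


def authorization_code_request(tenant_id, client_id, client_secret, code, redirect_uri, scopes):
    """(url, form fields) to exchange an authorization code for tokens.
    The secret belongs in the POST body, never the query string, so it does
    not end up in proxy or server access logs."""
    fields = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must match a redirect URI on the app registration
        "scope": _scope_string(scopes),
    }
    return token_endpoint(tenant_id), fields


def refresh_request(tenant_id, client_id, client_secret, refresh_token, scopes):
    """(url, form fields) to redeem a refresh token for a new token set."""
    fields = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": _scope_string(scopes),
    }
    return token_endpoint(tenant_id), fields


def encode_form(fields: dict) -> str:
    """application/x-www-form-urlencoded body for the POST."""
    return urlencode(fields)


def parse_token_response(resp: dict) -> dict:
    """Return the two values App Connect needs, or raise with the AADSTS detail.
    Entra returns a new refresh token with every refresh; persist the latest one."""
    if "error" in resp:
        raise RuntimeError(f"{resp['error']}: {resp.get('error_description', '')}")
    missing = [k for k in ("id_token", "refresh_token") if k not in resp]
    if missing:
        raise RuntimeError(f"response lacks {missing}; check the requested scopes")
    return {"id_token": resp["id_token"], "refresh_token": resp["refresh_token"]}


if __name__ == "__main__":
    tenant = "11111111-2222-3333-4444-555555555555"   # placeholder
    client = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # placeholder
    url, fields = authorization_code_request(
        tenant, client, "placeholder-secret", "placeholder-code",
        "https://example.invalid/callback", ["openid", "offline_access", "profile"])
    print("POST", url)
    print(encode_form({**fields, "client_secret": "***"}))  # never log the real secret
    # Constructed sample response, shaped like the token endpoint's JSON.
    sample = {"token_type": "Bearer", "expires_in": 3599, "access_token": "at",
              "id_token": "h.p.s", "refresh_token": "rt-1"}
    print(parse_token_response(sample))
```

Send the body with Content-Type application/x-www-form-urlencoded. The ID token from the first call and the refresh token from the latest call are the two values entered for the BASIC OIDC account in App Connect.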