# Connect App Studio to other services with connectors
A **connector** is a connection between App Studio and other AWS services, such as AWS Lambda and Amazon Redshift, or third-party services. Once a connector is created and configured, builders can use it and the resources it connects to App Studio in their applications.
Only users with the Admin role can create, manage, or delete connectors.
**Topics**
+ [
# Connect to AWS services
](add-connector-services.md)
+ [
# Connect to third-party services
](add-connector-third-party.md)
+ [
# Viewing, editing, and deleting connectors
](viewing-deleting-connectors.md)
# Connect to AWS services
**Topics**
+ [
# Connect to Amazon Redshift
](connectors-redshift.md)
+ [
# Connect to Amazon DynamoDB
](connectors-dynamodb.md)
+ [
# Connect to AWS Lambda
](connectors-lambda.md)
+ [
# Connect to Amazon Simple Storage Service (Amazon S3)
](connectors-s3.md)
+ [
# Connect to Amazon Aurora
](connectors-aurora.md)
+ [
# Connect to Amazon Bedrock
](connectors-bedrock.md)
+ [
# Connect to Amazon Simple Email Service
](connectors-ses.md)
+ [
# Connect to AWS services using the Other AWS services connector
](connectors-aws.md)
+ [
# Use encrypted data sources with CMKs
](encrypted-data-cmk.md)
# Connect to Amazon Redshift
To connect App Studio with Amazon Redshift to enable builders to access and use Amazon Redshift resources in applications, you must perform the following steps:
1. [Step 1: Create and configure Amazon Redshift resources](#connectors-redshift-create-resources)
1. [Step 2: Create an IAM policy and role with appropriate Amazon Redshift permissions](#connectors-redshift-iam)
1. [Step 3: Create Amazon Redshift connector](#connectors-redshift-create-connector)
## Step 1: Create and configure Amazon Redshift resources
Use the following procedure to create and configure Amazon Redshift resources to be used with App Studio.
**To set up Amazon Redshift for use with App Studio**
1. Sign in to the AWS Management Console and open the Amazon Redshift console at [https://console.aws.amazon.com/redshiftv2/](https://console.aws.amazon.com/redshiftv2/).
We recommend using the administrative user created in [Create an administrative user for managing AWS resources](setting-up-first-time-admin.md#setting-up-create-admin-user).
1. Create a Redshift Serverless data warehouse or a provisiond cluster. For more information, see [Creating a data warehouse with Redshift Serverless](https://docs.aws.amazon.com/redshift/latest/gsg/new-user-serverless.html#serverless-console-resource-creation) or [Creating a cluster](https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#create-cluster) in the *Amazon Redshift User Guide*.
1. Once provisioning is complete, choose **Query Data** to open the query editor. Connect to your database.
1. Change the following settings:
1. Set **Isolated session** toggle to `OFF`. This is needed so that you can see data changes made by other users, such as from a running App Studio application.
1. Choose the “gear” icon. Choose **Account settings**. Increase **Maximum concurrent connections** to `10`. This is the limit on the number of query editor sessions that can connect to a Amazon Redshift database. It does not apply to other clients such as App Studio applications.
1. Create your data tables under the `public` schema. `INSERT` any initial data into these tables.
1. Run the following commands in query editor:
The following command creates a database user and connects it with an IAM role named *AppBuilderDataAccessRole* that is used by App Studio. You will create the IAM role in a later step, and the name here must match the name given to that role.
```
CREATE USER "IAMR:AppBuilderDataAccessRole" WITH PASSWORD DISABLE;
```
The following command grants all permissions on all tables to App Studio.
**Note**
For best security practices, you should scope down the permissions here to the minimal required permissions on the appropriate tables. For more information about the `GRANT` command, see [GRANT](https://docs.aws.amazon.com/redshift/latest/dg/r_GRANT.html) in the Amazon Redshift Database Developer Guide.
```
GRANT ALL ON ALL TABLES IN SCHEMA public to "IAMR:AppBuilderDataAccessRole";
```
## Step 2: Create an IAM policy and role with appropriate Amazon Redshift permissions
To use Amazon Redshift resources with App Studio, administrators must create an IAM policy and role to give App Studio permissions to access the resources. The IAM policy controls the scope of data that builders can use and what operations can be called against that data, such as Create, Read, Update, or Delete. The IAM policy is then attached to an IAM role that is used by App Studio.
We recommend creating at least one IAM role per service and policy. For example, if builders are creating two applications backed by different tables in Amazon Redshift, an administrator should create two IAM policies and roles, one for each of the tables in Amazon Redshift.
### Step 2a: Create an IAM policy with appropriate Amazon Redshift permissions
The IAM policy that you create and use with App Studio should contain only the minimally necessary permissions on the appropriate resources for the application to follow best security practices.
**To create an IAM policy with appropriate Amazon Redshift permissions**
1. Sign in to the [IAM console](https://console.aws.amazon.com/iam) with a user that has permissions to create IAM policies. We recommend using the administrative user created in [Create an administrative user for managing AWS resources](setting-up-first-time-admin.md#setting-up-create-admin-user).
1. In the left-side navigation pane, choose **Policies**.
1. Choose **Create policy**.
1. In the **Policy editor** section, choose the **JSON** option.
1. Type or paste in a JSON policy document. The following tabs contain example policies for both provisioned and serverless Amazon Redshift.
**Note**
The following policies apply to all Amazon Redshift resources using the wildcard (`*`). For best security practices, you should replace the wildcard with the Amazon Resource Name (ARN) of the resources you want to use with App Studio.
------
#### [ Provisioned ]
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ProvisionedRedshiftForAppStudio",
"Effect": "Allow",
"Action": [
"redshift:DescribeClusters",
"redshift:GetClusterCredentialsWithIAM",
"redshift-data:ListDatabases",
"redshift-data:ListTables",
"redshift-data:DescribeTable",
"redshift-data:DescribeStatement",
"redshift-data:ExecuteStatement",
"redshift-data:GetStatementResult"
],
"Resource": "*"
}
]
}
```
------
------
#### [ Serverless ]
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ServerlessRedshiftForAppStudio",
"Effect": "Allow",
"Action": [
"redshift-serverless:ListNamespaces",
"redshift-serverless:GetCredentials",
"redshift-serverless:ListWorkgroups",
"redshift-data:ListDatabases",
"redshift-data:ListTables",
"redshift-data:DescribeTable",
"redshift-data:DescribeStatement",
"redshift-data:ExecuteStatement",
"redshift-data:GetStatementResult"
],
"Resource": "*"
}
]
}
```
------
------
1. Choose **Next**.
1. On the **Review and create** page, provide a **Policy name**, such as **RedshiftServerlessForAppStudio** or **RedshiftProvisionedForAppStudio**, and **Description** (optional).
1. Choose **Create policy** to create the policy.
### Step 2b: Create an IAM role to give App Studio access to Amazon Redshift resources
Now, create an IAM role that uses the policy you previously created. App Studio will use this policy to get access to the configured Amazon Redshift resources.
**To create an IAM role to give App Studio access to Amazon Redshift resources**
1. Sign in to the [IAM console](https://console.aws.amazon.com/iam) with a user that has permissions to create IAM roles. We recommend using the administrative user created in [Create an administrative user for managing AWS resources](setting-up-first-time-admin.md#setting-up-create-admin-user).
1. In the left-side navigation pane, choose **Roles**
1. Choose **Create role**.
1. In **Trusted entity type**, choose **Custom trust policy**.
1. Replace the default policy with the following policy to allow App Studio applications to assume this role in your account.
You must replace the following placeholders in the policy. The values to be used can be found in App Studio, in the **Account settings** page.
+ Replace *111122223333* with the AWS account number of the account used to set up the App Studio instance, listed as **AWS account ID** in the account settings in your App Studio instance.
+ Replace *11111111-2222-3333-4444-555555555555* with your App Studio instance ID, listed as **Instance ID** in the account settings in your App Studio instance.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/IsAppStudioAccessRole": "true",
"sts:ExternalId": "11111111-2222-3333-4444-555555555555"
}
}
}
]
}
```
------
Choose **Next**.
1. In **Add permissions**, search for and select the policy that you created in the previous step (**RedshiftServerlessForAppStudio** or **RedshiftProvisionedForAppStudio**). Choosing the **\$1** next to a policy will expand the policy to show the permissions granted by it and choosing the checkbox selects the policy.
Choose **Next**.
1. On the **Name, review, and create** page, provide a **Role name** and **Description**.
**Important**
The role name here must match the role name used in the `GRANT` command in [Step 1: Create and configure Amazon Redshift resources](#connectors-redshift-create-resources) (*AppBuilderDataAccessRole*).
1. In **Step 3: Add tags**, choose **Add new tag** to add the following tag to provide App Studio access:
+ **Key: **`IsAppStudioDataAccessRole`
+ **Value: **`true`
1. Choose **Create role** and make note of the generated Amazon Resource Name (ARN), you will need it when [creating the Amazon Redshift connector in App Studio](#connectors-redshift-create-connector).
## Step 3: Create Amazon Redshift connector
Now that you have your Amazon Redshift resources and IAM policy and role configured, use that information to create the connector in App Studio that builders can use to connect their apps to Amazon Redshift.
**Note**
You must have the Admin role in App Studio to create connectors.
**To create a connector for Amazon Redshift**
1. Navigate to App Studio.
1. In the left-side navigation pane, choose **Connectors** in the **Manage** section. You will be taken to a page displaying a list of existing connectors with some details about each.
1. Choose **\$1 Create connector**.
1. Choose the **Amazon Redshift** connector.
1. Configure your connector by filling out the following fields:
+ **Name:** Provide a name for your connector.
+ **Description:** Provide a description for your connector.
+ **IAM Role:** Enter the Amazon Resource Name (ARN) from the IAM role created in [Step 2b: Create an IAM role to give App Studio access to Amazon Redshift resources](#connectors-redshift-iam-role). For more information about IAM, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html).
+ **Region:** Choose the AWS Region where your Amazon Redshift resources are located.
+ **Compute type:** Choose if you are using Amazon Redshift Serverless or a provisioned cluster.
+ **Cluster or Workgroup selection:** If **Provisioned** is chosen, choose the cluster you want to connect to App Studio. If **Serverless** is chosen, choose the workgroup.
+ **Database selection:** Choose the database you want to connect to App Studio.
+ **Available tables:** Select the tables you want to connect to App Studio.
1. Choose **Next**. Review the connection information and choose **Create**.
1. The newly created connector will appear in the **connectors** list.
# Connect to Amazon DynamoDB
To connect App Studio with DynamoDB to enable builders to access and use DynamoDB resources in applications, you must perform the following steps:
1. [Step 1: Create and configure DynamoDB resources](#connectors-dynamodb-create-resources)
1. [Step 2: Create an IAM policy and role with appropriate DynamoDB permissions](#connectors-dynamodb-iam)
1. [Create DynamoDB connector](#connectors-dynamodb-create-connector)
## Step 1: Create and configure DynamoDB resources
Use the following procedure to create and configure DynamoDB resources to be used with App Studio.
**To set up DynamoDB for use with App Studio**
1. Sign in to the AWS Management Console and open the DynamoDB console at [https://console.aws.amazon.com/dynamodb/](https://console.aws.amazon.com/dynamodb/).
We recommend using the administrative user created in [Create an administrative user for managing AWS resources](setting-up-first-time-admin.md#setting-up-create-admin-user).
1. In the left navigation pane, choose **Tables**.
1. Choose **Create table**.
1. Enter a name and keys for your table.
1. Choose **Create table**.
1. After your table is created, add some items to it so they will appear once the table is connected to App Studio.
1. Choose your table, choose **Actions**, and choose **Explore items**.
1. In **Items returned**, choose **Create item**.
1. (Optional): Choose **Add new attribute** to add more attributes to your table.
1. Enter values for each attribute and choose **Create item**.
## Step 2: Create an IAM policy and role with appropriate DynamoDB permissions
To use DynamoDB resources with App Studio, administrators must create an IAM policy and role to give App Studio permissions to access the resources. The IAM policy controls the scope of data that builders can use and what operations can be called against that data, such as Create, Read, Update, or Delete. The IAM policy is then attached to an IAM role that is used by App Studio.
We recommend creating at least one IAM role per service and policy. For example, if builders are creating two applications backed by the same tables in DynamoDB, one that only requires read access, and one that requires read, create, update and delete; an administrator should create two IAM roles, one using read only permissions, and one with full CRUD permissions to the applicable tables in DynamoDB.
### Step 2a: Create an IAM policy with appropriate DynamoDB permissions
The IAM policy that you create and use with App Studio should contain only the minimally necessary permissions on the appropriate resources for the application to follow best security practices.
**To create an IAM policy with appropriate DynamoDB permissions**
1. Sign in to the [IAM console](https://console.aws.amazon.com/iam) with a user that has permissions to create IAM policies. We recommend using the administrative user created in [Create an administrative user for managing AWS resources](setting-up-first-time-admin.md#setting-up-create-admin-user).
1. In the left-side navigation pane, choose **Policies**.
1. Choose **Create policy**.
1. In the **Policy editor** section, choose the **JSON** option.
1. Type or paste in a JSON policy document. The following tabs contain example policies for read only and full access to DynamoDB tables, along with examples of policies that include AWS KMS permissions for DynamoDB tables encrypted with an AWS KMS customer-managed key (CMK).
**Note**
The following policies apply to all DynamoDB resources using the wildcard (`*`). For best security practices, you should replace the wildcard with the Amazon Resource Name (ARN) of the resources you want to use with App Studio.
------
#### [ Read only ]
The following policy grants read access to the configured DynamoDB resources.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ReadOnlyDDBForAppStudio",
"Effect": "Allow",
"Action": [
"dynamodb:ListTables",
"dynamodb:DescribeTable",
"dynamodb:PartiQLSelect"
],
"Resource": "*"
}
]
}
```
------
------
#### [ Full access ]
The following policy grants create, read, update, and delete access to the configured DynamoDB resources.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "FullAccessDDBForAppStudio",
"Effect": "Allow",
"Action": [
"dynamodb:ListTables",
"dynamodb:DescribeTable",
"dynamodb:PartiQLSelect",
"dynamodb:PartiQLInsert",
"dynamodb:PartiQLUpdate",
"dynamodb:PartiQLDelete"
],
"Resource": "*"
}
]
}
```
------
------
#### [ Read only - KMS encrypted ]
The following policy grants read access to the configured encrypted DynamoDB resources by providing AWS KMS permissions. You must replace the ARN with the ARN of the AWS KMS key.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ReadOnlyDDBForAppStudio",
"Effect": "Allow",
"Action": [
"dynamodb:ListTables",
"dynamodb:DescribeTable",
"dynamodb:PartiQLSelect"
],
"Resource": "*"
},
{
"Sid": "KMSPermissionsForEncryptedTable",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
]
}
```
------
------
#### [ Full access - KMS encrypted ]
The following policy grants read access to the configured encrypted DynamoDB resources by providing AWS KMS permissions. You must replace the ARN with the ARN of the AWS KMS key.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ReadOnlyDDBForAppStudio",
"Effect": "Allow",
"Action": [
"dynamodb:ListTables",
"dynamodb:DescribeTable",
"dynamodb:PartiQLSelect",
"dynamodb:PartiQLInsert",
"dynamodb:PartiQLUpdate",
"dynamodb:PartiQLDelete"
],
"Resource": "*"
},
{
"Sid": "KMSPermissionsForEncryptedTable",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
]
}
```
------
------
1. Choose **Next**.
1. On the **Review and create** page, provide a **Policy name**, such as **ReadOnlyDDBForAppStudio** or **FullAccessDDBForAppStudio**, and **Description** (optional).
1. Choose **Create policy** to create the policy.
### Step 2b: Create an IAM role to give App Studio access to DynamoDB resources
Now, create an IAM role that uses the policy you previously created. App Studio will use this policy to get access to the configured DynamoDB resources.
**To create an IAM role to give App Studio access to DynamoDB resources**
1. Sign in to the [IAM console](https://console.aws.amazon.com/iam) with a user that has permissions to create IAM roles. We recommend using the administrative user created in [Create an administrative user for managing AWS resources](setting-up-first-time-admin.md#setting-up-create-admin-user).
1. In the navigation pane of the console, choose **Roles** and then choose **Create role**.
1. In **Trusted entity type**, choose **Custom trust policy**.
1. Replace the default policy with the following policy to allow App Studio applications to assume this role in your account.
You must replace the following placeholders in the policy. The values to be used can be found in App Studio, in the **Account settings** page.
+ Replace *111122223333* with the AWS account number of the account used to set up the App Studio instance, listed as **AWS account ID** in the account settings in your App Studio instance.
+ Replace *11111111-2222-3333-4444-555555555555* with your App Studio instance ID, listed as **Instance ID** in the account settings in your App Studio instance.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/IsAppStudioAccessRole": "true",
"sts:ExternalId": "11111111-2222-3333-4444-555555555555"
}
}
}
]
}
```
------
Choose **Next**.
1. In **Add permissions**, search for and select the policy that you created in the previous step (**ReadOnlyDDBForAppStudio** or **FullAccessDDBForAppStudio**). Choosing the **\$1** next to a policy will expand the policy to show the permissions granted by it and choosing the checkbox selects the policy.
Choose **Next**.
1. On the **Name, review, and create** page, provide a **Role name** and **Description**.
1. In **Step 3: Add tags**, choose **Add new tag** to add the following tag to provide App Studio access:
+ **Key: **`IsAppStudioDataAccessRole`
+ **Value: **`true`
1. Choose **Create role** and make note of the generated Amazon Resource Name (ARN), you will need it when [creating the DynamoDB connector in App Studio](#connectors-dynamodb-create-connector).
## Create DynamoDB connector
Now that you have your DynamoDB resources and IAM policy and role configured, use that information to create the connector in App Studio that builders can use to connect their apps to DynamoDB.
**Note**
You must have the Admin role in App Studio to create connectors.
**To create a connector for DynamoDB**
1. Navigate to App Studio.
1. In the left-side navigation pane, choose **Connectors** in the **Manage** section. You will be taken to a page displaying a list of existing connectors with some details about each.
1. Choose **\$1 Create connector**.
1. Choose **Amazon DynamoDB** from the list of connector types.
1. Configure your connector by filling out the following fields:
+ **Name:** Enter a name for your DynamoDB connector.
+ **Description:** Enter a description for your DynamoDB connector.
+ **IAM role:** Enter the Amazon Resource Name (ARN) from the IAM role created in [Step 2b: Create an IAM role to give App Studio access to DynamoDB resources](#connectors-dynamodb-iam-role). For more information about IAM, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html).
+ **Region:** Choose the AWS Region where your DynamoDB resources are located.
+ **Available tables:** Select the tables you want to connect to App Studio.
1. Choose **Next**. Review the connection information and choose **Create**.
1. The newly created connector will appear in the **Connectors** list.
# Connect to AWS Lambda
To connect App Studio with Lambda to enable builders to access and use Lambda resources in applications, you must perform the following steps:
1. [Step 1: Create and configure Lambda functions](#connectors-lambda-create-resources)
1. [Step 2: Create an IAM role to give App Studio access to Lambda resources](#connectors-lambda-iam-role)
1. [Step 3: Create Lambda connector](#connectors-lambda-create-connector)
## Step 1: Create and configure Lambda functions
If you don't have existing Lambda functions, you must first create them. To learn more about creating Lambda functions, see the [AWS Lambda Developer Guide](https://docs.aws.amazon.com/lambda/latest/dg/).
## Step 2: Create an IAM role to give App Studio access to Lambda resources
To use Lambda resources with App Studio, administrators must create an IAM role to give App Studio permissions to access the resources. The IAM role controls the resources or operations applications can access from Lambda.
We recommend creating at least one IAM role per service and policy.
**To create an IAM role to give App Studio access to Lambda resources**
1. Sign in to the [IAM console](https://console.aws.amazon.com/iam) with a user that has permissions to create IAM roles. We recommend using the administrative user created in [Create an administrative user for managing AWS resources](setting-up-first-time-admin.md#setting-up-create-admin-user).
1. In the navigation pane of the console, choose **Roles** and then choose **Create role**.
1. In **Trusted entity type**, choose **Custom trust policy**.
1. Replace the default policy with the following policy to allow App Studio applications to assume this role in your account.
You must replace the following placeholders in the policy. The values to be used can be found in App Studio, in the **Account settings** page.
+ Replace *111122223333* with the AWS account number of the account used to set up the App Studio instance, listed as **AWS account ID** in the account settings in your App Studio instance.
+ Replace *11111111-2222-3333-4444-555555555555* with your App Studio instance ID, listed as **Instance ID** in the account settings in your App Studio instance.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/IsAppStudioAccessRole": "true",
"sts:ExternalId": "11111111-2222-3333-4444-555555555555"
}
}
}
]
}
```
------
Choose **Next**.
1. In **Add permissions**, search for and select the policies that grant the appropriate permissions for the role. Choosing the **\$1** next to a policy will expand the policy to show the permissions granted by it and choosing the checkbox selects the policy. For Lambda, you may consider adding the `AWSLambdaRole` policy, which grants permissions to invoke Lambda functions.
For more information about using IAM policies with Lambda, including a list of managed policies and their descriptions, see [Identity and Access Management for AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/security-iam.html) in the *AWS Lambda Developer Guide*.
Choose **Next**.
1. On the **Name, review, and create** page, provide a **Role name** and **Description**.
1. In **Step 3: Add tags**, choose **Add new tag** to add the following tag to provide App Studio access:
+ **Key: **`IsAppStudioDataAccessRole`
+ **Value: **`true`
1. Choose **Create role** and make note of the generated Amazon Resource Name (ARN), you will need it when [creating the Lambda connector in App Studio](#connectors-lambda-create-connector).
## Step 3: Create Lambda connector
Now that you have your Lambda resources and IAM policy and role configured, use that information to create the connector in App Studio that builders can use to connect their apps to Lambda.
**Note**
You must have the Admin role in App Studio to create connectors.
**To create a connector for Lambda**
1. Navigate to App Studio.
1. In the left-side navigation pane, choose **Connectors** in the **Manage** section. You will be taken to a page displaying a list of existing connectors with some details about each.
1. Choose **\$1 Create connector**.
1. Choose **Other AWS Services** from the list of connector types.
1. Configure your connector by filling out the following fields:
+ **Name:** Enter a name for your Lambda connector.
+ **Description:** Enter a description for your Lambda connector.
+ **IAM role:** Enter the Amazon Resource Name (ARN) from the IAM role created in [Step 2: Create an IAM role to give App Studio access to Lambda resources](#connectors-lambda-iam-role). For more information about IAM, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html).
+ **Service:** Choose **Lambda**.
+ **Region:** Choose the AWS Region where your Lambda resources are located.
1. Choose **Create**.
1. The newly created connector will appear in the **Connectors** list.
# Connect to Amazon Simple Storage Service (Amazon S3)
To connect App Studio with Amazon S3 to enable builders to access and use Amazon S3 resources in applications, perform the following steps:
1. [Step 1: Create and configure Amazon S3 resources](#connectors-s3-create-resources)
1. [Step 2: Create an IAM policy and role with appropriate Amazon S3 permissions](#connectors-s3-iam)
1. [Step 3: Create Amazon S3 connector](#connectors-s3-create-connector)
After you have completed the steps and created the connector with proper permissions, builders can use the connector to create apps that interact with Amazon S3 resources. For more information about interacting with Amazon S3 in App Studio apps, see [Interacting with Amazon Simple Storage Service with components and automations](automations-s3.md).
## Step 1: Create and configure Amazon S3 resources
Depending on your app's needs and your existing resources, you may need to create an Amazon S3 bucket for apps to write to and read from. For information about creating Amazon S3 resources, including buckets, see [Getting started with Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/GetStartedWithS3.html) in the *Amazon Simple Storage Service User Guide*.
To use the [S3 upload](components-reference.md#s3-upload-component) component in your apps, you must add a cross-origin resource sharing (CORS) configuration to any Amazon S3 buckets you want to upload to. The CORS configuration gives App Studio permission to push objects to the bucket. The following procedure details how to add a CORS configuration to an Amazon S3 bucket using the console. For more information about CORS and configuring it, see [Using cross-origin resource sharing (CORS)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cors.html) in the *Amazon Simple Storage Service User Guide*.
**To add a CORS configuration to an Amazon S3 bucket in the console**
1. Navigate to your bucket in the [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).
1. Choose the **Permissions** tab.
1. In **Cross-origin resource sharing (CORS)**, choose **Edit**.
1. Add the following snippet:
```
[
{
"AllowedHeaders": [
"*"
],
"AllowedMethods": [
"PUT",
"POST"
],
"AllowedOrigins": [
"*"
],
"ExposeHeaders": []
}
]
```
1. Choose **Save changes**.
## Step 2: Create an IAM policy and role with appropriate Amazon S3 permissions
To use Amazon S3 resources with App Studio, administrators must create an IAM policy and role to give App Studio permissions to access the resources. The IAM policy controls the scope of data that builders can use and what operations can be called against that data, such as Create, Read, Update, or Delete. The IAM policy is then attached to an IAM role that is used by App Studio.
We recommend creating at least one IAM role per service and policy. For example, if builders are creating two applications backed by different buckets in Amazon S3, an administrator should create two IAM policies and roles, one for each of the buckets.
### Step 2a: Create an IAM policy with appropriate Amazon S3 permissions
The IAM policy that you create and use with App Studio should contain only the minimally necessary permissions on the appropriate resources for the application to follow best security practices.
**To create an IAM policy with appropriate Amazon S3 permissions**
1. Sign in to the [IAM console](https://console.aws.amazon.com/iam) with a user that has permissions to create IAM policies. We recommend using the administrative user created in [Create an administrative user for managing AWS resources](setting-up-first-time-admin.md#setting-up-create-admin-user).
1. In the left-side navigation pane, choose **Policies**.
1. Choose **Create policy**.
1. In the **Policy editor** section, choose the **JSON** option.
1. Type or paste in a JSON policy document. The following tabs contain example policies for read only and full access to Amazon S3 resources.
**Note**
The following policies apply to all Amazon S3 resources using the wildcard (`*`). For best security practices, you should replace the wildcard with the Amazon Resource Name (ARN) of the resources, such as buckets or folders, you want to use with App Studio.
------
#### [ Read only ]
The following policy grants read only access (get and list) to the configured Amazon S3 buckets or folders.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "S3ReadOnlyForAppStudio",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": "*"
}
]
}
```
------
------
#### [ Full access ]
The following policy grants full access (put, get, list, and delete) to the configured Amazon S3 buckets or folders.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "S3FullAccessForAppStudio",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject"
],
"Resource": "*"
}
]
}
```
------
------
1. Choose **Next**.
1. On the **Review and create** page, provide a **Policy name**, such as **AWSAppStudioS3FullAccess**, and **Description** (optional).
1. Choose **Create policy** to create the policy.
### Step 2b: Create an IAM role to give App Studio access to Amazon S3 resources
To use Amazon S3 resources with App Studio, administrators must create an IAM role to give App Studio permissions to access the resources. The IAM role controls the scope of data that builders can use and what operations can be called against that data, such as Create, Read, Update, or Delete.
We recommend creating at least one IAM role per service and policy.
**To create an IAM role to give App Studio access to Amazon S3 resources**
1. Sign in to the [IAM console](https://console.aws.amazon.com/iam) with a user that has permissions to create IAM roles. We recommend using the administrative user created in [Create an administrative user for managing AWS resources](setting-up-first-time-admin.md#setting-up-create-admin-user).
1. In the navigation pane of the console, choose **Roles** and then choose **Create role**.
1. In **Trusted entity type**, choose **Custom trust policy**.
1. Replace the default policy with the following policy to allow App Studio applications to assume this role in your account.
You must replace the following placeholders in the policy. The values to be used can be found in App Studio, in the **Account settings** page.
+ Replace *111122223333* with the AWS account number of the account used to set up the App Studio instance, listed as **AWS account ID** in the account settings in your App Studio instance.
+ Replace *11111111-2222-3333-4444-555555555555* with your App Studio instance ID, listed as **Instance ID** in the account settings in your App Studio instance.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/IsAppStudioAccessRole": "true",
"sts:ExternalId": "11111111-2222-3333-4444-555555555555"
}
}
}
]
}
```
------
Choose **Next**.
1. In **Add permissions**, search for and select the policy that you created in the previous step (**S3ReadOnlyForAppStudio** or **S3FullAccessForAppStudio**). Choosing the **\$1** next to a policy will expand the policy to show the permissions granted by it and choosing the checkbox selects the policy.
Choose **Next**.
1. On the **Name, review, and create** page, provide a **Role name** and **Description**.
1. In **Step 3: Add tags**, choose **Add new tag** to add the following tag to provide App Studio access:
+ **Key: **`IsAppStudioDataAccessRole`
+ **Value: **`true`
1. Choose **Create role** and make note of the generated Amazon Resource Name (ARN), you will need it to create the Amazon S3 connector in App Studio in the next step.
## Step 3: Create Amazon S3 connector
Now that you have your Amazon S3 resources and IAM policy and role configured, use that information to create the connector in App Studio that builders can use to connect their apps to Amazon S3.
**Note**
You must have the Admin role in App Studio to create connectors.
**To create a connector for Amazon S3**
1. Navigate to App Studio.
1. In the left-side navigation pane, choose **Connectors** in the **Manage** section. You will be taken to a page displaying a list of existing connectors with some details about each.
1. Choose **\$1 Create connector**.
1. Choose the **Amazon S3** connector.
1. Configure your connector by filling out the following fields:
+ **Name:** Enter a name for your Amazon S3 connector.
+ **Description:** Enter a description for your Amazon S3 connector.
+ **IAM role:** Enter the Amazon Resource Name (ARN) from the IAM role created in [Step 2b: Create an IAM role to give App Studio access to Amazon S3 resources](#connectors-s3-iam-role). For more information about IAM, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html).
+ **Region:** Choose the AWS Region where your Amazon S3 resources are located.
1. Choose **Create**.
1. The newly created connector will appear in the **Connectors** list.
# Connect to Amazon Aurora
To connect App Studio with Aurora to enable builders to access and use Aurora resources in applications, you must perform the following steps:
1. [Step 1: Create and configure Aurora resources](#connectors-aurora-create-resources)
1. [Step 2: Create an IAM policy and role with appropriate Aurora permissions](#connectors-aurora-iam)
1. [Step 3: Create Aurora connector in App Studio](#connectors-aurora-create-connector)
App Studio supports the following Aurora versions:
+ Aurora MySQL Serverless V1: 5.72
+ Aurora PostgreSQL Serverless V1: 11.18, 13.9
+ Aurora MySQL Serverless V2: 13.11 or higher, 14.8 or higher, and 15.3 or higher
+ Aurora PostgreSQL Serverless V2: 13.11 or higher, 14.8 or higher, and 15.3 or higher
## Step 1: Create and configure Aurora resources
To use Aurora databases with App Studio, you must first create them and configure them appropriately. There are two Aurora database types supported by App Studio: Aurora PostgreSQL and Aurora MySQL. To compare the types, see [What's the difference between MySQL and PostgreSQL?](https://aws.amazon.com/compare/the-difference-between-mysql-vs-postgresql/). Choose the appropriate tab and follow the procedure to set up Aurora for use with App Studio apps.
------
#### [ Aurora PostgreSQL ]
Use the following procedure to create and configure an Aurora PostgreSQL database cluster to be used with App Studio.
**To set up Aurora for use with App Studio**
1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/).
1. Choose **Create database**.
1. Choose **Aurora (PostgreSQL Compatible)**.
1. In **Available versions**, choose any version greater than or equal to version `13.11`, `14.8`, and `15.3`.
1. In **Settings**, enter a **DB cluster identifier**.
1. In **Instance configuration**, choose **Serverless v2** and choose an appropriate capacity.
1. In **Connectivity**, select **Enable the RDS Data API**.
1. In **Database authentication**, select **IAM database authentication**.
1. In **Additional configuration**, in **Initial database name**, enter an initial database name for your database.
------
#### [ Aurora MySQL ]
Use the following procedure to create and configure an Aurora MySQL database cluster to be used with App Studio.
Aurora MySQL doesn’t support creation from the UI for the versions that support Data API or Serverless v1. To create a Aurora MySQL cluster that supports the Data API, you must use the AWS CLI.
**Note**
To use Aurora MySQL databases with App Studio, they must be in a virtual private cloud (VPC). For more information, see [Working with a DB cluster in a VPC](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html) in the *Amazon Aurora User Guide*.
**To set up Aurora MySQL for use with App Studio**
1. If necessary, install the AWS CLI by following the instructions in [Install or update to the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.
1. Sign in to the AWS Management Console and open the Amazon RDS console at [https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/).
1. In the left-side navigation, choose **Subnet groups**.
1. Choose **Create DB subnet group**.
1. Fill out the information and create the sunbnet group. For more information about subnet groups and using VPCs, see [Working with a DB cluster in a VPC](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html) in the *Amazon Aurora User Guide*.
1. Run the following AWS CLI command:
```
aws rds create-db-cluster --database-name db_name \
--db-cluster-identifier db_cluster_identifier \
--engine aurora-mysql \
--engine-version 5.7.mysql_aurora.2.08.3 \
--engine-mode serverless \
--scaling-configuration MinCapacity=4,MaxCapacity=32,SecondsUntilAutoPause=1000,AutoPause=true \
--master-username userName \
--master-user-password userPass \
--availability-zones us-west-2b us-west-2c \
--db-subnet-group-name subnet-group-name
```
Replace the following fields:
+ Replace *db\$1name* with the desired database name.
+ Replace *db\$1cluster\$1identifier* with the desired database cluster identifier.
+ (Optional) Replace the numbers in the `scaling-configuration` field as desired.
+ Replace *userName* with a desired username.
+ Replace *userPass* with a desired password.
+ In `availability-zones`, add the availability zones from the subnet group you created.
+ Replace *subnet-group-name* with the name of the subnet group you created.
------
## Step 2: Create an IAM policy and role with appropriate Aurora permissions
To use Aurora resources with App Studio, administrators must create an IAM policy and attach it to an IAM role that is used to give App Studio permissions to access the configured resources. The IAM policy and role control the scope of data that builders can use and what operations can be called against that data, such as Create, Read, Update, or Delete.
We recommend creating at least one IAM role per service and policy.
### Step 2a: Create an IAM policy with appropriate Aurora permissions
The IAM policy that you create and use with App Studio should contain only the minimally necessary permissions on the appropriate resources for the application to follow best security practices.
**To create an IAM policy with appropriate Aurora permissions**
1. Sign in to the [IAM console](https://console.aws.amazon.com/iam) with a user that has permissions to create IAM roles. We recommend using the administrative user created in [Create an administrative user for managing AWS resources](setting-up-first-time-admin.md#setting-up-create-admin-user).
1. In the left-side navigation pane, choose **Policies**.
1. Choose **Create policy**.
1. In the **Policy editor** section, choose the **JSON** option.
1. Replace the existing snippet with the following snippet, replacing *111122223333* with the AWS account number in which the Amazon Redshift and Aurora resources are contained.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "BaselineAuroraForAppStudio",
"Effect": "Allow",
"Action": [
"rds-data:ExecuteStatement",
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:rds:*:111122223333:cluster:*",
"arn:aws:secretsmanager:*:111122223333:secret:rds*"
]
}
]
}
```
------
1. Choose **Next**.
1. On the **Review and create** page, provide a **Policy name**, such as **Aurora\$1AppStudio** and **Description** (optional).
1. Choose **Create policy** to create the policy.
### Step 2b: Create an IAM role to give App Studio access to Aurora resources
Now, create an IAM role that uses the policy you previously created. App Studio will use this policy to get access to the configured Aurora resources.
**To create an IAM role to give App Studio access to Aurora resources**
1. Sign in to the [IAM console](https://console.aws.amazon.com/iam) with a user that has permissions to create IAM roles. We recommend using the administrative user created in [Create an administrative user for managing AWS resources](setting-up-first-time-admin.md#setting-up-create-admin-user).
1. In the navigation pane of the console, choose **Roles** and then choose **Create role**.
1. In **Trusted entity type**, choose **Custom trust policy**.
1. Replace the default policy with the following policy to allow App Studio applications to assume this role in your account.
You must replace the following placeholders in the policy. The values to be used can be found in App Studio, in the **Account settings** page.
+ Replace *111122223333* with the AWS account number of the account used to set up the App Studio instance, listed as **AWS account ID** in the account settings in your App Studio instance.
+ Replace *11111111-2222-3333-4444-555555555555* with your App Studio instance ID, listed as **Instance ID** in the account settings in your App Studio instance.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/IsAppStudioAccessRole": "true",
"sts:ExternalId": "11111111-2222-3333-4444-555555555555"
}
}
}
]
}
```
------
Choose **Next**.
1. In **Add permissions**, search and select the policy you created earlier (**Aurora\$1AppStudio**). Choosing the **\$1** next to a policy will expand the policy to show the permissions granted by it and choosing the checkbox selects the policy.
Choose **Next**.
1. On the **Name, review, and create** page, provide a **Role name** and **Description**.
1. In **Step 3: Add tags**, choose **Add new tag** to add the following tag to provide App Studio access:
+ **Key: **`IsAppStudioDataAccessRole`
+ **Value: **`true`
1. Choose **Create role** and make note of the generated Amazon Resource Name (ARN), you will need it when [creating the Aurora connector in App Studio](#connectors-aurora-create-connector).
## Step 3: Create Aurora connector in App Studio
Now that you have your Aurora resources and IAM policy and role configured, use that information to create the connector in App Studio that builders can use to connect their apps to Aurora.
**Note**
You must have the Admin role in App Studio to create connectors.
**To create a connector for Aurora**
1. Navigate to App Studio.
1. In the left-side navigation pane, choose **Connectors** in the **Manage** section. You will be taken to a page displaying a list of existing connectors with some details about each.
1. Choose **\$1 Create connector**.
1. Choose the **Amazon Aurora** connector.
1. Configure your connector by filling out the following fields:
+ **Name:** Enter a name for your Aurora connector.
+ **Description:** Enter a description for your Aurora connector.
+ **IAM role:** Enter the Amazon Resource Name (ARN) from the IAM role created in [Step 2b: Create an IAM role to give App Studio access to Aurora resources](#connectors-aurora-iam-role). For more information about IAM, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html).
+ **Secret ARN:** Enter the secret ARN of the database cluster. For information about where to find the secret ARN, see [Viewing the details about a secret for a DB cluser](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-secrets-manager.html#rds-secrets-manager-view-db-cluster) in the *Amazon Aurora User Guide*.
+ **Region:** Choose the AWS Region where your Aurora resources are located.
+ **Database ARN:** Enter the ARN of the database cluster. The ARN can be found in the **Configuration** tab of the database cluster, similar to the secret ARN.
+ **Database type:** Choose the database type, **MySQL** or **PostgreSQL**, that matches the type of database created in [Step 1: Create and configure Aurora resources](#connectors-aurora-create-resources).
+ **Database name:** Enter the name of the database, which can also be found in the **Configuration** tab of the database cluster.
+ **Available tables:** Select the tables you want to use with App Studio using this connector.
1. Choose **Next** to review or define the entity mappings.
1. Choose **Create** to create the Aurora connector. The newly created connector will appear in the **Connectors** list.
# Connect to Amazon Bedrock
To connect App Studio with Amazon Bedrock so builders can access and use Amazon Bedrock in applications, you must perform the following steps:
1. [Step 1: Enable Amazon Bedrock models](#connectors-bedrock-model-access)
1. [Step 2: Create an IAM policy and role with appropriate Amazon Bedrock permissions](#connectors-bedrock-iam)
1. [Step 3: Create Amazon Bedrock connector](#connectors-bedrock-create-connector)
## Step 1: Enable Amazon Bedrock models
Use the following procedure to enable Amazon Bedrock models.
**To enable Amazon Bedrock models**
1. Sign in to the AWS Management Console and open the Amazon Bedrock console at [https://console.aws.amazon.com/bedrock/](https://console.aws.amazon.com/bedrock/).
1. In the left navigation pane, choose **Model access**.
1. Enable the models that you want to use. For more information, see [Manage access to Amazon Bedrock foundation models](https://docs.aws.amazon.com/bedrock/latest/userguide/model-access.html).
## Step 2: Create an IAM policy and role with appropriate Amazon Bedrock permissions
To use Amazon Bedrock resources with App Studio, administrators must create an IAM policy and role to give App Studio permissions to access the resources. The IAM policy controls what resources and what operations can be called against those resources, such as `InvokeModel`. The IAM policy is then attached to an IAM role that is used by App Studio.
### Step 2a: Create an IAM policy with appropriate Amazon Bedrock permissions
The IAM policy that you create and use with App Studio should contain only the minimally necessary permissions on the appropriate resources for the application to follow best security practices.
**To create an IAM policy with appropriate Amazon Bedrock permissions**
1. Sign in to the [IAM console](https://console.aws.amazon.com/iam) with a user that has permissions to create IAM policies. We recommend using the administrative user created in [Create an administrative user for managing AWS resources](setting-up-first-time-admin.md#setting-up-create-admin-user).
1. In the left-side navigation pane, choose **Policies**.
1. Choose **Create policy**.
1. In the **Policy editor** section, choose the **JSON** option.
1. Type or paste in a JSON policy document. The following example policy provides `InvokeModel` on all Amazon Bedrock resources, using the wildcard (`*`).
For best security practices, you should replace the wildcard with the Amazon Resource Name (ARN) of the resources you want to use with App Studio.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "BedrockAccessForAppStudio",
"Effect": "Allow",
"Action": [
"bedrock:InvokeModel"
],
"Resource": "*"
}
]
}
```
------
1. Choose **Next**.
1. On the **Review and create** page, provide a **Policy name**, such as **BedrockAccessForAppStudio**, and **Description** (optional).
1. Choose **Create policy** to create the policy.
### Step 2b: Create an IAM role to give App Studio access to Amazon Bedrock
To use Amazon Bedrock with App Studio, administrators must create an IAM role to give App Studio permissions to access the resources. The IAM role controls the scope of permissions for App Studio apps to use, and is used when creating the connector. We recommend creating at least one IAM role per service and policy.
**To create an IAM role to give App Studio access to Amazon Bedrock**
1. Sign in to the [IAM console](https://console.aws.amazon.com/iam) with a user that has permissions to create IAM roles. We recommend using the administrative user created in [Create an administrative user for managing AWS resources](setting-up-first-time-admin.md#setting-up-create-admin-user).
1. In the navigation pane of the console, choose **Roles** and then choose **Create role**.
1. In **Trusted entity type**, choose **Custom trust policy**.
1. Replace the default policy with the following policy to allow App Studio applications to assume this role in your account.
You must replace the following placeholders in the policy. The values to be used can be found in App Studio, in the **Account settings** page.
+ Replace *111122223333* with the AWS account number of the account used to set up the App Studio instance, listed as **AWS account ID** in the account settings in your App Studio instance.
+ Replace *11111111-2222-3333-4444-555555555555* with your App Studio instance ID, listed as **Instance ID** in the account settings in your App Studio instance.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/IsAppStudioAccessRole": "true",
"sts:ExternalId": "11111111-2222-3333-4444-555555555555"
}
}
}
]
}
```
------
Choose **Next**.
1. In **Add permissions**, search for and select the policy that you created in the previous step (**BedrockAccessForAppStudio**). Choosing the **\$1** next to a policy will expand the policy to show the permissions granted by it and choosing the checkbox selects the policy.
Choose **Next**.
1. On the **Name, review, and create** page, provide a **Role name** and **Description**.
1. In **Step 3: Add tags**, choose **Add new tag** to add the following tag to provide App Studio access:
+ **Key: **`IsAppStudioDataAccessRole`
+ **Value: **`true`
1. Choose **Create role** and make note of the generated Amazon Resource Name (ARN), you will need it when creating the Amazon Bedrock connector in App Studio in the next step.
## Step 3: Create Amazon Bedrock connector
Now that you have your Amazon Bedrock resources and IAM policy and role configured, use that information to create the connector in App Studio that builders can use to connect their apps to Amazon Bedrock.
**Note**
You must have the Admin role in App Studio to create connectors.
**To create a connector for Amazon Bedrock**
1. Navigate to App Studio.
1. In the left-side navigation pane, choose **Connectors** in the **Manage** section. You will be taken to a page displaying a list of existing connectors with some details about each.
1. Choose **\$1 Create connector**.
1. Choose **Other AWS services** from the list of connector types.
1. Configure your connector by filling out the following fields:
+ **Name:** Enter a name for your Amazon Bedrock connector.
+ **Description:** Enter a description for your Amazon Bedrock connector.
+ **IAM role:** Enter the Amazon Resource Name (ARN) from the IAM role created in [Step 2b: Create an IAM role to give App Studio access to Amazon Bedrock](#connectors-bedrock-iam-role). For more information about IAM, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html).
+ **Service:** Choose **Bedrock Runtime**.
**Note**
**Bedrock Runtime** is used to make inference requests for models hosted in Amazon Bedrock, whereas **Bedrock** is used to manage, train, and deploy models.
+ **Region:** Choose the AWS Region where your Amazon Bedrock resources are located.
1. Choose **Create**.
1. The newly created connector will appear in the **Connectors** list.
# Connect to Amazon Simple Email Service
To connect App Studio with Amazon SES to enable builders to use it to send email notifications from their apps, you must perform the following steps:
1. [Step 1: Configure Amazon SES resources](#connectors-ses-create-resources)
1. [Step 2: Create an IAM policy and role with appropriate Amazon SES permissions](#connectors-ses-iam-policy-role)
1. [Step 3: Create Amazon SES connector](#connectors-ses-create-connector)
## Step 1: Configure Amazon SES resources
If you haven't, you must first configure Amazon SES to use it to send emails. To learn more about setting up Amazon SES, see [Getting started with Amazon Simple Email Service](https://docs.aws.amazon.com/ses/latest/dg/getting-started.html) in the *Amazon Simple Email Service Developer Guide*.
## Step 2: Create an IAM policy and role with appropriate Amazon SES permissions
To use Amazon SES resources with App Studio, administrators must create an IAM role to give App Studio permissions to access the resources. The IAM role controls what Amazon SES functions or resources can be used in App Studio apps.
We recommend creating at least one IAM role per service and policy.
### Step 2a: Create an IAM policy with appropriate Amazon SES permissions
The IAM policy that you create and use with App Studio should contain only the minimally necessary permissions on the appropriate resources for the application to follow best security practices.
**To create an IAM policy with appropriate Amazon SES permissions**
1. Sign in to the [IAM console](https://console.aws.amazon.com/iam) with a user that has permissions to create IAM policies. We recommend using the administrative user created in [Create an administrative user for managing AWS resources](setting-up-first-time-admin.md#setting-up-create-admin-user).
1. In the left-side navigation pane, choose **Policies**.
1. Choose **Create policy**.
1. In the **Policy editor** section, choose the **JSON** option.
1. Type or paste in the following JSON policy document.
**Note**
The following policies apply to all Amazon SES resources using the wildcard (`*`). For best security practices, you should replace the wildcard with the Amazon Resource Name (ARN) of the resources you want to use with App Studio.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ses:SendEmail",
"Resource": "*"
}
]
}
```
------
1. Choose **Next**.
1. On the **Review and create** page, provide a **Policy name**, such as **SESForAppStudioPolicy**, and **Description** (optional).
1. Choose **Create policy** to create the policy.
### Step 2b: Create an IAM role to give App Studio access to Amazon SES
Now, create an IAM role that uses the policy you previously created. App Studio will use this policy to get access to Amazon SES.
**To create an IAM role to give App Studio access to Amazon SES**
1. Sign in to the [IAM console](https://console.aws.amazon.com/iam) with a user that has permissions to create IAM roles. We recommend using the administrative user created in [Create an administrative user for managing AWS resources](setting-up-first-time-admin.md#setting-up-create-admin-user).
1. In the left-side navigation pane, choose **Roles**
1. Choose **Create role**.
1. In **Trusted entity type**, choose **Custom trust policy**.
1. Replace the default policy with the following policy to allow App Studio applications to assume this role in your account.
You must replace the following placeholders in the policy. The values to be used can be found in App Studio, in the **Account settings** page.
+ Replace *111122223333* with the AWS account number of the account used to set up the App Studio instance, listed as **AWS account ID** in the account settings in your App Studio instance.
+ Replace *11111111-2222-3333-4444-555555555555* with your App Studio instance ID, listed as **Instance ID** in the account settings in your App Studio instance.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/IsAppStudioAccessRole": "true",
"sts:ExternalId": "11111111-2222-3333-4444-555555555555"
}
}
}
]
}
```
------
Choose **Next**.
1. In **Add permissions**, search for and select the policy that you created in the previous step (**SESForAppStudioPolicy**). Choosing the **\$1** next to a policy will expand the policy to show the permissions granted by it and choosing the checkbox selects the policy.
Choose **Next**.
1. On the **Name, review, and create** page, provide a **Role name** and **Description**.
1. In **Step 3: Add tags**, choose **Add new tag** to add the following tag to provide App Studio access:
+ **Key: **`IsAppStudioDataAccessRole`
+ **Value: **`true`
1. Choose **Create role** and make note of the generated Amazon Resource Name (ARN), you will need it when [creating the Amazon SES connector in App Studio](#connectors-ses-create-connector).
## Step 3: Create Amazon SES connector
Now that you Amazon SES and an IAM policy and role configured, use that information to create the connector in App Studio that builders can use to use Amazon SES in their apps.
**Note**
You must have the Admin role in App Studio to create connectors.
**To create a connector for Amazon SES**
1. Navigate to App Studio.
1. In the left-side navigation pane, choose **Connectors** in the **Manage** section. You will be taken to a page displaying a list of existing connectors with some details about each.
1. Choose **\$1 Create connector**.
1. Choose **Other AWS Services** from the list of connector types.
1. Configure your connector by filling out the following fields:
+ **Name:** Enter a name for your Amazon SES connector.
+ **Description:** Enter a description for your Amazon SES connector.
+ **IAM role:** Enter the Amazon Resource Name (ARN) from the IAM role created in [Step 2b: Create an IAM role to give App Studio access to Amazon SES](#connectors-ses-iam-role). For more information about IAM, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html).
+ **Service:** Choose **Simple Email Service**.
+ **Region:** Choose the AWS Region where your Amazon SES resources are located.
1. Choose **Create**.
1. The newly created connector will appear in the **Connectors** list.
# Connect to AWS services using the Other AWS services connector
While App Studio offers some connectors that are specific to certain AWS services, you can also connect to other AWS services using the **Other AWS services** connector.
**Note**
It is recommended to use the connector specific to the AWS service if it is available.
To connect App Studio with AWS services to enable builders to access and use the service's resources in applications, you must perform the following steps:
1. [Create an IAM role to give App Studio access to AWS resources](#connectors-aws-iam-role)
1. [Create an **Other AWS services** connector](#connectors-aws-create-connector)
## Create an IAM role to give App Studio access to AWS resources
To use AWS services and resources with App Studio, administrators must create an IAM role to give App Studio permissions to access the resources. The IAM role controls the scope of resources that builders can access and what operations can be called against the resources. We recommend creating at least one IAM role per service and policy.
**To create an IAM role to give App Studio access to AWS resources**
1. Sign in to the [IAM console](https://console.aws.amazon.com/iam) with a user that has permissions to create IAM roles. We recommend using the administrative user created in [Create an administrative user for managing AWS resources](setting-up-first-time-admin.md#setting-up-create-admin-user).
1. In the navigation pane of the console, choose **Roles** and then choose **Create role**.
1. In **Trusted entity type**, choose **Custom trust policy**.
1. Replace the default policy with the following policy to allow App Studio applications to assume this role in your account.
You must replace the following placeholders in the policy. The values to be used can be found in App Studio, in the **Account settings** page.
+ Replace *111122223333* with the AWS account number of the account used to set up the App Studio instance, listed as **AWS account ID** in the account settings in your App Studio instance.
+ Replace *11111111-2222-3333-4444-555555555555* with your App Studio instance ID, listed as **Instance ID** in the account settings in your App Studio instance.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/IsAppStudioAccessRole": "true",
"sts:ExternalId": "11111111-2222-3333-4444-555555555555"
}
}
}
]
}
```
------
Choose **Next**.
1. In **Add permissions**, search and select the policies that grant the appropriate permissions for the role. Choosing the **\$1** next to a policy will expand the policy to show the permissions granted by it and choosing the checkbox selects the policy. For more information about IAM, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html).
Choose **Next**.
1. In **Role details**, provide a name and description.
1. In **Step 3: Add tags**, choose **Add new tag** to add the following tag to provide App Studio access:
+ **Key: **`IsAppStudioDataAccessRole`
+ **Value: **`true`
1. Choose **Create role** and make note of the generated Amazon Resource Name (ARN), you will need it when [creating the **Other AWS services** connector in App Studio](#connectors-aws-create-connector).
## Create an **Other AWS services** connector
Now that you have your IAM role configured, use that information to create the connector in App Studio that builders can use to connect their apps to the service and resources.
**Note**
You must have the Admin role in App Studio to create connectors.
**To connect to AWS services using the **Other AWS services** connector**
1. Navigate to App Studio.
1. In the left-side navigation pane, choose **Connectors** in the **Manage** section.
1. Choose **\$1 Create connector**.
1. Choose **Other AWS services** in the **AWS connectors** section of the supported services list.
1. Configure your AWS service connector by filling out the following fields:
+ **Name: **Provide a name for your connector.
+ **Description: **Provide a description for your connector.
+ **IAM role: ** Enter the Amazon Resource Name (ARN) from the IAM role that was created in [Create an IAM role to give App Studio access to AWS resources](#connectors-aws-iam-role).
+ **Service: **Select the AWS service you want to connect to App Studio.
+ **Region: **Select the AWS Region where your AWS resources are located.
1. Choose **Create**. The newly created connector will appear in the connectors list.
# Use encrypted data sources with CMKs
This topic contains information about setting up and connecting App Studio to data sources that are encrypted using a [AWS KMS Customer Managed Key (CMK)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk).
**Contents**
+ [
## Using encrypted managed data storage tables
](#encrypted-data-cmk-managed-data)
+ [
## Using encrypted DynamoDB tables
](#encrypted-data-cmk-ddb)
## Using encrypted managed data storage tables
Use the following procedure to encrypt the DynamoDB tables used by managed storage entities in your App Studio apps. For more information about managed data entities, see [Managed data entities in AWS App Studio](managed-data-entities.md).
**To use encrypted managed data storage tables**
1. If necessary, create the managed data entities in an application in App Studio. For more information, see [Creating an entity with an App Studio managed data source](data-entities-create.md#data-entities-create-managed-data-source).
1. Add a policy statement with permissions to encrypt and decrypt table data with your CMK to the `AppStudioManagedStorageDDBAccess` IAM role by performing the following steps:
1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
**Important**
You must use the same account used to create your App Studio instance.
1. In the navigation pane of the IAM console, choose **Roles**.
1. Choose `AppStudioManagedStorageDDBAccess`.
1. In **Permissions policies**, choose **Add permissions** and then choose **Create inline policy**.
1. Choose **JSON** and replace the contents with the following policy, replacing the following:
+ Replace *111122223333* with the AWS account number of the account used to set up the App Studio instance, listed as **AWS account ID** in the account settings in your App Studio instance.
+ Replace *CMK\$1id* with CMK ID. To find it, see [Find the key ID and key ARN](https://docs.aws.amazon.com/kms/latest/developerguide/find-cmk-id-arn.html).
1. Encrypt the DynamoDB tables that are used by your App Studio managed data entities by performing the following steps:
1. Open the Amazon DynamoDB console at [https://console.aws.amazon.com/dynamodbv2/](https://console.aws.amazon.com/dynamodbv2/).
1. Choose the table you want to encrypt. You can find the table name in the **Connection** tab of the corresponding entity in App Studio.
1. Choose **Additional settings**.
1. In **Encryption**, choose **Manage encryption**.
1. Choose **Stored in your account, and owned and managed by you** and select your CMK.
1. Test your changes by republishing your app and ensuring that reading and writing data works in both the Testing and Production environments, and using this table in another entity works as expected.
**Note**
Any newly added managed data entities use the DynamoDB managed key by default, and must be updated to using the CMK by following the previous steps.
## Using encrypted DynamoDB tables
Use the following procedure to configure encrypted DynamoDB tables to be used in your App Studio apps.
**To use encrypted DynamoDB tables**
1. Follow the instructions in [Step 1: Create and configure DynamoDB resources](connectors-dynamodb.md#connectors-dynamodb-create-resources) with the following changes:
1. Configure your tables to be encrypted. For more information, see [Specifying the encryption key for a new table](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html#encryption.tutorial-creating) in the *Amazon DynamoDB Developer Guide*.
1. Follow the instructions in [Step 2: Create an IAM policy and role with appropriate DynamoDB permissions](connectors-dynamodb.md#connectors-dynamodb-iam), and then update the permission policy on the new role by adding a new policy statement with permits it to encrypt and decrypt table data using your CMK by performing the following steps:
1. If necessary, navigate to your role in the IAM console.
1. In **Permissions policies**, choose **Add permissions** and then choose **Create inline policy**.
1. Choose **JSON** and replace the contents with the following policy, replacing the following:
+ Replace *team\$1account\$1id* with your App Studio team ID, which can be found in your account settings.
+ Replace *CMK\$1id* with CMK ID. To find it, see [Find the key ID and key ARN](https://docs.aws.amazon.com/kms/latest/developerguide/find-cmk-id-arn.html).
1. Create the connector by following the instructions in [Create DynamoDB connector](connectors-dynamodb.md#connectors-dynamodb-create-connector) and using the role you created earlier.
1. Test the configuration by publishing an app that uses the DynamoDB connector and table to Testing or Production. Ensure that reading and writing data works, and using this table to create another entity works as well.
**Note**
When any new DynamoDB tables are created, you must configure them to be encrypted using a CMK by following the previous steps.
# Connect to third-party services
**Topics**
+ [
## OpenAPI Connector vs. API Connector
](#add-connector-third-party-openapi-vs-api)
+ [
# Connect to third-party services and APIs (generic)
](connectors-api.md)
+ [
# Connect to services with OpenAPI
](connectors-openapi.md)
+ [
# Connect to Salesforce
](connectors-salesforce.md)
## OpenAPI Connector vs. API Connector
To send API requests to third-party services from App Studio applications, you must create and configure a connector that the application uses to authenticate with the service and configure the API calls. App Studio provides both the `API Connector` and `OpenAPI Connector` connector types to accomplish this, which are described as follows:
+ **API Connector: **Used to configure authentication and request information for any type of REST API.
+ **OpenAPI Connector: **Used to configure authentication and request information for APIs that have adopted the OpenAPI Specification (OAS). APIs that adhere to the OAS provide several benefits, including standardization, security, governance, and documentation.
App Studio recommends using the `OpenAPI Connector` for any APIs that adhere to the OAS, and provide an OpenAPI Specification File. For more information about OpenAPI, see [What is OpenAPI?](https://swagger.io/docs/specification/v3_0/about/) in the Swagger documentation.
# Connect to third-party services and APIs (generic)
Use the following procedure to create a generic **API Connector** in App Studio. The **API Connector** is used to provide App Studio apps with access to third-party services, resources, or operations.
**To connect to third-party services with the **API Connector****
1. In the left-side navigation pane, choose **connectors** in the **Manage** section. You will be taken to a page displaying a list of existing connectors with some details about each.
1. Choose **\$1 Create connector**.
1. Choose **API Connector**. Now, configure your connector by filling out the following fields.
1. **Connector name: **Provide a name for your connector.
1. **Connector description: **Provide a description for your connector.
1. **Base URL: ** The website or host of the third-party connection. For example, `www.slack.com`.
1. **Authentication method:** Choose the method for authenticating with the target service.
+ **None:** Access the target service with no authentication.
+ **Basic:** Access the target service using a **Username** and **Password** obtained from the service being connected to.
+ **Bearer Token:** Access the target service using the **Token value** of an authentication token obtained from the service's user account or API settings.
+ **OAuth 2.0:** Access the target service using the OAuth 2.0 protocol, which grants App Studio access to the service and resources without sharing any credentials or identity. To use the OAuth 2.0 authentication method, you must first create an application from the service being connected to that represents App Studio to obtain the necessary information. With that information, fill out the following fields:
1. **Client credentials flow:** Ideal for system-to-system interactions where the application acts on its own behalf without user interaction. For example, a CRM app that updates Salesforce records automatically based on new records added by users, or an app that retrieves and displays transaction data in reports.
1. In **Client ID**, enter the ID obtained from the OAuth app created in the target service.
1. In **Client secret**, enter the secret obtained from the OAuth app created in the target service.
1. In **Access token URL**, enter the token URL obtained from the OAuth app created in the target service.
1. Optionally, in **Scopes**, enter the scopes for the application. Scopes are permissions or access levels required by the application. Refer to the target service's API documentation to understand their scopes, and configure only those that your App Studio app needs.
Choose **Verify connection** to test the authentication and connection.
1. **Authorization code flow:** Ideal for applications that require acting on behalf of a user. For example, a customer support app where users log in and view and update support tickets, or a sales app where each team members logs in to view and manage their sales data.
1. In **Client ID**, enter the ID obtained from the OAuth app created in the target service.
1. In **Client secret**, enter the secret obtained from the OAuth app created in the target service.
1. In **Authorization URL**, enter the authorization URL from the target service.
1. In **Access token URL**, enter the token URL obtained from the OAuth app created in the target service.
1. Optionally, in **Scopes**, enter the scopes for the application. Scopes are permissions or access levels required by the application. Refer to the target service's API documentation to understand their scopes, and configure only those that your App Studio app needs.
1. **Headers:** Add HTTP headers that are used to provide metadata about the request or response. You can add both keys and values, or only provide a key to which the builder can provide a value in the application.
1. **Query parameters:** Add query parameters that are used to pass options, filters, or data as part of the request URL. Like headers, you can provide both a key and value, or only provide a key to which the builder can provide a value in the application.
1. Choose **Create**. The newly created connector will appear in the **Connectors** list.
Now that the connector is created, builders can use it in their apps.
# Connect to services with OpenAPI
To connect App Studio with services using OpenAPI to enable builders to build applications that send requests and receive responses from the services, perform the following steps:
1. [Get the OpenAPI Specification file and gather service information](#connectors-openapi-create-resources)
1. [Create OpenAPI connector](#connectors-openapi-create-connector)
## Get the OpenAPI Specification file and gather service information
To connect a service to App Studio with OpenAPI, perform the following steps:
1. Go to the service that you want to connect to App Studio and find an OpenAPI Specification JSON file.
**Note**
App Studio supports OpenAPI Specification files that conform to version OpenAPI Specification Version 3.0.0 or higher.
1. Gather the necessary data to configure the OpenAPI connector, including the following:
+ The base URL for connecting to the service.
+ Authentication credentials, such as a token or username/password.
+ If applicable, any headers.
+ If applicable, any query parameters.
## Create OpenAPI connector
**To create a connector for OpenAPI**
1. Navigate to App Studio.
1. In the left-side navigation pane, choose **Connectors** in the **Manage** section. You will be taken to a page displaying a list of existing connectors with some details about each.
1. Choose **\$1 Create connector**.
1. Choose **OpenAPI Connector** from the list of connector types. Now, configure your connector by filling out the following fields.
1. **Name:** Enter a name for your OpenAPI connector.
1. **Description:** Enter a description for your OpenAPI connector.
1. **Base URL:** Enter the base URL for connecting to the service.
1. **Authentication method:** Choose the method for authenticating with the target service.
+ **None:** Access the target service with no authentication.
+ **Basic:** Access the target service using a **Username** and **Password** obtained from the service being connected to.
+ **Bearer Token:** Access the target service using the **Token value** of an authentication token obtained from the service's user account or API settings.
+ **OAuth 2.0:** Access the target service using the OAuth 2.0 protocol, which grants App Studio access to the service and resources without sharing any credentials or identity. To use the OAuth 2.0 authentication method, you must first create an application from the service being connected to that represents App Studio to obtain the necessary information. With that information, fill out the following fields:
1. **Client credentials flow:**
1. In **Client ID**, enter the ID from the target service.
1. In **Client secret**, enter the secret from the target service.
1. In **Access token URL**, enter the token URL from the target service.
1. Optionally, in **Scopes**, enter the scopes for the application. Scopes are permissions or access levels required by the application. Refer to the target service's API documentation to understand their scopes, and configure only those that your App Studio app needs.
Add any **Variables** to be sent with the service with each call, and choose **Verify connection** to test the authentication and connection.
1. **Authorization code flow:**
1. In **Client ID**, enter the ID from the target service.
1. In **Client secret**, enter the secret from the target service.
1. In **Authorization URL**, enter the authorization URL from the target service.
1. In **Access token URL**, enter the token URL from the target service.
1. Optionally, in **Scopes**, enter the scopes for the application. Scopes are permissions or access levels required by the application. Refer to the target service's API documentation to understand their scopes, and configure only those that your App Studio app needs.
1. **Variables:** Add variables to be sent to the service with each call. Variables added during configuration are securely stored and only accessed during runtime of applications that use the connection.
1. **Headers:** Add HTTP headers that are used to provide metadata about the request or response. You can add both keys and values, or only provide a key to which the builder can provide a value in the application.
1. **Query parameters:** Add query parameters that are used to pass options, filters, or data as part of the request URL. Like headers, you can provide both a key and value, or only provide a key to which the builder can provide a value in the application.
1. **OpenAPI Spec File:** Upload an OpenAPI Specification JSON file by dragging and dropping, or choosing **Select a file** to navigate your local file system and choose the file to be uploaded.
Once added, the file is processed and a list of available options are displayed. Select the necessary operations for your connector.
1. Choose **Create**. The newly created connector will appear in the **Connectors** list.
Now that the connector is created, builders can use it in their apps.
# Connect to Salesforce
To connect App Studio with Salesforce to enable builders to access and use Salesforce resources in applications, you must create and configure a connected app in Salesforce and create a Salesforce connector in App Studio.
**To connect Salesforce with App Studio**
1. In App Studio, in the navigation pane, choose **Connectors** in the **Manage** section. You will be taken to a page displaying a list of existing connectors with some details about each.
1. Choose **\$1 Create connector**.
1. Choose **Salesforce** from the list of connector types to open the connector creation page.
1. Take note of the **Redirect URL**, which you will use to configure Salesforce in the following steps.
1. The next step is to create a connected app in Salesforce. In another tab or window, navigate to your Salesforce instance.
1. In the Quick Find box, search **App Manager** and then select **App Manager**.
1. Choose **New Connected App**.
1. In **Connected App Name** and **API Name**, enter a name for your app. It does not have to match your App Studio app name.
1. Provide contact information as needed.
1. In the **API (Enable OAuth Settings)** section, enable **Enable OAuth Settings**.
1. In **Callback URL**, enter the **Redirect URL** you noted earlier from App Studio.
1. In **Selected OAuth Scopes**, add the necessary permissions scopes from the list. App Studio can interact with Salesforce REST APIs to perform CRUD operations on five objects: Accounts, Cases, Contacts, Leads, and Opportunities. It is recommended to add **Full access (full)** to ensure that your App Studio app has all relevant permissions or scopes.
1. Disable the **Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows** option. PKCE is not supported by App Studio.
1. Enable **Require Secret for Web Server Flow** and **Require Secret for Refresh Token Flow** to follow the best security practices.
1. App Studio supports both of the following authentication flows:
+ **Client Credentials Flow**: Ideal for server-to-server interactions where the application acts on its own behalf without user interaction. For example, listing all leads information for a team of temporary employees who do not have Salesforce access.
+ **Authorization Code Flow**: Suitable for applications that act on behalf of a user, such as personal data access or actions. For example, listing each sales manager’s leads sourced or owned by them to perform other tasks through this app.
+ For the Client Credentials Flow:
1. Enable **Enable Client Credentials Flow**. Review and confirm the message.
1. Save the app.
1. You must select an execution user, although there is no user interaction in the flow. By selecting an execution user, Salesforce returns access tokens on behalf of the user.
1. In the **App Manager**, from the list of apps, choose the arrow of the App Studio app and choose **Manage**.
1. Choose **Edit Policies**
1. In **Client Credentials Flow**, add the appropriate user.
+ For the Authorization Code Flow, enable **Enable Authorization Code and Credentials Flow**
1. Salesforce provides a Client ID and Client Secret, which must be used to configure the connector in App Studio in the following steps.
1. In the **App Manager**, choose the arrow of the App Studio app and choose **View**.
1. In the **API (Enable OAuth Settings)** section, choose **Manage Consumer Details** . This may send an email for a verification key, which you need to enter for confirmation.
1. Note the **Consumer Key** (Client ID) and the **Consumer Secret** (Client Secret).
1. Back in App Studio, configure and create your connector by filling out the following fields.
1. In **Name**, enter a name for your Salesforce connector.
1. In **Description**, enter a description for your Salesforce connector.
1. In **Base URL**, enter the base URL for your Salesforce instance. It should look like this: `https://hostname.salesforce.com/services/data/v60.0`, replacing *hostname* with your Salesforce instance name.
1. In **Authentication method**, ensure **OAuth 2.0** is selected.
1. In **OAuth 2.0 Flow**, select the OAuth authentication method and fill out the related fields:
+ Select **Client credentials flow** for use in applications that act on their own behalf, for system-to-system integrations.
1. In **Client ID**, enter the **Consumer Key** obtained previously from Salesforce.
1. In **Client secret**, enter the **Consumer Secret**, obtained previously from Salesforce.
1. In **Access token URL**, enter the OAuth 2.0 token endpoint. It should look like this: `https://hostname/services/oauth2/token`, replacing *hostname* with your Salesforce instance name. For more information, see the [Salesforce OAuth Endpoints](https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_endpoints.htm&type=5) documentation.
1. Choose **Verify connection** to test the authentication and connection.
+ Select **Authorization code flow** for use in applications that act on behalf of the user.
1. In **Client ID**, enter the **Consumer Key** obtained previously from Salesforce.
1. In **Client secret**, enter the **Consumer Secret**, obtained previously from Salesforce.
1. In **Authorization URL**, enter the authorization endpoint. It should look like this: `https://hostname/services/oauth2/authorize`, replacing *hostname* with your Salesforce instance name. For more information, see the [Salesforce OAuth Endpoints](https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_endpoints.htm&type=5) documentation.
1. In **Access token URL**, enter the OAuth 2.0 token endpoint. It should look like this: `https://hostname/services/oauth2/token`, replacing *hostname* with your Salesforce instance name. For more information, see the [Salesforce OAuth Endpoints](https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_endpoints.htm&type=5) documentation.
1. In **Operations**, select the Salesforce operations that your connector will support. The operations in this list are predefined and represent common tasks within Salesforce, such as creating, retrieving, updating, or deleting records from common objects.
1. Choose **Create**. The newly created connector will appear in the **Connectors** list.
# Viewing, editing, and deleting connectors
**To view, edit, or delete existing connectors**
1. In the navigation pane, choose **Connectors** in the **Manage** section. You will be taken to a page displaying a list of existing connectors with the following details for each connector:
+ **Name: **The name of the connector that was provided during creation.
+ **Description: **The description of the connector that was provided during creation.
+ **Connected to: **The service that the connector is connecting to App Studio. A value of **API** represents a connection to a third-party service.
+ **Created by: **The user that created the connector.
+ **Date created: **The date that the connector was created.
1. To view more details about a connector, or edit or delete a connector, use the following instructions:
+ To see more information about a specific connector, choose **View** for that connector.
+ To edit a connector, choose the dropdown menu next to **View** and choose **Edit**.
+ To delete a connector, choose the dropdown menu next to **View** and choose **Delete**.