

End of support notice: On October 7, 2026, AWS will end support for AWS Proton. After October 7, 2026, you will no longer be able to access the AWS Proton console or AWS Proton resources. Your deployed infrastructure will remain intact. For more information, see [AWS Proton Service Deprecation and Migration Guide](https://docs.aws.amazon.com/proton/latest/userguide/proton-end-of-support.html).

# Setting up
<a name="ag-setting-up"></a>

Complete the tasks in this section so that you can create and register service and environment templates. You need these to deploy environments and services with AWS Proton.

**Note**  
We're offering AWS Proton at no additional expense. You can create, register, and maintain service and environment templates at no charge. You can also count on AWS Proton to self-manage its own operations, such as storage, security, and deployment. The only expenses that you incur while using AWS Proton are the following:
+ Costs of deploying and using AWS Cloud resources that you instructed AWS Proton to deploy and maintain for you.
+ Costs of maintaining an AWS CodeStar connection to your code repository.
+ Costs of maintaining an Amazon S3 bucket, if you use a bucket to provide inputs to AWS Proton. You can avoid these costs if you switch to [Template sync configurations](ag-template-sync-configs.md) using Git repositories for your [Template bundles](ag-template-authoring.md#ag-template-bundles).

**Topics**
+ [Setting up with IAM](ag-setting-up-iam.md)
+ [Setting up with AWS Proton](setting-up-for-service.md)

# Setting up with IAM
<a name="ag-setting-up-iam"></a>

When you sign up for AWS, your AWS account is automatically signed up for all services in AWS, including AWS Proton. You're charged only for the services and resources that you use.

**Note**  
You and your team, including administrators and developers, must all be under the same account.

## Sign up for AWS
<a name="setting-up-aws-sign-up"></a>

If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

## Create an IAM user
<a name="setting-up-create-iam-user"></a>

To create an administrator user, choose one of the following options.



| Choose one way to manage your administrator | To | By | You can also | 
| --- | --- | --- | --- | 
| In IAM Identity Center (Recommended) | Use short-term credentials to access AWS. This aligns with the security best practices. For information about best practices, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*. | Following the instructions in [Getting started](https://docs.aws.amazon.com//singlesignon/latest/userguide/getting-started.html) in the AWS IAM Identity Center User Guide. | Configure programmatic access by [Configuring the AWS CLI to use AWS IAM Identity Center](https://docs.aws.amazon.com//cli/latest/userguide/cli-configure-sso.html) in the AWS Command Line Interface User Guide. | 
| In IAM (Not recommended) | Use long-term credentials to access AWS. | Following the instructions in [Create an IAM user for emergency access](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started-emergency-iam-user.html) in the IAM User Guide. | Configure programmatic access by [Manage access keys for IAM users](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_credentials_access-keys.html) in the IAM User Guide. | 

## Setting up AWS Proton service roles
<a name="setting-up-cicd"></a>

There are a few IAM roles that you might want to create for different parts of your AWS Proton solution. You can create them in advance using the IAM console, or you can use the AWS Proton console to create them for you.

Create AWS Proton *environment roles* to allow AWS Proton to make API calls to other AWS services, like CloudFormation, AWS CodeBuild, and various compute and storage services, on your behalf to provision resources for you. An *AWS-managed provisioning role* is required when an environment or any of the service instances running in it use [AWS-managed provisioning](ag-works-prov-methods.md#ag-works-prov-methods-direct). A *CodeBuild role* is required when an environment or any of its service instances use [CodeBuild provisioning](ag-works-prov-methods.md#ag-works-prov-methods-codebuild). To learn more about the AWS Proton environment roles, see [IAM Roles](ag-environment-roles.md). When you [create an environment](ag-create-env.md), you can use the AWS Proton console to choose an existing role for either of these two roles, or to create a role with administrative privileges for you.

Similarly, create AWS Proton *pipeline roles* to allow AWS Proton to make API calls to other services on your behalf to provision a CI/CD pipeline for you. To learn more about the AWS Proton pipeline roles, see [AWS Proton pipeline service roles](security_iam_service-role-policy-examples.md#codepipeline-proton-svc-role). For more information about configuring CI/CD settings, see [Setting up account CI/CD pipeline settings](setting-up-for-service.md#setting-up-pr-pipelines).

**Note**  
Because we don't know which resources you will define in your AWS Proton templates, the roles that you create using the console have broad permissions and can be used as both the AWS Proton pipeline service roles and the AWS Proton service roles. For production deployments, we recommend that you scope down the permissions to the specific resources that will be deployed by creating customized policies for both the AWS Proton pipeline service roles and the AWS Proton environment service roles. You can create and customize these roles by using the AWS CLI or IAM. For more information, see [Service roles for AWS Proton](security_iam_service-with-iam.md#security_iam_service-with-iam-roles-service) and [Create a service](ag-create-svc.md).
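
The scoping-down recommendation in the note above can be checked mechanically before a role is used in production. The following is an added example, not part of the AWS Proton documentation or tooling: it lints a role's permissions policy for Allow statements that still grant broad access. The sample policies, ARNs, account ID, and the function name `unscoped_statements` are constructed for illustration.

```python
import json

# Constructed sample policies for a hypothetical Proton pipeline role;
# the ARNs and account ID 111122223333 are placeholders.
BROAD_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}}
""")
SCOPED_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Sid": "Stacks", "Effect": "Allow",
   "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack"],
   "Resource": "arn:aws:cloudformation:us-east-1:111122223333:stack/example-*"},
  {"Sid": "Build", "Effect": "Allow", "Action": "codebuild:*", "Resource": "*"},
  {"Sid": "NoIam", "Effect": "Deny", "Action": "iam:*", "Resource": "*"}
 ]}
""")


def _as_list(value):
    """IAM accepts a single string or object wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def unscoped_statements(policy):
    """Return (sid, reason) for each Allow statement that still needs scoping down."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "statement[%d]" % index)
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "Allow with NotAction/NotResource"))
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        any_resource = "*" in _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append((sid, "all actions allowed"))
        elif any_resource and any(a.endswith(":*") for a in actions):
            findings.append((sid, "service-wide wildcard on Resource *"))
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, unscoped_statements(doc))
```

An empty result means no statement matched these patterns; it does not prove that the policy is least privilege for your templates.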

# Setting up with AWS Proton
<a name="setting-up-for-service"></a>

If you want to use the AWS CLI to run AWS Proton APIs, verify that you have installed it. If you haven’t installed it, see [Setting up the AWS CLI](#ag-setting-up-cli).

**AWS Proton specific configuration:**
+ **To create and manage templates:**
  + If you're using [template sync configurations](ag-template-sync-configs.md), set up an [AWS CodeStar connection](#setting-up-vcontrol).
  + Otherwise, set up an [Amazon S3 bucket.](#setting-up-bucket)
+ **To provision infrastructure:**
  + For [self-managed provisioning](ag-works-prov-methods.md#ag-works-prov-methods-self), you must set up an [AWS CodeStar connection](#setting-up-vcontrol).
+ **(Optional) To provision pipelines:**
  + For [AWS-managed provisioning](ag-works-prov-methods.md#ag-works-prov-methods-direct) and [CodeBuild-based provisioning](ag-works-prov-methods.md#ag-works-prov-methods-codebuild), set up [pipeline roles](#setting-up-pr-role).
  + For [self-managed provisioning](ag-works-prov-methods.md#ag-works-prov-methods-self), set up a [pipeline repository](#setting-up-pr-repo). 

For more information about provisioning methods, see [How AWS-managed provisioning works](ag-works-prov-methods.md#ag-works-prov-methods-direct).

## Setting up an Amazon S3 bucket
<a name="setting-up-bucket"></a>

To set up an S3 bucket, follow the instructions at [Create your first S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-bucket.html). Place your inputs to AWS Proton in the bucket where AWS Proton can retrieve them. These inputs are known as template bundles. You can learn more about them in other sections of this guide.

## Setting up an AWS CodeStar connection
<a name="setting-up-vcontrol"></a>

To connect AWS Proton to a repository, you create an AWS CodeStar connection that activates a pipeline when a new commit is made on a third-party source code repository.

**AWS Proton uses the connection to:**
+ Activate a service pipeline when a new commit is made on your repository source code.
+ Make a pull request on an infrastructure as code repository.
+ Create a new template minor or major version whenever a commit is pushed to a template repository that changes one of your templates, if the version doesn’t already exist.

You can connect to Bitbucket, GitHub, GitHub Enterprise and GitHub Enterprise Server repositories with CodeConnections. For more information, see [CodeConnections](https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-CodestarConnectionSource.html) in the *AWS CodePipeline User Guide*.

**To set up a CodeStar connection**

1. Open the [AWS Proton console](https://console.aws.amazon.com//proton/).

1. In the navigation pane, select **Settings** and then **Repository connections** to take you to the **Connections** page in **Developer Tools** **Settings**. The page displays a list of connections.

1. Choose **Create connection** and follow the instructions.

## Setting up account CI/CD pipeline settings
<a name="setting-up-pr-pipelines"></a>

AWS Proton can provision CI/CD pipelines for deploying application code into your service instances. The AWS Proton settings you need for pipeline provisioning depend on the provisioning method you choose for your pipeline.

### AWS-managed and CodeBuild-based provisioning—set up pipeline roles
<a name="setting-up-pr-role"></a>

With [AWS-managed provisioning](ag-works-prov-methods.md#ag-works-prov-methods-direct) and [CodeBuild provisioning](ag-works-prov-methods.md#ag-works-prov-methods-codebuild), AWS Proton provisions pipelines for you. Therefore, AWS Proton needs a service role that provides permissions for provisioning pipelines. Each one of these two provisioning methods uses its own service role. These roles are shared across all AWS Proton service pipelines and you configure them once in your account settings.

**To create pipeline service roles using the console**

1. Open the [AWS Proton console](https://console.aws.amazon.com//proton/).

1. In the navigation pane, choose **Settings**, and then choose **Account settings**.

1. In the **Account CI/CD settings** page, choose **Configure**.

1. Do one of the following:
   + **To have AWS Proton create a pipeline service role for you**

     [To enable AWS-managed provisioning of pipelines] In the **Configure account settings** page, in the **AWS-managed provisioning pipeline role** section:

     1. Select **New service role**.

     1. Enter a name for the role, for example, **myProtonPipelineServiceRole**.

     1. Check the check box to agree to create an AWS Proton role with administrative privileges in your account.

     [To enable CodeBuild-based provisioning of pipelines] In the **Configure account settings** page, in the **CodeBuild pipeline role** section, choose **Existing service role**, and choose the service role that you created in the **CloudFormation pipeline role** section. Or, if you did not assign a CloudFormation pipeline role, repeat the previous three steps to create a new service role.
   + **To choose existing pipeline service roles**

     [To enable AWS-managed provisioning of pipelines] In the **Configure account settings** page, in the **AWS-managed provisioning pipeline role** section, choose **Existing service role**, and choose a service role in your AWS account.

     [To enable CodeBuild provisioning of pipelines] In the **Configure account settings** page, in the **CodeBuild pipeline provisioning role** section, choose **Existing service role**, and choose a service role in your AWS account.

1. Choose **Save changes**.

   Your new pipeline service role is displayed on the **Account settings** page.

### Self-managed provisioning—set up a pipeline repository
<a name="setting-up-pr-repo"></a>

With [self-managed provisioning](ag-works-prov-methods.md#ag-works-prov-methods-self), AWS Proton sends a pull request (PR) to a provisioning repository that you have set up, and your automation code is responsible for provisioning pipelines. Therefore, AWS Proton doesn't need a service role to provision pipelines. Instead, it needs a registered provisioning repository. Your automation code in the repository has to assume an appropriate role that provides permissions for provisioning pipelines.

**To register a pipeline provisioning repository using the console**

1. Create a CI/CD pipeline provisioning repository if you haven't yet created one. For more information about pipelines in self-managed provisioning, see [How self-managed provisioning works](ag-works-prov-methods.md#ag-works-prov-methods-self).

1. In the navigation pane, choose **Settings**, and then choose **Account settings**.

1. In the **Account CI/CD settings** page, choose **Configure**.

1. In the **Configure account settings** page, in the **CI/CD pipeline repository** section:

   1. Select **New repository**, and then choose one of the repository providers.

   1. For **CodeStar connection**, choose one of your connections.

      **Note**  
      If you don't yet have a connection to the relevant repository provider account, choose **Add a new CodeStar connection**, complete the connection creation process, and then choose the refresh button next to the **CodeStar connection** menu. You should now be able to choose your new connection in the menu.

   1. For **Repository name**, choose your pipeline provisioning repository. The drop-down menu shows the list of repositories in the provider account.

   1. For **Branch name**, choose one of the repository branches.

1. Choose **Save changes**.

   Your pipeline repository is displayed on the **Account settings** page.

## Setting up the AWS CLI
<a name="ag-setting-up-cli"></a>

To use the AWS CLI to make AWS Proton API calls, verify that you have installed the latest version of the AWS CLI. For more information, see [Getting started with the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html) in the *AWS Command Line Interface User Guide*. Then, to get started using the AWS CLI with AWS Proton, see [Getting started with the AWS CLI](ag-getting-started-cli.md).