Set up AWS Connector

  • Latest Dynatrace
  • How-to guide
  • 4-min read

You'll learn how to set up the AWS Connector by:

  • Configuring an AWS IAM role.
  • Setting up an AWS connection.
  • Adding a host to the allowlist.
  • Granting permissions to Workflows.

After completing this setup, you can start using all the AWS Connector actions in your workflow.

Breaking change: enhanced connection schema

We've introduced Access control for Connectors to enhance the security of AWS connections. This enhancement allows you to configure and share connections in a fine-grained way such that only specific users, groups, or service users can access the AWS connection.

On March 31, 2026, legacy connections will be deprecated. This is a breaking change: you need to migrate any existing connections to the enhanced connection schema.

To migrate your connections, follow the steps in Migrate to the enhanced connection schema for AWS Connector.

Prerequisites

  • Permission to configure an Identity Provider and a role in AWS IAM.

  • The user needs the Dynatrace default policy AppEngine - Admin to install AWS Connector, add a connection, add a New host pattern in External requests, and authenticate with AWS. In detail, the following permissions are needed:

    ALLOW app-engine:apps:install;
    ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:hyperscaler-authentication.aws.connection";
    ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:dt-javascript-runtime.allowed-outbound-connections";
    ALLOW hyperscaler-authentication:aws:authenticate;

To use the AWS Connector securely, follow our recommendations in Security best practices for AWS Connector.

Setup steps

1. Create an AWS connection

Create an AWS connection to authenticate with AWS.

  1. Go to Settings and select Connections > AWS.
  2. Select Add Connection. A modal containing the form for creating the connection will open inside the Set up connection tab.

2. Select the connection consumer

The AWS Connector lets you create connections for two consumers:

  • Workflows for automation: Workflows consumes the connection in the context of workflow actions.
  • OpenPipeline for log forwarding: OpenPipeline consumes the connection to forward logs via IAM cross-account role-based authentication.

Select one of the options.

3. Enter the connection details

Provide the connection details:

  1. In Name, enter a unique name that identifies your connection. The Connection ID and Role ARN fields are present, but their values are not yet visible. They become visible after the connection is generated.

  2. Select Create.

    A Connection ID is generated. The Connection ID is visible in the Set up connection tab within the Connection ID text field. You need the Connection ID to configure the trust policy of your IAM role.

  3. Copy the Connection ID and reference it in the trust policy as shown in Configure AWS IAM.

4. Add an IAM role

The AWS Connector uses OpenID Connect (OIDC) or cross-account role assumption to authenticate with AWS and access resources.

To configure AWS IAM, first add an IAM role in AWS IAM; this is the role that is assumed whenever the AWS connection is used. Define the role's trusted entity according to the consumer you chose in the Select the connection consumer step.

Consumer: Workflows for automation

  1. Set up a trusted entity for Workflows by selecting Custom trust policy as the trusted entity type.

  2. Add a new Identity Provider to AWS IAM using Dynatrace OIDC as a federated identity. Use the following parameters:

    Parameter                   Value
    Identity Provider URL       https://token.dynatrace.com
    Identity Provider Audience  Must match the pattern <tenant-domain>/app-id/dynatrace.aws.connector

    For example, the correct audience for the tenant ID abc12345 would be abc12345.apps.dynatrace.com/app-id/dynatrace.aws.connector.

  3. Use the created Identity Provider as a trusted entity for your IAM role.

    Here is an example of such a custom trust policy. Replace 000000000000 with your AWS account ID, and <your-tenant-domain> and <your-connection-id> with your tenant domain and the Connection ID generated in the previous step.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::000000000000:oidc-provider/token.dynatrace.com"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "token.dynatrace.com:aud": "<your-tenant-domain>/app-id/dynatrace.aws.connector",
              "token.dynatrace.com:sub": "dt:connection-id/<your-connection-id>"
            }
          }
        }
      ]
    }

    We highly recommend adding the condition key "token.dynatrace.com:sub": "dt:connection-id/<your-connection-id>" to your trust policy. Together with the aud condition, it limits role assumption to a single Dynatrace connection; without it, any connection in the tenant named by the audience could assume the role. Replace <your-connection-id> with the ID of the connection you created.

Consumer: OpenPipeline for log forwarding

  1. Set up a trusted entity for OpenPipeline by selecting AWS account for the trusted entity type.

  2. Select Another AWS account and specify the account ID 314146291599 and the Connection ID as the External ID.

    Here is an example of the resulting trust policy. The sts:ExternalId condition is what prevents a confused-deputy scenario: only a caller from the Dynatrace account that presents your Connection ID as the external ID can assume the role.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::314146291599:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<your-connection-id>"
            }
          }
        }
      ]
    }

5. Attach permission policies

To finish configuring AWS IAM, attach permission policies to the role, or create an inline permission policy containing the required permissions.

We recommend defining your role with only the necessary permissions. For more information, see Security best practices for AWS Connector.

The AWS Connector actions list AWS Regions where the workflow action can operate. The IAM role requires the account:ListRegions action in its policy to list the available Regions.

Here is an example of an inline policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "account:ListRegions",
      "Resource": "*"
    }
  ]
}
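The following script is an added example, not Dynatrace's own code. It generates the two trust policies from step 4 and lints them, together with a permission policy from step 5, for the mistakes a reviewer would look for: a missing aud or sub condition on the OIDC trust, a missing sts:ExternalId on the cross-account trust, and wildcard actions in the permission policy. The issuer token.dynatrace.com, the audience suffix and the OpenPipeline account 314146291599 are the values from this page; the account ID, tenant domain and connection ID used in the example run are constructed placeholders.

```python
"""Generate and lint the IAM policies for the AWS Connector (added example, not Dynatrace code).

Values from the page: the token.dynatrace.com issuer, the audience suffix and
the OpenPipeline account 314146291599. The account ID, tenant domain and
connection ID used in __main__ are constructed placeholders.
"""
from __future__ import annotations

import json

DT_OIDC_ISSUER = "token.dynatrace.com"
DT_OPENPIPELINE_ACCOUNT = "314146291599"
AUDIENCE_SUFFIX = "/app-id/dynatrace.aws.connector"


def audience(tenant_domain: str) -> str:
    """Audience to register on the IAM identity provider and to pin in the trust policy."""
    return tenant_domain + AUDIENCE_SUFFIX


def workflows_trust_policy(account_id: str, tenant_domain: str, connection_id: str) -> dict:
    """Trust policy for the Workflows consumer: OIDC federation pinned to one tenant and one connection."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{DT_OIDC_ISSUER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{DT_OIDC_ISSUER}:aud": audience(tenant_domain),
                f"{DT_OIDC_ISSUER}:sub": f"dt:connection-id/{connection_id}",
            }},
        }],
    }


def openpipeline_trust_policy(connection_id: str) -> dict:
    """Trust policy for the OpenPipeline consumer: cross-account AssumeRole gated by the connection ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{DT_OPENPIPELINE_ACCOUNT}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": connection_id}},
        }],
    }


def _as_list(value) -> list:
    """IAM allows a single string or a list for Action; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def lint_trust_policy(policy: dict) -> list[str]:
    """Flag Allow statements that let more callers assume the role than the two patterns above intend."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: wildcard principal")
            continue
        actions = _as_list(stmt.get("Action"))
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        federated = str(principal.get("Federated", ""))
        if "sts:AssumeRoleWithWebIdentity" in actions and federated.endswith(f"oidc-provider/{DT_OIDC_ISSUER}"):
            # Without aud, any audience registered on the identity provider (another tenant) is accepted;
            # without sub, any connection inside the matching tenant is accepted.
            if f"{DT_OIDC_ISSUER}:aud" not in equals:
                findings.append(f"statement {i}: missing {DT_OIDC_ISSUER}:aud condition")
            if f"{DT_OIDC_ISSUER}:sub" not in equals:
                findings.append(f"statement {i}: missing {DT_OIDC_ISSUER}:sub condition")
        if "sts:AssumeRole" in actions and "AWS" in principal:
            if principal["AWS"] == "*":
                findings.append(f"statement {i}: wildcard AWS principal")
            # Without sts:ExternalId, anything in the trusted account can assume the role (confused deputy).
            if "sts:ExternalId" not in equals:
                findings.append(f"statement {i}: cross-account trust without sts:ExternalId")
    return findings


def lint_permission_policy(policy: dict) -> list[str]:
    """Flag wildcard actions; the connector itself needs only account:ListRegions plus what your actions use."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action in ("*", "*:*") or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
    return findings


if __name__ == "__main__":
    trust = workflows_trust_policy("000000000000", "abc12345.apps.dynatrace.com", "<your-connection-id>")
    print(json.dumps(trust, indent=2))
    print("workflows findings:", lint_trust_policy(trust))
    print("openpipeline findings:", lint_trust_policy(openpipeline_trust_policy("<your-connection-id>")))
```

Run it against the trust policy you actually pasted into the AWS console (load it with json.load and pass it to lint_trust_policy) rather than against the generated one; the generated policies are the known-good reference, and the linter is what catches a hand-edited copy that dropped a condition.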

6. Complete the connection

Once your IAM role is created and its trust policy is configured, copy the Role ARN of your AWS IAM role and paste it into the corresponding Role ARN field in the Set up connection tab.

Select Save to complete the setup.

7. Add a New host pattern in External requests

External requests enable outbound network connections from your Dynatrace environment to external services. They allow you to control access to public endpoints from the AppEngine with app functions and functions in Dashboards, Notebooks, and Automations.

  1. Go to Settings > General > External requests.

  2. Select New host pattern.

  3. Add the domain names.

  4. Select Add.

This way you can granularly control the web services your functions can connect to.

You need to add the *.amazonaws.com domain name.

For more information, see Add a host to the allowlist.

8. Grant permissions to Workflows

Workflows require some permissions to run actions on your behalf.

To fine-tune permissions granted to Workflows:

  1. Go to Workflows and select Settings > Authorization settings.
  2. In addition to the general Workflows permissions, select the following permissions:
    • hyperscaler-authentication:aws:authenticate
    • settings:objects:read

For more on general Workflows user permissions, see User permissions for workflows.

Related tags
Software Delivery