Set up AWS Connector
- Latest Dynatrace
- How-to guide
- 4-min read
You'll learn how to set up an AWS Connector 
by
- Configuring AWS IAM role.
- Setting up and AWS Connection.
- Adding a host to the Allow-list.
- Granting permissions to Workflows.
After completing this setup, you can start using all the AWS Connector actions in your workflow.
We've introduced Access control for Connectors to enhance the security of AWS connections. This enhancement allows you to configure and share connections in a fine-grained way such that only specific users, groups, or service users can access the AWS connection. On March 31, 2026, legacy connections will be deprecated. This is a breaking change: you need to to migrate any existing connections to the enhanced connection schema.
To migrate your connections, follow the steps in Migrate to the enhanced connection schema for AWS Connector.
Prerequisites
-
Permission to configure an Identity Provider and a role in AWS IAM.
-
The user needs the Dynatrace default policy
AppEngine - Adminto install AWS Connector, add a connection, add a New host pattern in External requests, and authenticate with AWS. In detail, the following permissions are needed:ALLOW app-engine:apps:install;ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:hyperscaler-authentication.aws.connection";ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:dt-javascript-runtime.allowed-outbound-connections";ALLOW hyperscaler-authentication:aws:authenticate;
To use the AWS Connector in a secure way, follow our recommendations in Security best practices for AWS Connector.
Steps
Create an AWS Connection
Create an AWS Connection to authenticate with AWS.
- Go to Settings and select Connections > AWS.
- Select
Connection. A modal containing the form for creating the connection inside the Set up connection tab will open.
Enter the connection details
- In Name, enter a unique name that identifies your connection.
- In Type, Web identity is already selected.
- The Connection ID and Role ARN fields are deactivated in this step.
- Select Create.
After selecting Create, a Connection ID is created. This is visible in the Set up connection tab within the Connection ID text field. You need the Connection ID to configure the trust policy of your IAM role.
Copy the Connection ID and use it in the trust policy as shown in Configure AWS IAM.
Configure AWS IAM
The AWS Connector actions use OpenID Connect (OIDC) to authenticate with AWS, allowing them to access AWS resources. To configure AWS IAM
- Add a new Identity Provider.
- Add an AWS role.
Add a new Identity Provider
Add a new Identity Provider to AWS IAM using Dynatrace OIDC as a federated identity. Therefore, use the following parameters:
| Parameter | Value |
|---|---|
| Identity Provider URL | https://token.dynatrace.com |
| Identity Provider Audience | Has to match the pattern <tenant-domain>/app-id/dynatrace.aws.connector |
For example, the correct audience for the tenant abc12345 would be abc12345.apps.dynatrace.com/app-id/dynatrace.aws.connector.
Add an IAM role
Add a new IAM role to AWS IAM that is assumed when using the AWS connection in the Dynatrace workflow.
- Use the previously created Identity Provider as a trusted entity.
- Attach permission policies to the role or create an inline permission policy containing the required permissions.
Example code for the trust policy:
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"Federated": "arn:aws:iam::000000000000:oidc-provider/token.dynatrace.com"},"Action": "sts:AssumeRoleWithWebIdentity","Condition": {"StringEquals": {"token.dynatrace.com:aud": "<your-tenant>/app-id/dynatrace.aws.connector","token.dynatrace.com:sub": "dt:connection-id/<your-connection-id>"}}}]}
We highly recommend adding the condition key "token.dynatrace.com:sub": "dt:connection-id/<your-connection-id>" in your trust policy. This limits which Dynatrace connection is allowed to assume the role.
Replace <your-connection-id> with the ID of your created connection.
We recommend defining your Role with only the necessary permissions. For more information, see Security best practices for AWS Connector.
The AWS Connector actions list AWS regions where the workflow action can operate. The IAM role needs the action account:ListRegions in its policy to list the available regions.
Here is an example of an inline policy:
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": "account:ListRegions","Resource": "*"}]}
Link IAM role to the new connection
Once your IAM role is created and its trust policy is configured, copy the Role ARN of your AWS IAM role and paste it into the corresponding Role ARN field in the Set up connection tab.
Select Save to complete the setup.
Add a New host pattern in External requests
External requests enable outbound network connections from your Dynatrace environment to external services. They allow you to control access to public endpoints from the AppEngine with app functions and functions in Dashboards, Notebooks, and Automations.
-
Go to Settings and select General > Environment management, External Requests.
-
Select New host pattern.
-
Add the domain names.
-
Select Add.
This way you can granularly control the web services your functions can connect to.
You need to add the *.amazonaws.com domain name.
For more information, see Add a host to the allowlist.
Grant permissions to Workflows
Some permissions are required by Workflows to run actions on your behalf.
To fine-tune permissions granted to Workflows
- Go to Workflows and select Settings > Authorization settings.
- Select the following permissions besides the general Workflows permission.
hyperscaler-authentication:aws:authenticatesettings:objects:read
For more on general Workflows user permissions, see User permissions for workflows.