---
title: AWS
url: https://www.tines.com/docs/credentials/aws/
updated: 2026-03-09T09:42:57+00:00
---

*[tines.com](https://www.tines.com/llms.txt) › [Docs](https://www.tines.com/llms.txt) › [Credentials](https://www.tines.com/llm/docs/credentials.md)*

# AWS

*[View on tines.com](https://www.tines.com/docs/credentials/aws/)*

## Introduction

Using Tines to automate interaction with AWS services requires the use of an AWS credential. When a HTTP Request Action with an AWS mode credential runs, Tines will authorize the request AWS using the [Signature Version 4 Signing Process](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) and include the corresponding headers in the request.

## Creating an AWS credential

### Role-based access

AWS [recommends using roles](https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html#use-roles) for cross account access - e.g. to allow Tines to access resources in your AWS account. To create a Role-based access AWS credential in Tines, you'll also need to create and correctly configure a Role in your AWS account. The following three steps will get you up and running. For more information, see the [AWS tutorial](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html).

Role-based access is not available on self-hosted environments.

#### Step 1: Create your AWS Credential in Tines

Create a new Credential in Tines. Select "Manual creation" then select the "AWS" option. 

![](https://www.datocms-assets.com/55802/1762872251-screenshot-2025-11-11-at-14-40-10.png)

Set the "Authentication type" to "Role-based access" and enter a name (and, optionally, a description). 

![](https://www.datocms-assets.com/55802/1762872328-screenshot-2025-11-11-at-14-42-35.png)

You can also choose whether to use a unique generated external ID or to use a team-scoped static external ID. If a team-scoped static external ID does not already exist then one will be generated.

Once you click "Save credential", you'll be presented with an Account ID and External ID:

![](https://www.datocms-assets.com/55802/1762872388-screenshot-2025-11-11-at-14-46-11.png)

You'll need these values in the next step.

#### Step 2: Create your Role in AWS

From the Identity and Access Management (IAM) section of the AWS console, navigate to "Roles" and click on "Create role":

![](https://www.datocms-assets.com/55802/1656001671-create_a_role_in_aws-1f51c0c0d3c7ee8090ed26b2575cb973.png)

For "Trusted entity type", select "Custom Trust Policy" and copy-paste the following trust policy, giving the two Tines AWS accounts permission to assume this role, using the External ID from step 1.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "857223745291"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "ExternalId"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "825838939522"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "ExternalId"
        }
      }
    }
  ]
}

```

![](https://www.datocms-assets.com/55802/1733936472-screenshot-2024-12-11-at-16-56-11.png)

Complete the "Add permissions" and "Name, review and create" steps to finish creating your Role.

#### Step 3: Add your Role's ARN to your Tines Credential

In the AWS console, open the Role you just created and copy the ARN:

![](https://www.datocms-assets.com/55802/1656001707-copy_role_arn-50b8a0abfcc4a4c592ba3a8eb13d34c3.png)

Paste it into the Role ARN field of your Credential in Tines and click "Save credential":

![](https://www.datocms-assets.com/55802/1762872536-screenshot-2025-11-11-at-14-48-46.png)

### Static External IDs

By default, a new and unique external ID is generated for each AWS credential created. More information on external IDs can be found in the [AWS docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html). Optionally when creating a role-based access AWS credential you can opt to use a static external ID that is scoped to a team. Each credential in the team that uses this option will have the same external ID. 

![](https://www.datocms-assets.com/55802/1762872942-screenshot-2025-11-11-at-14-42-46.png)

If you need to rotate a static external ID you can use the [destroy static external ID API endpoint](https://www.tines.com/api/teams/destroy_static_external_id/) which will delete the current static external ID for that team. A new one can be generated by creating a new AWS credential that uses the static external ID option. Previously created credentials are not affected.

### Key-based access

> **IMPORTANT:** AWS [discourages the use of long-term access keys](https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html#use-roles) in 3rd party tools. Please consider using a role-based access AWS credential instead.

Enter the following information in the AWS New Credential page:

- Credential name: Your desired AWS credential name.
- Access key: The `access key` from your [AWS Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html).
- Access secret: The `access secret` from your [AWS Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html).

If you want to [assume a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) before performing the action, you can set values for the following fields.

- Assumed Role ARN: The ARN of the role you wish to assume, e.g.: `arn:aws:iam::123456789012:role/write-access-role`

Tines will request a session with the minimum duration (15 minutes).

### Bedrock API key

To authenticate with AWS Bedrock using an API key, select `Bedrock API key` as the authentication type.

Enter the following information in the AWS New Credential page

-  Credential name: Your desired AWS credential name.
- API key: Your Bedrock API key.

This will be used for bearer token authentication.

For more details on Bedrock API keys, see the [AWS documentation](https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys.html)

## Using an AWS credential with a HTTP Request Action

To use an AWS credential with a HTTP Request action, include a [`CREDENTIAL` formula expression](https://www.tines.com/docs/formulas/referencing-data#from-credentials) in the action's `Authorization` header.

## Sample AWS HTTP Request Actions

### Scan a DynamoDB Table

```json
{
  "url": "https://dynamodb.eu-west-1.amazonaws.com",
  "method": "post",
  "content_type": "json",
  "payload": {
    "TableName": "TestTable",
    "AttributesToGet": ["Id"]
  },
  "headers": {
    "Authorization": "<<CREDENTIAL.aws_dynamo_db>>",
    "X-Amz-Target": "DynamoDB_20120810.Scan"
  }
}
```

### List Cloudtrails

```json
{
  "url": "https://cloudtrail.us-east-1.amazonaws.com",
  "method": "get",
  "content_type": "form",
  "payload": {
    "Action": "DescribeTrails",
    "Version": "2013-11-01"
  },
  "headers": {
    "Authorization": "<<CREDENTIAL.aws_cloudtrail>>"
  }
}
```

### List IAM Users

```json
{
  "url": "https://iam.amazonaws.com",
  "content_type": "form",
  "method": "get",
  "payload": {
    "Action": "ListUsers",
    "Version": "2010-05-08"
  },
  "headers": {
    "Authorization": "<<CREDENTIAL.aws_iam>>"
  }
}
```