- Getting started
- Notifications
- Licensing
- Troubleshooting
- Connector Builder
- Act! 365
- ActiveCampaign
- Active Directory - Preview
- Adobe Acrobat Sign
- Adobe PDF Services
- Amazon Bedrock
- Amazon Connect
- Amazon Polly
- Amazon SES
- Amazon Transcribe
- Amazon Web Services
- About the Amazon Web Services connector
- Amazon Web Services authentication
- Anthropic Claude
- Asana
- AWeber
- Azure AI Document Intelligence
- Azure Defender for Cloud
- Azure Maps
- BambooHR
- Box
- Brevo
- Calendly
- Campaign Monitor
- Cisco Webex Teams
- Citrix Hypervisor
- Citrix ShareFile
- Clearbit
- Confluence Cloud
- Constant Contact
- Coupa
- CrewAI – Preview
- Customer.io
- Database Hub - Preview
- Databricks Agent
- Datadog
- DeepSeek
- Deputy
- Discord - Preview
- DocuSign
- Drip
- Dropbox
- Dropbox Business
- Egnyte
- Eventbrite
- Exchangerates
- Exchange Server - Preview
- Expensify
- Facebook
- Freshbooks
- Freshdesk
- Freshsales
- Freshservice
- GetResponse
- GitHub
- Gmail
- Google Cloud Platform
- Google Docs
- Google Drive
- Google Forms - Preview
- Google Maps
- Google Sheets
- Google Speech-to-Text
- Google Text-to-Speech
- Google Tasks - Preview
- Google Vertex
- Google Vision
- Google Workspace
- GoToWebinar
- Greenhouse
- Hootsuite
- HTTP
- HTTP Webhook
- Hubspot CRM
- HubSpot Marketing
- HyperV - Preview
- Icertis
- iContact
- Insightly CRM
- Intercom
- Jina.ai
- Jira
- Keap
- Klaviyo
- LinkedIn
- Mail
- Mailchimp
- Mailgun
- Mailjet
- MailerLite
- Marketo
- Microsoft 365
- Microsoft Azure
- Microsoft Azure Active Directory
- Microsoft Azure AI Foundry
- Microsoft Azure OpenAI
- Microsoft Azure Sentinel
- Microsoft Dynamics 365 CRM
- Microsoft OneDrive & Sharepoint
- Microsoft Outlook 365
- Microsoft Power Automate – Preview
- Microsoft Sentiment
- Microsoft Sentinel Threat Intelligence
- Microsoft Teams
- Microsoft Translator
- Microsoft Vision
- Miro
- NetIQ eDirectory
- Nvidia NIM – Preview
- Okta
- OpenAI
- OpenAI V1 Compliant LLM
- Oracle Eloqua
- Oracle NetSuite
- PagerDuty
- PayPal
- PDFMonkey
- Perplexity
- Pinecone
- Pipedrive
- QuickBooksOnline
- Quip
- Salesforce
- Salesforce AgentForce & Flows – Preview
- Salesforce Marketing Cloud
- SAP BAPI
- SAP Cloud for Customer
- SAP Concur
- SAP OData
- SendGrid
- ServiceNow
- Shopify
- Slack
- SmartRecruiters
- Smartsheet
- Snowflake
- Snowflake Cortex
- Stripe
- Sugar Enterprise
- Sugar Professional
- Sugar Sell
- Sugar Serve
- System Center - Preview
- TangoCard
- Todoist
- Trello
- Twilio
- UiPath Apps - Preview
- UiPath Data Fabric – Preview
- UiPath GenAI Activities
- UiPath Orchestrator
- X (formerly Twitter)
- Xero
- watsonx.ai
- WhatsApp Business
- WooCommerce
- Workable
- Workday
- Workday REST
- VMware ESXi vSphere
- YouTube
- Zendesk
- Zoho Campaigns
- Zoho Desk
- Zoho Mail
- Zoom
- ZoomInfo
Integration Service user guide
Prerequisites
Use the following table to choose an authentication method based on your use case:
| Method | Best for | Limitations |
|---|---|---|
| Access Key | Quick connections and testing with existing IAM credentials | Session token expires (15 minutes to 12 hours); connections must be renewed when the token expires |
| Access key assume role | Robots running on AWS EC2 instances with an attached IAM role | Robot must be deployed on an EC2 instance; session token expires |
| UiPath Managed Cross-Account Assume Role | Production unattended automations without long-term IAM credentials | Requires a UiPath support request; provisioning takes approximately 3.5 weeks |
To create a connection, you need to provide the following credentials:
- For Access Key
authentication method:
- Access key ID (the access key used to connect to Amazon Web Services)
- Secret access key (the secret key used to connect to Amazon Web Services)
- Temporary session token (used to create the AWS client session)
- Region (specifies the AWS Region to connect to)
- For Access key assume
role authentication method:
- Access key ID (the access key used to connect to Amazon Web Services)
- Secret access key (the secret key used to connect to Amazon Web Services)
- IAM role (specifies the name of the IAM role)
- Temporary session token (used to create the AWS client session)
- Region (specifies the AWS Region to connect to)
- For UiPath Managed Cross-Account Assume
Role authentication method:
- IAM role ARN
- External ID
- Region (specifies the AWS Region to connect to)
The Temporary session token is issued by the AWS Security Token Service (STS) and has a limited lifetime (15 minutes to 12 hours by default). When the token expires, the connection fails and must be manually renewed. For automations that run longer than the session token lifetime, consider using the UiPath Managed Cross-Account Assume Role method instead, which does not require session tokens.
Creating an Access key assume role connection
To create an Access key assume role connection, first follow these steps:
The IAM user whose credentials you provide must have the sts:AssumeRole permission for the target role in their own IAM policy.
-
Navigate to AWS console > IAM > Role.
-
Select Create Role.
-
Select Custom Trust Policy.
-
Attach the custom trust policy, as shown in the following code section:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "<user ARN>" }, "Action": "sts:AssumeRole" } ] }{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "<user ARN>" }, "Action": "sts:AssumeRole" } ] } -
Add the permissions needed to be assigned to the user.
-
Fill all the required details and then select Create.
-
The UiPath Robot running the automation must be deployed in an AWS EC2 instance to which the specified IAM Role is attached, as described here.
Creating a UiPath Managed Cross-Account Assume Role connection
This type of connection uses temporary STS credentials instead of long-term IAM keys to securely access AWS resources (S3, EC2, DynamoDB, Bedrock). You only need to provide minimal inputs and complete a one-time AWS account setup, no IAM access keys or secrets required.
If you want to use this authentication type, you must first raise a request with UiPath support. After you raise the request, it can take around three and a half weeks before you can create a connection using this authentication type.
UiPath will create and manage a different IAM user per customer, guaranteeing that the AWS access will be isolated at the UiPath organisation level.
Role assumption will provide all attached permissions to your role in a tenant where this type of connection is established.
To create a connection:
-
Provide the ARN of the IAM Role that UiPath should assume. This Role ARN will be incorporated into an IAM user's permissions policy. The IAM user is created and managed by UiPath specifically and isolated for each customer.
-
Configure IAM role's trust policy. Update the IAM Role trust policy to allow assumption by UiPath’s IAM user.
-
UiPath will share the ARN of its IAM user created specifically for your customer account.
-
You must add the UiPath IAM user ARN into the Principal element of the role’s trust policy.
-
We require an External ID as an extra safety safeguard in third-party access scenarios and to help prevent the confused deputy problem. This can be any string of your choosing. To configure it, add a condition with
sts:ExternalIdas in the example below. The External Id is passed to UiPath during the actual Integration Service connection creation. Example policy format:{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "<UiPath IAM user ARN>" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": "<your External Id>" } } } ] }{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "<UiPath IAM user ARN>" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": "<your External Id>" } } } ] }
-
-
Configure IAM role’s permission policies. For example:
- S3: List/Get/Put on specific buckets.
- Bedrock: InvokeModel, InvokeModelWithResponseStream.
Warning:The IAM role must be granted the minimum set of permissions required for your specific use case. For example, if the use case involves reading objects from an S3 bucket, the role should only have read-only access to that specific bucket. A sample policy for such a use case would look as follows:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::your-bucket-name", "arn:aws:s3:::your-bucket-name/*" ] } ] }{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::your-bucket-name", "arn:aws:s3:::your-bucket-name/*" ] } ] } -
Add the Amazon Web Services connection in Integration Service.
Add the connection
To create a connection to your Amazon Web Services instance, you need to perform the following steps:
-
Select Orchestrator from the product launcher.
-
Select a folder, and then navigate to the Connections tab.
-
Select Add connection.
-
To open the connection creation page, select the connector from the list. You can use the search bar to find the connector.
-
From the Authentication Type field, select one of the three options: Access key, Access key assume role, or UiPath Managed Cross Account Assume Role. By default, Access key is selected.
-
Enter the required credentials for your preferred authentication method. In the AWS service name field, select the AWS service you intend to connect to: s3, ec2, workspaces, or bedrock-runtime.
Note:If you intend to use this connection with Amazon Bedrock (for example, to invoke AI models), you must select bedrock-runtime. Selecting a different service name will cause Bedrock requests to fail.
-
Select Connect.