Overview

Pre-built tooling

Pre-built integrations

Access requirements

Setup guide

Useful links

API gotchas

Pre-built tooling

Pre-built integrations

No pre-built integration yet (time to contribute: <48h)
Not seeing the integration you need? Build your own independently.

Access requirements

Pre-RequisitesStatusComment
Paid dev account✅ Not requiredFree, self-signup for an AWS account.
Paid test account✅ Not requiredFree tier is sufficient for testing.
Partnership✅ Not required
App review✅ Not required
Security audit✅ Not required

Setup guide

AWS offers multiple authentication methods. This guide covers two main approaches:

AWS IAM (Basic Auth)

1

Create an AWS account

If you don’t already have one, sign up for an AWS account.
2

Create an IAM user

  1. Sign in to the AWS Management Console.
  2. Navigate to the IAM service by searching for “IAM” in the search bar.
  3. In the left navigation pane, choose Users, then Create user.
  4. Enter a user name and select Next.
  5. On the permissions page, select Attach policies directly.
  6. Search for and select the policies that grant the necessary permissions for your integration. For example, you might need AmazonS3ReadOnlyAccess for S3 access.
  7. Choose Next, review your choices, and then select Create user.
3

Create access keys

  1. From the list of users, select the user you just created.
  2. Select the Security credentials tab.
  3. Under Access keys, choose Create access key.
  4. Select Application running outside AWS as the use case, then click Next.
  5. (Optional) Add a description tag, then click Create access key.
  6. On the final page, you’ll see your Access key ID and Secret access key. Make sure to download the .csv file or copy these values, as you won’t be able to view the secret access key again.
4

Configure your integration in Nango

When setting up your AWS IAM integration in Nango:
  • Use your Access key ID as the username
  • Use your Secret access key as the password
  • Specify the AWS region in your connection configuration (e.g., us-east-1)
5

Next

Follow the Quickstart.

AWS Cognito (OAuth 2.0)

1

Create an AWS account

If you don’t already have one, sign up for an AWS account.
2

Create a Cognito User Pool

  1. Sign in to the AWS Management Console.
  2. Navigate to the Amazon Cognito service by searching for “Cognito” in the search bar.
  3. Choose User Pools from the left navigation pane.
  4. Select Create user pool.
  5. Choose the authentication providers you want to use. For OAuth integration, select Cognito user pool as the provider.
  6. Configure the security requirements, including password policy and MFA settings.
  7. Configure sign-up experience and required attributes.
  8. Configure message delivery for verification emails and SMS.
  9. Integrate your app by giving it a name and configuring the app client.
  10. Review all settings and create the user pool.
3

Configure the App Client

  1. After creating the user pool, navigate to the App integration tab.
  2. Under App clients and analytics, select Create app client.
  3. Choose Confidential client for server-side applications.
  4. Enter a name for your app client.
  5. Set the Refresh token expiration as needed (default is 30 days).
  6. Under Allowed callback URLs, add https://api.nango.dev/oauth/callback.
  7. Select the OAuth 2.0 grant types you need (typically Authorization code grant).
  8. Under OpenID Connect scopes, select the scopes your application requires.
  9. Choose Create app client.
4

Configure a Domain

  1. Still in the App integration tab, under Domain, choose Actions and then Create custom domain or Create Cognito domain.
  2. For a Cognito domain, enter a domain prefix.
  3. For a custom domain, enter your domain name and upload an SSL certificate.
  4. Choose Create.
5

Configure OAuth Settings

  1. In the App integration tab, under Hosted UI, choose Edit.
  2. Configure the identity providers you want to use.
  3. Set the callback URL to https://api.nango.dev/oauth/callback.
  4. Select the OAuth scopes you need.
  5. Choose Save changes.
6

Obtain Client Credentials

  1. Navigate to the App clients and analytics section.
  2. Select your app client from the list.
  3. Note your Client ID.
  4. Click Show client secret to view and copy your client secret.
7

Configure your integration in Nango

When setting up your AWS Cognito integration in Nango:
  • Use your Client ID and Client Secret
  • For the OAuth authorization URL, use: https://{your-domain}.auth.{region}.amazoncognito.com/oauth2/authorize
  • For the token URL, use: https://{your-domain}.auth.{region}.amazoncognito.com/oauth2/token
  • Replace {your-domain} with your Cognito domain prefix and {region} with your AWS region (e.g., us-east-1)
8

Next

Follow the Quickstart.

Creating a new connection

  • To create a new connection in Nango for AWS IAM, you’ll need an Access Key ID and a Secret Access Key. Use these to set up your connection, with the Access Key ID as the username and the Secret Access Key as the password. For more details on generating these keys, visit Create an access key.
  • With this you can now use your basic auth credentials to sign you requests as follows. For more on how to sign your requests, please vist AWS signature version 4 for API requests
    if ('username' in connection.credentials && 'password' in connection.credentials && 'region' in connection.connection_config) {
        const accessKeyId = connection.credentials['username'];
        const secretAccessKey = connection.credentials['password'];
        const region = connection.connection_config['region'];
        const host = 'iam.amazonaws.com';

        const date = new Date().toISOString().replace(/[:-]|\.\d{3}/g, '');
        const payloadHash = crypto.createHash('sha256').update('').digest('hex');
        const canonicalHeaders = `host:${host}\nx-amz-date:${date}\n`;
        const signedHeaders = 'host;x-amz-date';

        const canonicalRequest = `${method}\n${path}\n${querystring}\n${canonicalHeaders}\n${signedHeaders}\n${payloadHash}`;
        const credentialScope = `${date.substr(0, 8)}/${region}/${service}/aws4_request`;
        const stringToSign = `AWS4-HMAC-SHA256\n${date}\n${credentialScope}\n${crypto.createHash('sha256').update(canonicalRequest).digest('hex')}`;

        const getSignatureKey = (key: string, dateStamp: string, regionName: string, serviceName: string) => {
            const kDate = crypto.createHmac('sha256', `AWS4${key}`).update(dateStamp).digest();
            const kRegion = crypto.createHmac('sha256', kDate).update(regionName).digest();
            const kService = crypto.createHmac('sha256', kRegion).update(serviceName).digest();
            return crypto.createHmac('sha256', kService).update('aws4_request').digest();
        };

        const signingKey = getSignatureKey(secretAccessKey, date.substr(0, 8), region, service);
        const signature = crypto.createHmac('sha256', signingKey).update(stringToSign).digest('hex');

        const authorizationHeader = `AWS4-HMAC-SHA256 Credential=${accessKeyId}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;

        return { authorizationHeader, date };
Need help getting started? Get help in the community.
Contribute useful links by editing this page

Common Scopes

You can find the list of supported scopes in scopes documentation

API gotchas

None yet, add yours!
Contribute API gotchas by editing this page