
> Learn how to configure Amazon Web Services (AWS) for delegated authentication.

# Configure Amazon Web Services for Delegated Authentication

You can configure Amazon Web Services (AWS) for delegated authentication with Auth0. To learn more, read [Configure Amazon Web Services for Single Sign-on](/docs/customize/integrations/aws/configure-amazon-web-services-for-sso) and [Secure AWS API Gateway Endpoints Using Custom Authorizers](/docs/customize/integrations/aws/aws-api-gateway-custom-authorizers).

## Create a SAML provider in AWS

1. Log in to AWS, and go to the [IAM console](https://console.aws.amazon.com/iam). Using the left-hand navigation menu, select **Identity Providers**. Click **Create Provider**. Set the following parameters:

   | Parameter         | Description and Sample Value                                                                                                                                    |
   | ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | Provider Type     | The type of provider. Set as [`SAML`](/docs/glossary?term=%60SAML%60)                                                                                           |
   | Provider Name     | A descriptive name for the provider, such as `auth0SamlProvider`                                                                                                |
   | Metadata Document | Upload the file containing the Auth0 metadata, found in **Dashboard > Applications > Application Settings > Advanced Settings > Endpoints > SAML Metadata URL** |
2. Click **Next Step**.
3. Verify your settings and click **Create** if everything is correct.

## Create a role for your SAML provider

To use the provider, you must create an IAM role using the provider in the role's trust policy.

1. In the IAM console, go to [Roles](https://console.aws.amazon.com/iam/home#/roles). Click **Create role**. You'll be redirected to the **Trust** page. Select **SAML 2.0 federation** under **Select type of trusted entity**. Provide the following values:

   | Parameter     | Value                      |
   | ------------- | -------------------------- |
   | SAML Provider | The name for your new role |
   | Attribute     | `SAML:iss`                 |
   | Value         | `urn:{yourDomain}`         |
2. Click **Next: Permissions** to proceed.
3. You will need to attach permissions policies to your new role. You'll attach a custom policy. To create one, click **Create Policy**.
4. In the **Create policy** editor that launches, switch over to the **JSON** tab. Provide a custom policy.

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [{
       "Effect": "Allow",
       "Action": [
         "*"
       ],
       "Resource": [
         "arn:aws:s3:::{yourBucket}/${saml:sub}",
         "arn:aws:s3:::{yourBucket}/${saml:sub}/*"
       ]
     }]
   }
   ```

   This defines the permissions that users granted this role will have with AWS. Click **Review policy**.
5. Review the policy that you've created. Be sure to provide a **Name** for your policy and (optionally) a **Description**.
6. Click **Create policy** when done. If successful, you'll see the following message confirming the creation of your new policy: "auth0SamlRolePolicy has been created".
7. Returning to the role creation wizard (you should be on step **2 - Permissions**), find the new policy you just created and click its checkbox to attach the policy to your role. We recommend using the **Customer managed** filter to find your policy.
8. Click **Next: Review** to proceed.
9. Review the information about your role, provide a **Role name**, and optionally a **Role description**. You'll see the policy you attached as well. If everything looks correct, click **Create role** to proceed.
10. Once created, you can find your new role on the primary **Roles** page.
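The role created above has two policy documents: the trust policy the wizard builds from the **SAML 2.0 federation** settings (which the page describes but does not show), and the permissions policy from step 4, whose `${saml:sub}` variable IAM fills in from the assertion at evaluation time. The following added example (not Auth0's or AWS's own code) models both documents and checks them offline: it confirms that a user's assertion subject only unlocks that user's prefix in the bucket, and it flags the two mistakes that most often widen such a setup, a trust policy open to any federated principal and a resource that is not scoped to the federated user. The account ID, provider name, bucket name and tenant domain are constructed sample values.

```python
"""Added example: model and check the IAM policies behind a SAML-federated role.
Account id, provider name, bucket and issuer below are constructed samples."""
import json
import re

ACCOUNT_ID = "123456789012"                                  # constructed sample
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/auth0SamlProvider"
TENANT_ISSUER = "urn:example.auth0.com"                      # the urn:{yourDomain} value
BUCKET = "example-bucket"                                    # stands in for {yourBucket}
SAML_SUB_VAR = "${saml:sub}"                                 # IAM policy variable, resolved per request


def trust_policy() -> dict:
    """Trust policy the SAML 2.0 federation wizard produces: only assertions from
    our provider, for the AWS sign-in audience and carrying our tenant's issuer,
    may call sts:AssumeRoleWithSAML on this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {
                "SAML:aud": "https://signin.aws.amazon.com/saml",
                "SAML:iss": TENANT_ISSUER,
            }},
        }],
    }


def permissions_policy() -> dict:
    """The per-user S3 policy from step 4, with ${saml:sub} left unresolved."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["*"],
            "Resource": [
                f"arn:aws:s3:::{BUCKET}/{SAML_SUB_VAR}",
                f"arn:aws:s3:::{BUCKET}/{SAML_SUB_VAR}/*",
            ],
        }],
    }


def _arn_matches(pattern: str, arn: str) -> bool:
    """IAM-style match: '*' is the only wildcard; everything else is literal,
    so a subject such as 'auth0|alice' cannot smuggle in glob syntax."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, arn) is not None


def is_allowed(policy: dict, saml_sub: str, resource_arn: str) -> bool:
    """Toy evaluation of the Allow statements only: substitute the policy
    variable with the assertion's subject and match the requested ARN.
    Real IAM also applies explicit Deny, SCPs and resource policies."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for pattern in resources:
            if _arn_matches(pattern.replace(SAML_SUB_VAR, saml_sub), resource_arn):
                return True
    return False


def lint_trust_policy(policy: dict) -> list:
    """Flag trust policies that accept more than our one SAML provider."""
    findings = []
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if principal == "*" or federated == "*":
            findings.append("trust policy allows any federated principal")
        elif not (isinstance(federated, str) and ":saml-provider/" in federated):
            findings.append("Federated principal is not a SAML provider ARN")
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if "SAML:aud" not in conditions:
            findings.append("missing SAML:aud condition on sts:AssumeRoleWithSAML")
    return findings


def lint_permissions_policy(policy: dict) -> list:
    """Flag Allow statements whose resources are not tied to the federated user."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for resource in resources:
            if resource == "*":
                findings.append("Allow statement applies to every resource")
            elif SAML_SUB_VAR not in resource:
                findings.append(f"resource is not scoped to the federated user: {resource}")
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    own = f"arn:aws:s3:::{BUCKET}/auth0|alice/report.csv"
    other = f"arn:aws:s3:::{BUCKET}/auth0|bob/report.csv"
    print("alice -> own prefix:", is_allowed(permissions_policy(), "auth0|alice", own))
    print("alice -> bob's prefix:", is_allowed(permissions_policy(), "auth0|alice", other))
    print("findings:", lint_trust_policy(trust_policy()) + lint_permissions_policy(permissions_policy()))
```

Two details of the step 4 policy worth knowing when you run this: because every resource is an object ARN, `"Action": ["*"]` only ever matches S3 object actions (narrowing it to `s3:*` changes nothing in practice), and `s3:ListBucket` is not granted, since that action is evaluated against the bucket ARN, which the policy does not list.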

## Copy the ARN Values

The following instructions will show you where you can find the Provider and Role ARN values.

### Provider ARN

In the IAM console, go to [Identity providers](https://console.aws.amazon.com/iam/home#/providers). Select the provider in which you're interested to open up its summary page. Copy the **Provider ARN** value, which is listed first under **Summary**.

### Role ARN

In the IAM console, go to [Roles](https://console.aws.amazon.com/iam/home#/roles). Select the role in which you're interested to open up its summary page. Copy the **Role ARN** value, which is listed first under **Summary**.
