# Setting up AWS AppConfig
<a name="setting-up-appconfig"></a>

If you haven't already done so, sign up for an AWS account and create an administrative user.

## Sign up for an AWS account
<a name="sign-up-for-aws"></a>

To get started with AWS, you need an AWS account. For information about creating an AWS account, see [Getting started with an AWS account](https://docs.aws.amazon.com//accounts/latest/reference/getting-started.html) in the *AWS Account Management Reference Guide*.

## Grant programmatic access
<a name="setting-up-appconfig-programmatic-access"></a>

Users need programmatic access if they want to interact with AWS outside of the AWS Management Console. The way to grant programmatic access depends on the type of user that's accessing AWS.

To grant users programmatic access, choose one of the following options.


****  

| Which user needs programmatic access? | To | By | 
| --- | --- | --- | 
| IAM | (Recommended) Use console credentials as temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use.[See the AWS documentation website for more details](http://docs.aws.amazon.com/appconfig/latest/userguide/setting-up-appconfig.html) | 
| Workforce identity<br />(Users managed in IAM Identity Center) | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use.[See the AWS documentation website for more details](http://docs.aws.amazon.com/appconfig/latest/userguide/setting-up-appconfig.html) | 
| IAM | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions in [Using temporary credentials with AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) in the IAM User Guide. | 
| IAM | (Not recommended)Use long-term credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use.[See the AWS documentation website for more details](http://docs.aws.amazon.com/appconfig/latest/userguide/setting-up-appconfig.html) | 

## Configure permissions for automatic rollback
<a name="getting-started-with-appconfig-cloudwatch-alarms-permissions"></a>

You can configure AWS AppConfig to roll back to a previous version of a configuration in response to one or more Amazon CloudWatch alarms. When you configure a deployment to respond to CloudWatch alarms, you specify an AWS Identity and Access Management (IAM) role. AWS AppConfig requires this role so that it can monitor CloudWatch alarms. This procedure is optional, but highly recommended.

**Note**  
Note the following information.  
The IAM role must belong to the current account. By default, AWS AppConfig can only monitor alarms owned by the current account.
For information about metrics to monitor and how to configure AWS AppConfig for automatic rollback, see [Monitoring deployments for automatic rollback](monitoring-deployments.md).

Use the following procedures to create an IAM role that enables AWS AppConfig to rollback based on CloudWatch alarms. This section includes the following procedures.

1. [Step 1: Create the permission policy for rollback based on CloudWatch alarms](#getting-started-with-appconfig-cloudwatch-alarms-permissions-policy)

1. [Step 2: Create the IAM role for rollback based on CloudWatch alarms](#getting-started-with-appconfig-cloudwatch-alarms-permissions-role)

1. [Step 3: Add a trust relationship](#getting-started-with-appconfig-cloudwatch-alarms-permissions-trust)

### Step 1: Create the permission policy for rollback based on CloudWatch alarms
<a name="getting-started-with-appconfig-cloudwatch-alarms-permissions-policy"></a>

Use the following procedure to create an IAM policy that gives AWS AppConfig permission to call the `DescribeAlarms` API action. 

**To create an IAM permission policy for rollback based on CloudWatch alarms**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Policies**, and then choose **Create policy**.

1. On the **Create policy** page, choose the **JSON** tab.

1. Replace the default content on the JSON tab with the following permission policy, and then choose **Next: Tags**.
**Note**  
To return information about CloudWatch composite alarms, the [DescribeAlarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DescribeAlarms.html) API operation must be assigned `*` permissions, as shown here. You can't return information about composite alarms if `DescribeAlarms` has a narrower scope.

------
#### [ JSON ]

****  

   ```
   {
           "Version":"2012-10-17",		 	 	 
           "Statement": [
               {
                   "Effect": "Allow",
                   "Action": [
                       "cloudwatch:DescribeAlarms"
                   ],
                   "Resource": "*"
               }
           ]
       }
   ```

------

1. Enter tags for this role, and then choose **Next: Review**.

1. On the **Review** page, enter **SSMCloudWatchAlarmDiscoveryPolicy** in the **Name** field. 

1. Choose **Create policy**. The system returns you to the **Policies** page.

### Step 2: Create the IAM role for rollback based on CloudWatch alarms
<a name="getting-started-with-appconfig-cloudwatch-alarms-permissions-role"></a>

Use the following procedure to create an IAM role and assign the policy you created in the previous procedure to it. 

**To create an IAM role for rollback based on CloudWatch alarms**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**, and then choose **Create role**.

1. Under **Select type of trusted entity**, choose **AWS service**.

1. Immediately under **Choose the service that will use this role**, choose **EC2: Allows EC2 instances to call AWS services on your behalf**, and then choose **Next: Permissions**.

1. On the **Attached permissions policy** page, search for **SSMCloudWatchAlarmDiscoveryPolicy**. 

1. Choose this policy and then choose **Next: Tags**.

1. Enter tags for this role, and then choose **Next: Review**.

1. On the **Create role** page, enter **SSMCloudWatchAlarmDiscoveryRole** in the **Role name** field, and then choose **Create role**.

1. On the **Roles** page, choose the role you just created. The **Summary** page opens. 

### Step 3: Add a trust relationship
<a name="getting-started-with-appconfig-cloudwatch-alarms-permissions-trust"></a>

Use the following procedure to configure the role you just created to trust AWS AppConfig.

**To add a trust relationship for AWS AppConfig**

1. In the **Summary** page for the role you just created, choose the **Trust Relationships** tab, and then choose **Edit Trust Relationship**.

1. Edit the policy to include only "`appconfig.amazonaws.com`", as shown in the following example:

------
#### [ JSON ]

****  

   ```
   {
     "Version":"2012-10-17",		 	 	 
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Service": "appconfig.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   ```

------

1. Choose **Update Trust Policy**.