# Connecting to LinkedIn
<a name="connecting-to-linkedin"></a>

LinkedIn is a paid marketing tool that offers access to LinkedIn social networks through various sponsored posts and other methods. LinkedIn is a powerful marketing tool for B2B companies to build leads, online recognition, share content, and more.

**Topics**
+ [AWS Glue support for LinkedIn](linkedin-support.md)
+ [Policies containing the API operations for creating and using connections](linkedin-configuring-iam-permissions.md)
+ [Configuring LinkedIn](linkedin-configuring.md)
+ [Configuring LinkedIn connections](linkedin-configuring-connections.md)
+ [Reading from LinkedIn entities](linkedin-reading-from-entities.md)
+ [LinkedIn connection options](linkedin-connection-options.md)
+ [Creating a LinkedIn account](linkedin-create-account.md)
+ [Limitations](linkedin-connector-limitations.md)

# AWS Glue support for LinkedIn
<a name="linkedin-support"></a>

AWS Glue supports LinkedIn as follows:

**Supported as a source?**  
Yes. You can use AWS Glue ETL jobs to query data from LinkedIn.

**Supported as a target?**  
No.

**Supported LinkedIn API versions**  
** 202406 (June 2024) **

# Policies containing the API operations for creating and using connections
<a name="linkedin-configuring-iam-permissions"></a>

The following sample policy describes the required AWS permissions for creating and using connections. If you are creating a new role, create a policy that contains the following: 

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:ListConnectionTypes",
        "glue:DescribeConnectionType",
        "glue:RefreshOAuth2Tokens",
        "glue:ListEntities",
        "glue:DescribeEntity"
      ],
      "Resource": "*"
    }
  ]
}
```

------

If you don't want to use the preceding method, alternatively, use the following managed IAM policies:
+  [ AWSGlueServiceRole ](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole) – Grants access to resources that various AWS Glue processes require to run on your behalf. These resources include AWS Glue, Amazon S3, IAM, CloudWatch Logs, and Amazon EC2. If you follow the naming convention for resources specified in this policy, AWS Glue processes have the required permissions. This policy is typically attached to roles specified when defining crawlers, jobs, and development endpoints. 
+  [ AWSGlueConsoleFullAccess ](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess) – Grants full access to AWS Glue resources when an identity that the policy is attached to uses the AWS Management Console. If you follow the naming convention for resources specified in this policy, users have full console capabilities. This policy is typically attached to users of the AWS Glue console. 

# Configuring LinkedIn
<a name="linkedin-configuring"></a>

Before you can use AWS Glue to transfer from LinkedIn, you must meet the following requirements:

## Minimum requirements
<a name="linkedin-configuring-min-requirements"></a>
+ You have a LinkedIn account. For more information about creating an account, see [Creating a LinkedIn account](linkedin-create-account.md). 
+ Your LinkedIn account is enabled for API access. 
+ You have created a `OAuth2 API` integration in your LinkedIn account. This integration provides the client credentials that AWS Glue uses to access your data securely when it makes authenticated calls to your account. For more information, see [Creating a LinkedIn account](linkedin-create-account.md).

If you meet these requirements, you’re ready to connect AWS Glue to your LinkedIn account. For typical connections, you don't need do anything else in LinkedIn.

# Configuring LinkedIn connections
<a name="linkedin-configuring-connections"></a>

 LinkedIn supports `AUTHORIZATION_CODE` grant type for OAuth2. 

This grant type is considered “three-legged” `OAuth` as it relies on redirecting users to the third-party authorization server to authenticate the user. Users may opt to create their own connected app in LinkedIn and provide their own client ID and client secret when creating connections through the AWS Glue console. In this scenario, they will still be redirected to LinkedIn to login and authorize AWS Glue to access their resources. 

This grant type results in both a refresh token and an access token. The access token expires 60 days after creation. A new access token can be obtained using the refresh token.

For public LinkedIn documentation on creating a connected app for `Authorization Code OAuth` flow, see [Authorization Code Flow (3-legged OAuth)](https://learn.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?toc=%2Flinkedin%2Fmarketing%2Ftoc.json&bc=%2Flinkedin%2Fbreadcrumb%2Ftoc.json&view=li-lms-2024-07&tabs=HTTPS1).

**Configuring a LinkedIn connection**

1.  In AWS Secrets Manager, create a secret with the following details: 
   + For customer managed connected app – Secret should contain the connected app Consumer Secret with `USER_MANAGED_CLIENT_APPLICATION_CLIENT_SECRET` as key. 
   + For AWS Managed connected app – Empty secret or secret with some temporary value.
**Note**  
It is a must to create a secret per connection in AWS Glue.

1. In the AWS Glue Studio, create a connection under **Data Connections** by following the steps below: 

   1. When selecting a **Connection type**, select **LinkedIn**.

   1. Provide the LinkedIn environment.

   1. Select the IAM role for which AWS Glue can assume and has permissions for following actions: 

------
#### [ JSON ]

****  

      ```
      {
        "Version":"2012-10-17",		 	 	 
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "secretsmanager:DescribeSecret",
              "secretsmanager:GetSecretValue",
              "secretsmanager:PutSecretValue",
              "ec2:CreateNetworkInterface",
              "ec2:DescribeNetworkInterfaces",
              "ec2:DeleteNetworkInterface"
            ],
            "Resource": "*"
          }
        ]
      }
      ```

------

   1. Select the `secretName` which you want to use for this connection in AWS Glue to put the tokens. 

   1. Select the **Network options** if you want to use your network. 

1. Grant the IAM role associated with your AWS Glue job permission to read `secretName`. 

# Reading from LinkedIn entities
<a name="linkedin-reading-from-entities"></a>

**Prerequisites** 

A LinkedIn Object you would like to read from. Refer the supported entities table below to check the available entities. 

 **Supported entities** 


| Entity | Can be Filtered | Supports Limit | Supports Order By | Supports Select \$1 | Supports Partitioning | 
| --- | --- | --- | --- | --- | --- | 
| Ad Accounts | Yes | Yes | Yes | Yes | No | 
| Campaigns | Yes | Yes | Yes | Yes | No | 
| Campaign Groups | Yes | Yes | Yes | Yes | No | 
| Creatives | Yes | Yes | Yes | Yes | No | 
| Ad Analytics | Yes | No | No | Yes | No | 
| Ad Analytics All AdAcocunts | Yes | No | No | Yes | No | 
| Ad Analytics All Campaigns | Yes | No | No | Yes | No | 
| Ad Analytics All CampaignGroups | Yes | No | No | Yes | No | 
| Ad Analytics All AdCreatives | Yes | No | No | Yes | No | 
| Share Statistics | Yes | No | No | Yes | No | 
| Page Statistics | Yes | No | No | Yes | No | 
| Follower Statistics | Yes | No | No | Yes | No | 

 **Example** 

```
netsuiteerp_read = glueContext.create_dynamic_frame.from_options(
    connection_type="linkedin",
    connection_options={
        "connectionName": "connectionName",
        "ENTITY_NAME": "adaccounts",
        "API_VERSION": "202406"
    }
)
```


**LinkedIn entity and field details**  

|  **Field Data Type**  |  **Supported Filter Operators**  | 
| --- | --- | 
|  String  |  =  | 
|  DateTime  |  BETWEEN, =  | 
|  Numeric  |  =  | 
|  Boolean  |  =  | 

# LinkedIn connection options
<a name="linkedin-connection-options"></a>

The following are connection options for LinkedIn:
+ `ENTITY_NAME`(String) – (Required) Used for Read/Write. The name of your Object in LinkedIn. For example, adAccounts. 
+ `API_VERSION`(String) – (Required) Used for Read/Write. LinkedIn Rest API version you want to use. The value will be 202406, as LinkedIn currently supports only version 202406.
+ `SELECTED_FIELDS`(List<String>) – Default: empty(SELECT \$1). Used for Read. Columns you want to select for the selected entity. 
+ `FILTER_PREDICATE`(String) – Default: empty. Used for Read. It should be in the Spark SQL format. 
+ `QUERY`(String) – Default: empty. Used for Read. Full Spark SQL query. 

# Creating a LinkedIn account
<a name="linkedin-create-account"></a>

**Creating a LinkedIn App and OAuth credentials**

1. Navigate to your **LinkedIn Developer Network** page and log in with your LinkedIn account credentials. 

1. Navigate to the **My Apps** page and choose **Create Application** to create a new LinkedIn App.

1. Enter the following details into the app registration form:
   + **Company Name** – Select an existing company or create a new company.
   + **Name** – Enter the application name.
   + **Description** – Enter the application description.
   + **Application Logo** – Select an image file as your application logo.
   + **Application Use** – Select the use of your application.
   + **Website URL** – Enter the websiute URL that contains detailed information about your application.
   + **Business Email** – Enter your business email address.
   + **Business Phone** – Enter your business phone number.
   + **LinkedIn API Terms of Use** – Read and agree.

1. Upon completion of the app registration form, choose **Submit**.

   You will be redirected to the **Authentication** page, where the Authentication Keys (Client ID and Client Secret) and other relevant details will be displayed.

1. If your web application requires access to the user's email address from their LinkedIn account, select the `r_emailaddress` permission. Additionally, you can specify Authorized Redirect URLs for your LinkedIn application. 

**Creating a page in LinkedIn account**

1. Navigate to [LinkedIn Developer Products](https://developer.linkedin.com/).

1. At the upper-right corner of the **LinkedIn Developer Products** page, select **My apps**.

1. At the upper-right corner of the **My apps** page, select **Create app**.

1. On the **Create an app** page, enter your app name in the **App name** field.

1. In the **LinkedIn Page** field, enter your company page name or URL.
**Note**  
If you don’t have a LinkedIn Page, you can create one by selecting **Create a new LinkedIn**. 

1. In the **Privacy policy URL** field, enter your privacy policy URL.

1. Choose **Upload a logo** to upload an image that is to be displayed to users when they authorize with your app.

1. In the **Legal agreement** section, select **I have read and agree to these terms**.

1. Choose **Create app**. 

   Your new app will be created and will be available under the **My apps** tab.

**Publishing campaign ads in LinkedIn**

1. Log in to **Campaign Manager**. 

1. Select an existing **Campaign Group**, or choose **Create** to create a new one.

1. Select your objective.

1. Select your group, budget, and schedule.

1. Build your target audience.

1. Select your ad format.

1. Select your budget and schedule.

1. Set up your ad(s).

1. Review and Launch.

# Limitations
<a name="linkedin-connector-limitations"></a>

For the Analytics fields`ad_analytics_all_adAccounts`, `ad_analytics_all_campaigns`, `ad_analytics_all_campaign_groups`, and `ad_analytics_all_adCreatives` a filter is mandatory to retrieve the records.