# AWS Console

This article outlines the integration with the AWS Console connector, enabling metadata management through features such as crawling, querying, and data preview. It also ensures secure authentication via Credential Manager.

<figure><img src="/files/WnGVHsOPcEBF1nwnIOIK" alt=""><figcaption></figcaption></figure>

## Overview

### Connector Details

| Connector Category                                                              | Application             |
| ------------------------------------------------------------------------------- | ----------------------- |
| OvalEdge Releases Supported                                                     | 8.1                     |
| <p>Connectivity</p><p>\[How the connection is established with AWS Console]</p> | AWS SDK                 |
| Verified AWS Console Version                                                    | AWS APIs (STS, EC2, S3) |

{% hint style="info" %}
The AWS Console connector has been validated with the mentioned "Verified AWS Console Versions" and is expected to be compatible with other supported AWS Console versions. If there are any issues with validation or metadata crawling, please submit a support ticket for investigation and feedback.
{% endhint %}

#### Connector Features

| Feature                                      | Availability |
| -------------------------------------------- | :----------: |
| Crawling                                     |       ✅      |
| Delta Crawling                               |       ❌      |
| Profiling                                    |       ❌      |
| Query Sheet                                  |       ❌      |
| Data Preview                                 |       ✅      |
| Auto Lineage                                 |       ❌      |
| Manual Lineage                               |       ❌      |
| Secure Authentication via Credential Manager |       ✅      |
| Data Quality                                 |       ❌      |
| DAM (Data Access Management)                 |       ❌      |
| Bridge                                       |       ✅      |

#### Metadata Mapping

The following objects are crawled from the AWS Console and mapped to the corresponding UI assets.

<table><thead><tr><th width="168.199951171875">AWS Console Object</th><th width="144.79998779296875">AWS Console Attribute</th><th width="173">OvalEdge Attribute</th><th width="173.4000244140625">OvalEdge Category</th><th width="161.5999755859375">OvalEdge Type</th></tr></thead><tbody><tr><td>Region</td><td>Region Name</td><td>Region Identifier </td><td>Container</td><td>Container</td></tr><tr><td>EC2 instance</td><td>Instance ID</td><td>Instance ID</td><td>Table / Entity</td><td>Entity</td></tr><tr><td>S3 bucket</td><td>Bucket Name</td><td>Bucket Name</td><td>File Folder</td><td>File Folder</td></tr></tbody></table>

### Set up a Connection

#### Prerequisites

The following are the prerequisites to establish a connection:

**Network and API access**

The connector calls AWS over HTTPS. Ensure that outbound TCP port 443 (TLS) from the OvalEdge application environment to AWS service endpoints is allowed. If you use an HTTP proxy, it must permit HTTPS access to AWS. Connectivity uses AWS regional and global endpoints.

{% hint style="warning" %}
Restrictive firewalls, TLS inspection appliances, or proxy rules that block or alter traffic to AWS APIs can cause connection validation or crawl failures. Ensure HTTPS access is allowed to AWS STS, EC2, and S3 endpoints for your region.&#x20;
{% endhint %}

**Service Account User Permissions**

{% hint style="warning" %}
It is recommended to use a separate service account to establish the connection to the data source, configured with the following minimum set of permissions.
{% endhint %}

{% hint style="info" %}
👨‍💻 Who can provide these permissions? These permissions are typically granted by the AWS Console administrator, as users may not have the required access to assign them independently.
{% endhint %}

<table><thead><tr><th width="216.20001220703125">Operation</th><th width="225.5999755859375">Objects</th><th width="201.60009765625">API/Scopes</th><th width="204.4000244140625">Access Permission</th></tr></thead><tbody><tr><td>Connection Validation</td><td>Caller Identity</td><td>sts:GetCallerIdentity</td><td>IAM policy allowing sts:GetCallerIdentity</td></tr><tr><td>Crawling &#x26; Regions</td><td>Enabled Regions</td><td>ec2:DescribeRegions</td><td>IAM policy allowing ec2:DescribeRegions</td></tr><tr><td>Crawling &#x26; Query - EC2</td><td>Instances in a Region</td><td>ec2:DescribeInstances</td><td>IAM policy allowing ec2:DescribeInstances</td></tr><tr><td>Crawling &#x26; Query - S3</td><td>Buckets in the account</td><td>s3:ListAllMyBucket</td><td>IAM policy allowing s3:ListAllMyBuckets</td></tr></tbody></table>

{% hint style="warning" %}
Organization’s security policy may require additional resource constraints (ARNs). The connector makes read-only inventory calls. It does not start or stop instances or modify buckets unless the product configuration changes in the future.
{% endhint %}

#### Connection Configuration Steps

{% hint style="warning" %}
Users are required to have the Connector Creator role in order to configure a new connection.
{% endhint %}

1. Log in to OvalEdge, go to **Administration > Connectors**, click **+ (New Connector),** search for **AWS Console**, and complete the required parameters.

{% hint style="info" %}
Fields marked with an asterisk (\*) are mandatory for establishing a connection.
{% endhint %}

<table><thead><tr><th width="220.39996337890625">Field Name</th><th>Description</th></tr></thead><tbody><tr><td>Connector Type</td><td>By default, "<strong>AWS Console</strong>" is displayed as the selected connector type.</td></tr><tr><td>Credential Manager*</td><td><p>Select the desired credentials manager from the drop-down list. Relevant parameters will be displayed based on your selection.</p><p>Supported Credential Managers:</p><ul><li>OE Credential Manager</li><li>AWS Secrets Manager</li><li>HashiCorp Vault</li><li>Azure Key Vault</li></ul></td></tr><tr><td>Connector Name*</td><td><p>Enter a unique name for the AWS Console connection              </p><p>(<strong>Example</strong>: "AWS_Console").</p></td></tr><tr><td>Connector description</td><td>Enter a brief description of the connector.</td></tr><tr><td>Access Key ID*</td><td>Enter the AWS IAM access key ID for the integration user or role.</td></tr><tr><td>Secret Access Key*</td><td>Enter the AWS IAM secret access key (masked).</td></tr><tr><td>Region</td><td>Enter the AWS Region (for example, us-xxx-1). If not provided, us-east-1 is used by default.</td></tr></tbody></table>

<table data-header-hidden><thead><tr><th width="220.036376953125"></th><th></th></tr></thead><tbody><tr><td><strong>Default Governance Roles</strong></td><td></td></tr><tr><td>Default Governance Roles*</td><td>Select the appropriate users or teams for each governance role from the drop-down list. All users and teams configured in OvalEdge Security are displayed for selection.</td></tr><tr><td><strong>Admin Roles</strong></td><td></td></tr><tr><td>Admin Roles*</td><td>Select one or more users from the dropdown list for Integration Admin and Security &#x26; Governance Admin. All users configured in OvalEdge Security are available for selection.</td></tr><tr><td><strong>No of Archive Objects</strong></td><td></td></tr><tr><td>No Of Archive Objects*</td><td><p>This shows the number of recent metadata changes to a dataset at the source. By default, it is off. To enable it, toggle the Archive button and specify the number of objects to archive.</p><p>Example: Setting it to 4 retrieves the last four changes, displayed in the 'Version' column of the 'Metadata Changes' module.</p></td></tr><tr><td><strong>Bridge</strong></td><td></td></tr><tr><td>Select Bridge*</td><td><p>If applicable, select the bridge from the drop-down list.</p><p>The drop-down list displays all active bridges configured in OvalEdge. These bridges enable communication between data sources and OvalEdge without altering firewall rules.</p></td></tr></tbody></table>

2. After entering all connection details, the following actions can be performed:
   1. Click **Validate** to verify the connection.
   2. Click **Save** to store the connection for future use.
   3. Click **Save & Configure** to apply additional settings before saving.
3. The saved connection will appear on the Connectors home page.

### Manage Connector Operations

#### Crawl/Profile

{% hint style="warning" %}
To perform crawl operations, users must be assigned the Integration Admin role.
{% endhint %}

The **Crawl/Profile** button allows users to select one or more schemas for **crawling**.&#x20;

1. Navigate to the **Connectors** page and click **Crawl/Profile**.
2. Select the **schemas** to **crawl**.
3. The **Crawl** option is selected by default.&#x20;
4. Click **Run** to collect metadata from the connected source and load it into the OvalEdge **Data Catalog**.
5. After a **successful crawl**, the information appears in the **Data Catalog > Databases/Tables/Reports/Files/APIs** tab.

The **Schedule** checkbox allows automated crawling at defined intervals, from a minute to a year.

1. Click the **Schedule** checkbox to enable the Select **Period drop-down**.
2. Select a **time period** for the operation from the drop-down menu.
3. Click **Schedule** to initiate metadata collection from the connected source.
4. The system will automatically execute the crawl operation at the scheduled time.

#### Other Operations

The **Connectors** page in OvalEdge provides a centralized view of all configured connectors, including their health status.

**Managing connectors includes:**

* **Connectors Health:** Displays the current status of each connector using a **green** icon for active connections and a **red** icon for inactive connections, helping to monitor the connectivity with data sources.
* **Viewing:** Click the **Eye** icon next to the connector name to view connector details, including databases, tables, columns, and codes.

**Nine Dots Menu Options:**

To view, edit, validate, configure, or delete connectors, click on the Nine Dots menu.

* **Edit Connector:** Update and revalidate the data source.
* **Validate Connector:** Check the connection's integrity.
* **Settings:** Modify connector settings.
  * **Crawler:** Configure data extraction.
  * **Access Instructions:** Add notes on how data can be accessed.
  * **Business Glossary Settings:** Manage term associations at the connector level.
* **Delete Connector:** Remove a connector with confirmation.

#### Connectivity Troubleshooting

If incorrect parameters are entered, error messages may appear. Ensure all inputs are accurate to resolve these issues. If issues persist, contact the assigned support team.

<table><thead><tr><th width="92.20001220703125">S.No.</th><th width="270.199951171875">Error Message(s)</th><th>Error Description &#x26; Resolution</th></tr></thead><tbody><tr><td>1</td><td>Invalid connection config</td><td><p><strong>Error Description:</strong> </p><ul><li>Connection details are missing or incomplete.</li></ul><p><strong>Resolution:</strong> </p><ul><li>Enter all required fields, including Access Key ID and Secret Access Key, and save again.</li></ul></td></tr><tr><td>2</td><td>Access Key ID is required.</td><td><p><strong>Error Description:</strong> </p><ul><li>Access Key ID is missing.</li></ul><p><strong>Resolution:</strong> </p><ul><li>Enter a valid Access Key ID.</li></ul></td></tr><tr><td>3</td><td>Secret Access Key is required.</td><td><p><strong>Error Description:</strong> </p><ul><li>Secret Access Key is missing.</li></ul><p><strong>Resolution:</strong> </p><ul><li>Enter a valid Secret Access Key.</li></ul></td></tr><tr><td>4</td><td>AWS credentials validation failed</td><td><p>E<strong>rror Description:</strong> </p><ul><li>AWS could not validate the credentials.</li></ul><p><strong>Resolution:</strong> </p><ul><li>Verify the IAM user status, ensure keys are active, check system time, and confirm network access to AWS over HTTPS. Retry validation.</li></ul></td></tr><tr><td>5</td><td>Invalid token / signature mismatch</td><td><p><strong>Error Description:</strong> </p><ul><li>AWS rejected the request due to authentication failure.</li></ul><p><strong>Resolution:</strong> </p><ul><li>Regenerate the keys if needed, ensure correct values are entered without extra spaces, and verify IAM permissions.</li></ul></td></tr><tr><td>6</td><td>Failed to list AWS regions / objects</td><td><p><strong>Error Description:</strong> </p><ul><li>EC2 or S3 API call failed due to missing permissions.</li></ul><p><strong>Resolution:</strong> </p><ul><li>Update IAM permissions, verify Region configuration, and retry.</li></ul></td></tr></tbody></table>

***

Copyright © 2026, OvalEdge LLC, Peachtree Corners GA USA


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.ovaledge.com/release8.1/connectors/connector-repositories/application/aws-console.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.