# Setting up authentication

## Overview

All supported third-party services require some form of authentication to accept Fuse's external requests. In Fuse, this authentication information is used to create the integrations (see [Add an Integration (Admin)](/fuse/my-account/admin-options.md#add-an-integration-admin) for more) that the Integration modules use to access your solutions.

This page describes how to set up authentication for all Fuse-supported third-party services.

{% hint style="info" %}
**NOTE:** The following assumes that you have already created an appropriate account and working solution on one of Fuse's supported third-party services.
{% endhint %}

## Authentication setup guides

### Google Dialogflow

#### What you need to set up:

1. A service account.
2. A service account key.

#### Setup steps:

See the guided steps in the expandable box below.

<details>

<summary>(Click to expand) Creating a service account and service account key.</summary>

### Start

Log into your Google Cloud account and follow the steps below.

### Step 1: Create a service account

**Source:** [Create a service account and download the private key file](https://cloud.google.com/dialogflow/es/docs/quick/setup#sa-create) \
(Google documentation)

1. In the console, go to the [**Create service account**](https://console.cloud.google.com/projectselector/iam-admin/serviceaccounts/create?supportedpurview=project) page.
2. Select your project.
3. In the **Service account name** field, enter a name. The console fills in the **Service account ID** field based on this name.
   * In the **Service account description** field, enter a description. For example, `Service account for quickstart`.
4. Click **Create and continue**.
5. To provide access to your project, grant the following role(s) to your service account: **Project > Owner**.
   * In the **Select a role** list, select a role.
   * For additional roles, click add **Add another role** and add each additional role.
   * **Note**: The **Role** field affects which resources your service account can access in your project. You can revoke these roles or grant additional roles later. In production environments, do not grant the Owner, Editor, or Viewer roles. Instead, grant a [predefined role](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles) or [custom role](https://cloud.google.com/iam/docs/understanding-custom-roles) that meets your needs.
6. Click **Continue**.
7. Click **Done** to finish creating the service account.
   * Do not close your browser window. You will use it in the next step.

### Step 2: Create a service account key

**Source:** [Create a service account key, **Console** tab steps](https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating) (Google documentation)

1. In the console, go to the [**Service accounts**](https://console.cloud.google.com/iam-admin/serviceaccounts) page.
2. Select a project.
3. On the **Service accounts** page, click the email address of the service account that you want to create a key for.
4. Click the **Keys** tab.
5. Click the **Add key** drop-down menu, then select **Create new key**.
6. Select **JSON** as the **Key type** and click **Create**.
   * Clicking **Create** downloads a service account key file. After you download the key file, you cannot download it again.
   * The downloaded key has the following format, where `PRIVATE_KEY` is the private portion of the public/private key pair:

{% code title="Service account key format:" lineNumbers="true" %}

```json
{
  "type": "service_account",
  "project_id": "PROJECT_ID",
  "private_key_id": "KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "SERVICE_ACCOUNT_EMAIL",
  "client_id": "CLIENT_ID",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"
}
```

{% endcode %}

## Done!

You now have all of the necessary authentication set up for Dialogflow integrations.

</details>

#### All done?

You will use your service account key's JSON in Fuse when creating an integration for your Dialogflow agent. See [Add an Integration (Admin)](/fuse/my-account/admin-options.md#add-an-integration-admin) for more information.

{% hint style="warning" %}
**IMPORTANT!** Keep your service account key in a secure location as with any sensitive authentication information.
{% endhint %}

### Amazon DynamoDB

#### What you need to set up:

* An IAM user configured with&#x20;
  1. programmatic access to AWS.
  2. an IAM policy that permits Fuse to perform all available DynamoDB operations.
  3. An access key ID and secret access key.

#### Setup steps:

See the guided steps in the expandable box below.

<details>

<summary>(Click to expand) Creating an IAM policy, user, and security credentials for DynamoDB. </summary>

## Start

Log into your AWS account and follow the steps below.

## Step 1: Create an IAM policy for DynamoDB

**Source:** [Creating IAM policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html#access_policies_create-json-editor) (AWS documentation)

1. In the provided AWS documentation above, go to the section titled **To use the JSON policy editor to create a policy**. Complete steps 1 through 4.
2. In step 5, paste or enter the [sample IAM policy](#iam-policy-for-amazon-dynamodb) provided in the code block below. Replace the placeholders in line 15 with your information as described in the notes above the code block.
3. Complete the remaining steps as directed. Note the name of this IAM policy for later steps.

You can now move on to applying this policy to an IAM user.

### IAM Policy for Amazon DynamoDB

As of this writing (8/5/22), the sample IAM policy below defines the minimum necessary IAM user permissions needed for Fuse to perform all supported DynamoDB operations.

You can use and adapt this IAM policy for your DynamoDB integrations.

#### Prerequisites

Before using the below IAM policy, replace the placeholders in line 15 with your information as follows:

* `{region}`: Replace with one or more AWS regions where your solution exists.\
  \&#xNAN;*Example:* `us-east-1`
* `{account_id}`: Replace with the one or more account IDs for your AWS accounts with DynamoDB solutions.
* `{table-name}`: Replace with one or more DynamoDB table names.

{% code title="IAM Policy: Amazon DynamoDB" lineNumbers="true" %}

```bash
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FuseDynamoDBIntegration",
            "Effect": "Allow",
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:ListTables",
                "dynamodb:PartiQLSelect",
                "dynamodb:PartiQLUpdate",
                "dynamodb:PartiQLInsert"
            ],
            "Resource": [
            	"arn:aws:dynamodb:{region}:{account_id}:table/{table_name}"
            ]
        }
    ]
}
```

{% endcode %}

#### Additional notes

* When entering for `{region}`, `{account_id}`, and `{table-name}` resources:
  * Wildcard(\*) name references are allowed.\
    \&#xNAN;*Example:* `us-east-*` for any US East region in AWS.
  * You can specify multiple resources in comma-delimited format.\
    \&#xNAN;*Example:* `us-east-1,us-east-2,eu-west-1`

## Step 2: Apply the IAM policy to an IAM user

You can apply your IAM policy for DynamoDB to either a new IAM user or an existing one. If you have an existing, separate IAM user available for use with integrations, go to [Add IAM policy to an existing user](#add-iam-policy-to-an-existing-user). Otherwise, begin at [Create a new IAM user](#create-a-new-iam-user) below.

### Create a new IAM user

**Source:** [Creating IAM users (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console) (AWS documentation)

1. In the provided AWS documentation above, go to the section titled **To create one or more IAM users (console)**. Complete steps 1-3.
2. In step 4, select the **Programmatic access** checkbox. Complete steps 4 and 5.
3. In step 6, select the **Attach existing policies directly** option, and select the IAM policy that you created previously in [Step 1: Create an IAM policy for DynamoDB](#step-1-create-an-iam-policy-for-dynamodb).
4. Complete the remaining steps through step 8.

You can now move on to creating an access key and secret key.

### Add IAM policy to an existing user

**Source:** [Adding permissions to a user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) (AWS documentation)

1. In the provided AWS documentation above, go to the section titled **Adding permissions by attaching policies directly to the user**. Complete steps 1-3.
2. In step 4, select the IAM policy that you created previously in  [Step 1: Create an IAM policy for DynamoDB](#step-1-create-an-iam-policy-for-dynamodb).
3. Complete the remaining steps through step 5.

You can now move on to creating an access key and secret key.

## Step 3: Create an access key ID and secret access key for the IAM user

**Source:** [Managing access keys (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey) (AWS documentation)

1. In the provided AWS documentation above, go to the section titled **To create, modify, or delete another IAM user's access keys (console)**. Complete all steps (1-4).&#x20;
2. Keep the access and secret key file in a secure location. Note that the secret access key can only be retrieved when the key is created.

## Done!

You now have all of the necessary authentication set up for Amazon DynamoDB integrations.

</details>

#### All done?

You will use the access key and secret key in Fuse when creating any integration(s) for your DynamoDB table(s). See [Add an Integration (Admin)](/fuse/my-account/admin-options.md#add-an-integration-admin) for more information.

{% hint style="warning" %}
**IMPORTANT!** Keep your access and secret keys in a secure location as with any sensitive authentication information.
{% endhint %}

### AWS S3

#### What you need to set up:

* An IAM user configured with&#x20;
  1. programmatic access to AWS.
  2. an IAM policy that permits Fuse to perform all available S3 operations.
  3. An access key ID and secret access key.

#### Setup steps:

See the guided steps in the expandable box below.

<details>

<summary>(Click to expand) Creating an IAM policy, user, and security credentials for AWS S3. </summary>

## Start

Log into your AWS account and follow the steps below.

## Step 1: Create an IAM policy for S3 access

**Source:** [Creating IAM policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html#access_policies_create-json-editor) (AWS documentation)

1. In the provided AWS documentation above, go to the section titled **To use the JSON policy editor to create a policy**. Complete steps 1 through 4.
2. In step 5, paste or enter the [sample IAM policy](#iam-policy-for-aws-s3) provided in the code block below. Replace the placeholders in lines 13 and 14 with the ARN(s) of your own S3 bucket(s) as described in the notes below.
3. Complete the remaining steps as directed. Note the name of this IAM policy for later steps.

You can now move on to applying this policy to an IAM user.

### IAM Policy for AWS S3

As of this writing (8/5/22), the sample IAM policy below defines the minimum necessary IAM user permissions needed for Fuse to perform all supported S3 operations.

You can use and adapt this IAM policy for your S3 integrations.

#### Prerequisites

Before using the below IAM policy, replace the placeholders in lines 13 and 14 with the ARN(s) of your own S3 bucket(s):

{% code title="IAM Policy: AWS S3" lineNumbers="true" %}

```bash
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FuseIntegrationS3Access0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::fuse*",
                "arn:aws:s3:::fuse*/*"
            ]
        },
        {
            "Sid": "FuseIntegrationS3Access1",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}
```

{% endcode %}

## Step 2: Apply the IAM policy to an IAM user

You can apply your IAM policy for S3 to either a new IAM user or an existing one. If you have an existing, separate IAM user available for use with integrations, go to [Add IAM policy to an existing user](#add-iam-policy-to-an-existing-user-1). Otherwise, begin at [Create a new IAM user](#create-a-new-iam-user-1) below.

### Create a new IAM user

**Source:** [Creating IAM users (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console) (AWS documentation)

1. In the provided AWS documentation above, go to the section titled **To create one or more IAM users (console)**. Complete steps 1-3.
2. In step 4, select the **Programmatic access** checkbox. Complete steps 4 and 5.
3. In step 6, select the **Attach existing policies directly** option, and select the IAM policy that you created previously in [Step 1: Create an IAM policy for S3 access](#step-1-create-an-iam-policy-for-s3-access).
4. Complete the remaining steps through step 8.

You can now move on to creating an access key and secret key.

### Add IAM policy to an existing user

**Source:** [Adding permissions to a user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) (AWS documentation)

1. In the provided AWS documentation above, go to the section titled **Adding permissions by attaching policies directly to the user**. Complete steps 1-3.
2. In step 4, select the IAM policy that you created previously in [Step 1: Create an IAM policy for S3 access](#step-1-create-an-iam-policy-for-s3-access).
3. Complete the remaining steps through step 5.

You can now move on to creating an access key and secret key.

## Step 3: Create an access key ID and secret access key for the IAM user

**Source:** [Managing access keys (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey) (AWS documentation)

1. In the provided AWS documentation above, go to the section titled **To create, modify, or delete another IAM user's access keys (console)**. Complete all steps (1-4).
2. Keep the access and secret key file in a secure location. Note that the secret access key can only be retrieved when the key is created.

## Done!

You now have all of the necessary authentication set up for AWS S3 integrations.

</details>

#### All done?

You will use the access key and secret key in Fuse when creating any integration(s) for your S3 bucket(s). See [Add an Integration (Admin)](/fuse/my-account/admin-options.md#add-an-integration-admin) for more information.

{% hint style="warning" %}
**IMPORTANT!** Keep your access and secret keys in a secure location as with any sensitive authentication information.
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.plumvoice.com/fuse/integration/setting-up-authentication.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.