# AWS AppStream connector
{% hint style="warning" %}
This documentation references external sources. Nexthink does not have control over the accuracy of third-party documentation, nor any external updates or changes that might create inconsistencies with the information presented on this page. Please report any errors or inconsistencies to [Nexthink Support](https://support.nexthink.com/).
{% endhint %}
The Nexthink Connector for AWS AppStream retrieves essential information about your AWS AppStream virtual desktop infrastructure (VDI). The connector enriches your Nexthink environment with AWS AppStream data that enhances visibility into VDI health, usage patterns, and configuration drift.
This installation guide is designed to help you securely deploy the connector for AWS. We recommend that your organization’s security team reviews the configuration and installation steps outlined here and adjusts them as needed to align with internal security policies and compliance requirements.
## Device fields
The connector for AWS AppStream enriches the following device virtualization fields:
## Configure connector credentials
To allow Nexthink to export data to your AWS AppStream connector, you must first configure the connector credentials by completing the following steps:
{% stepper %}
{% step %}
Select **Administration** > **Connector credentials** in the main menu.
{% endstep %}
{% step %}
Select **New credential** in the top-right corner of the **Connector credentials** page.
{% endstep %}
{% step %}
Fill in the credential configuration input fields:
* **Name**: The unique name of the credential.
* **Protocol**: Select new `AWS IAM` .
The configuration screen should look as follows:
{% hint style="info" %}
Nexthink generates the **AWS External ID** automatically. You will use it in the next steps to create the AWS Role and retrieve its Amazon Resource Name (ARN). You can then paste this ARN in the **AWS Role ARN** text box.
Nexthink uses the recommended procedure from AWS for third-party access as described in the [Access to AWS accounts owned by third parties](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html) documentation.
{% endhint %}
{% endstep %}
{% step %}
Sign in to AWS and create a IAM role. The following code example shows the minimum level of access required by the Nexthink AWS AppStream connector:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DescribeWorkspacesInfo",
"Effect": "Allow",
"Action": [
"appstream:DescribeStacks",
"appstream:DescribeSessions",
"appstream:DescribeFleets",
"appstream:ListAssociatedFleets"
],
"Resource": "*"
}
]
}
```
{% endstep %}
{% step %}
Create an IAM role that gives Nexthink access.
* **Name**: the role name should start with prefix **“NexthinkConnector-“**.
* **Permissions**: Please add the policy created above.
* **Trusted Policies**: The trust policy must specify the following AWS account number of Nexthink as `Principal`: `884848470805`\
Furthermore, add a `Condition` element to the trust policy that will test whether the `ExternalId` matches the generated external ID provided in the form above. The following code is an example of the trust relationship in the role:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::884848470805:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId":
}
}
}
]
}
```
{% hint style="warning" %}
Replace `` with the AWS External ID field generated in the credential form.
{% endhint %}
{% endstep %}
{% step %}
After creating the role, copy its AWS Role ARN:
{% endstep %}
{% step %}
In Nexthink, on the **Connector credentials** page, edit the AWS Credentials, and insert the ARN in the **AWS Role ARN** text box in **Credential details**, and select **Save**:
{% endstep %}
{% endstepper %}
## Configure the AWS AppStream connector
Ensure you [configured the connector credentials](#configure-connector-credentials), then create a new connector:
1. Go to **Administration** > **Inbound connectors**.
2. Select **New connector** in the top-right corner.
3. Select **AWS AppStream** from the connector list.
The following sections explain how to configure the connector.
### General tab
* **Name**: A meaningful name for the connector. This name appears on the administration page.
* **NQL ID**: A unique identifier for the connector used when referencing the AWS AppStream connector in NQL queries. You can initially modify the suggested NQL ID, but once you save the workflow, you can no longer change it.
* **Description**: A short description of the purpose and behavior of the connector.
#### Connection
* **Credentials:** Select preconfigured credentials from the Connector credentials page. Only AWS IAM is supported.
### Parameters tab
* **Region**: Select the AWS region where AppStream is located. It needs to be a valid AWS region, such as `us-east-1`.
* **Environment name:** A custom-defined field. The enriched virtual devices will have a reference to this environment name in NQL.
## Test results panel
{% hint style="info" %}
The **Test results** panel is available only for supported connectors. Connector availability also depends on your license.
{% endhint %}
Use the **Test results** panel on the right side to run the connector with real data on demand, and inspect responses and errors. The test panel helps with faster debugging and validation during setup, and also with more reliable mappings with less trial and error.
Select the **Run test** button to call the API, and validate the credentials and check connectivity to the targeted endpoint.
Besides basic information, such as the response status code and time, the panel also shows a sample record of the response at the bottom.
In the event of an error, the system displays the API response to aid in diagnosing the issue.
.png?alt=media)
.png?alt=media)
