
# Add a service account to a CDF group

> Create a service account in Amazon Cognito and add it as a member to a Cognite Data Fusion (CDF) group.

<Info>
  **Prerequisites**

  Make sure that you have already [registered the Cognite API and the Cognite Data Fusion application](/cdf/access/aws/guides/configure_cdf_cognito) in Amazon Cognito.
</Info>

<a id="create-a-service-account-in-amazon-cognito" />

## Create a service account in Amazon Cognito

<Steps>
  <Step title="Sign in to Amazon Cognito">
    Sign in to the [Amazon Cognito console](https://console.aws.amazon.com/cognito/home) as an admin. If prompted, enter your AWS credentials.
  </Step>

  <Step title="Select a user pool">
    Select <span class="ui-element">User Pools</span> and select an existing user pool from the list, or create a user pool.
  </Step>

  <Step title="Select App integration">
    Select the **App integration** tab.
  </Step>

  <Step title="Create an app client">
    1. Under **App client list**, select <span class="ui-element">Create app client</span>.

    2. Under **App type**, select **Confidential client**.

    3. Enter an **App client name**.

    4. Under **Client secret**, select **Generate a client secret**.

    5. Under **Authentication flow**, select **ALLOW\_REFRESH\_TOKEN\_AUTH**. Keep the default settings for the remaining fields under **Authentication flows**.

    6. Under **Hosted UI settings**, set **Allowed callback URLs** to *[https://cognitedata.com](https://cognitedata.com)*.

    7. In **Identity providers**, select **Cognito user pool**.

    8. In **OAuth 2.0 grant types**, select **Client credentials**.

    9. In **Custom scopes**, select **[https://cognitedata.com/user\_impersonation](https://cognitedata.com/user_impersonation)** and **https\://\{\{cluster}}.cognitedata.com**.

    10. At the bottom of the page, select **Create app client**.
  </Step>

  <Step title="Copy the Client ID">
    Copy and make a note of the **Client ID**. You'll use this ID to add the service account as a [member to a CDF group](#add-a-service-account-to-a-new-cdf-group).
  </Step>
</Steps>
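
To confirm that the app client matches the settings in the steps above, you can audit the JSON returned by `aws cognito-idp describe-user-pool-client`. The following Python check is an added example, not part of Cognite's documentation; the function name `audit_app_client`, the cluster name `example-cluster`, and all sample values are constructed placeholders.

```python
import json

# Constructed sample in the shape `aws cognito-idp describe-user-pool-client`
# returns; every value here is a placeholder, not a real identifier.
SAMPLE = json.loads("""{"UserPoolClient": {
  "ClientId": "EXAMPLE_CLIENT_ID",
  "ClientSecret": "EXAMPLE_SECRET",
  "ExplicitAuthFlows": ["ALLOW_REFRESH_TOKEN_AUTH"],
  "SupportedIdentityProviders": ["COGNITO"],
  "CallbackURLs": ["https://cognitedata.com"],
  "AllowedOAuthFlows": ["client_credentials"],
  "AllowedOAuthFlowsUserPoolClient": true,
  "AllowedOAuthScopes": ["https://cognitedata.com/user_impersonation",
                         "https://example-cluster.cognitedata.com"]}}""")


def audit_app_client(response, cluster):
    """Return deviations from the app client settings in the steps above."""
    client = response["UserPoolClient"]
    expected_scopes = {"https://cognitedata.com/user_impersonation",
                       f"https://{cluster}.cognitedata.com"}
    findings = []
    if not client.get("ClientSecret"):
        findings.append("no client secret (not a confidential client)")
    if "ALLOW_REFRESH_TOKEN_AUTH" not in client.get("ExplicitAuthFlows", []):
        findings.append("ALLOW_REFRESH_TOKEN_AUTH not enabled")
    if client.get("SupportedIdentityProviders", []) != ["COGNITO"]:
        findings.append("identity provider is not only the Cognito user pool")
    if "https://cognitedata.com" not in client.get("CallbackURLs", []):
        findings.append("callback URL https://cognitedata.com missing")
    if not client.get("AllowedOAuthFlowsUserPoolClient"):
        findings.append("OAuth flows are not enabled for this client")
    if client.get("AllowedOAuthFlows", []) != ["client_credentials"]:
        findings.append("grant types differ from client_credentials only")
    # Flag both missing scopes and scopes beyond the two the guide selects.
    scopes = set(client.get("AllowedOAuthScopes", []))
    for scope in sorted(expected_scopes - scopes):
        findings.append(f"missing scope: {scope}")
    for scope in sorted(scopes - expected_scopes):
        findings.append(f"extra scope: {scope}")
    return findings


if __name__ == "__main__":
    for line in audit_app_client(SAMPLE, "example-cluster") or ["OK"]:
        print(line)
```

An empty result means the client is a confidential client limited to the client credentials grant and the two custom scopes; the response contains the client secret, so keep it out of logs and tickets.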

<a id="add-a-service-account-to-a-new-cdf-group" />

## Add a service account to a new CDF group

To add an Amazon Cognito service account to a new group in Cognite Data Fusion:

<Steps>
  <Step title="Sign in to Cognite Data Fusion">
    Sign in to [Cognite Data Fusion](https://fusion.cognite.com) as an admin.
  </Step>

  <Step title="Create a group">
    Select the **Admin** workspace, and then select **Groups** > **Create group**.
  </Step>

  <Step title="Configure the group">
    1. Enter a **Unique name** for the group and **Add capabilities**.
    2. Under **Members**, select **Externally managed**.
    3. In the **Source ID** field, enter the **Client ID** you copied from Amazon Cognito in the previous section.
  </Step>

  <Step title="Create the group">
    Select **Create**.
  </Step>
</Steps>
