Workflow Integrations
Some Workflow Actions use a type of integration called Workflow Integrations to connect to Incident Workflows. Workflow Integrations support authentication via API keys and/or OAuth and are designed for incident response teams and administrators to securely and easily connect PagerDuty to external tools. This feature simplifies automation, enhances security, and streamlines Incident Workflows, enabling faster resolutions and improved efficiency.
Workflow Integrations are supported with the following tools:
- AWS
- Azure Functions
- Confluence
- Datadog
- GitHub
- Logz.io
- Jeli
- Microsoft Entra ID (Azure AD)
- PagerDuty Runbook Automation
- Slack Bot Integration
- Web API
Required User Permissions
Users with the following base roles can add, update, and delete Workflow Integration connections:
- Manager
- Admin
- Account Owner
Create a Workflow Integration
Workflow Integrations securely store connection credentials.
- In the PagerDuty web app, navigate to Integrations > Workflow Integrations.
- Click Add Connection to the right of your preferred tool.
- Expand the section below that corresponds to your preferred technology, and enter the requested information:
AWS
Overview
This section guides you through configuring an AWS connection for PagerDuty Incident Workflows by assuming an AWS Identity and Access Management (IAM) role along with an external ID. This secure, credential-less authentication method allows PagerDuty to access your AWS resources without requiring long-lived access keys.
Prerequisites
- AWS account with permissions to create IAM roles and policies.
- PagerDuty account with Admin or Global Managers permissions.
- Basic familiarity with AWS IAM concepts.
Architecture
The integration uses AWS IAM role assumption with these key components:
| Component | Description |
| --- | --- |
| Trust Relationship | Allows PagerDuty's AWS account to assume a role in your account. |
| External ID | Provides additional security against the confused deputy problem. |
| IAM Role | Defines what permissions PagerDuty has in your AWS environment. |
| Role ARN | The unique identifier for the role that PagerDuty will assume. |
Step 1: Initiate Connection Setup in PagerDuty
- Navigate to Automation > Incident Workflows > Workflow Integrations in PagerDuty.
- For AWS, click Add Connection. The "Add AWS Connection" modal appears with the following information:
  - Account ID: PagerDuty's AWS account
  - External ID: A unique identifier (e.g., da399432e33cd15616a59a08f523ac65)
Step 2: Create an IAM Role in AWS
Step 2.1: Open IAM Console
- Sign in to the AWS Management Console.
- Navigate to IAM (Identity and Access Management).
- Select Roles from the left navigation.
- Click Create role.
Step 2.2: Configure Trust Relationship
- Select AWS account as the trusted entity type.
- Choose Another AWS account.
- Enter the Account ID copied from PagerDuty.
- Select the Require external ID checkbox.
- Enter the External ID copied from PagerDuty.
- Click Next.
Example Trust Policy JSON (visible in JSON editor):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<<account ID copied from PagerDuty>>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<<external ID copied from PagerDuty>>"
        }
      }
    }
  ]
}
Note: Replace the External ID with your actual value from PagerDuty.
Step 3: Attach Permissions Policy
Select permissions based on the actions your workflows will perform. You can attach AWS-managed policies, create custom policies, or use a combination.
Option A: Start with Read-Only Access (Recommended for Testing)
For initial setup and testing, start with minimal permissions:
- On the Add permissions page, search for ReadOnlyAccess.
- Select the ReadOnlyAccess AWS-managed policy.
- Click Next.
Option B: Create Custom Policy for Specific Actions
For production use, grant only the permissions necessary for your workflows.
Example: CloudWatch Logs Access
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
Example: Lambda Function Management
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:ListFunctions",
        "lambda:GetFunction",
        "lambda:InvokeFunction"
      ],
      "Resource": "*"
    }
  ]
}
Common Workflow Actions and Required Permissions
| Workflow Action | Required AWS Permissions |
| --- | --- |
| Query CloudWatch Logs | logs:DescribeLogGroups, logs:FilterLogEvents, logs:GetLogEvents |
| Invoke Lambda Function | lambda:InvokeFunction, lambda:GetFunction |
Step 4: Name and Review the Role
- Enter a Role name (e.g., PagerDuty-IncidentWorkflows-Role).
- (Optional) Add a Description (e.g., "Allows PagerDuty Incident Workflows to perform automated actions in AWS").
- Add Tags if your organization requires them.
- Review the trust policy and permissions.
- Click Create role.
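As an aid for the permissions review in Step 4, the following added example (not PagerDuty's or AWS's own code) compares a permissions policy with the table of required permissions in Step 3 and lists actions that are missing, actions the table does not call for, and actions granted on every resource. The function name audit_policy and the report keys are chosen for this example.

```python
import json
from fnmatch import fnmatchcase

# Required permissions per workflow action, copied from the table in Step 3.
REQUIRED = {
    "Query CloudWatch Logs": {"logs:DescribeLogGroups", "logs:FilterLogEvents", "logs:GetLogEvents"},
    "Invoke Lambda Function": {"lambda:InvokeFunction", "lambda:GetFunction"},
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json, workflow_actions):
    """Compare a permissions policy with what the chosen workflow actions need.
    audit_policy and its report keys are names chosen for this example."""
    needed = set().union(*(REQUIRED[name] for name in workflow_actions))
    granted, unscoped = set(), set()
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(as_list(stmt.get("Action", [])))
        granted |= actions
        if "*" in as_list(stmt.get("Resource", [])):
            unscoped |= actions  # granted on every resource in the account
    # IAM action names are case-insensitive and may contain * wildcards.
    def covers(pattern, action):
        return fnmatchcase(action.lower(), pattern.lower())
    needed_lower = {a.lower() for a in needed}
    return {
        "missing": sorted(a for a in needed if not any(covers(g, a) for g in granted)),
        "not_in_table": sorted(g for g in granted if g.lower() not in needed_lower),
        "all_resources": sorted(unscoped),
    }

# The CloudWatch Logs example policy from Option B, embedded so the check runs offline.
LOGS_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["logs:DescribeLogGroups", "logs:DescribeLogStreams",
               "logs:GetLogEvents", "logs:FilterLogEvents"],
    "Resource": "*"}]})

if __name__ == "__main__":
    print(audit_policy(LOGS_POLICY, ["Query CloudWatch Logs"]))
```

An action reported under not_in_table is not necessarily wrong; it is a prompt to confirm that a workflow uses it before the role goes to production.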
Step 4.1: Copy the Role ARN
- After creating the role, view your new role in the roles list.
- Click on the role name to view its details.
- Copy the ARN from the summary section.
  Format: arn:aws:iam::123456789012:role/PagerDuty-IncidentWorkflows-Role
Step 5: Complete the Configuration in PagerDuty
- Return to PagerDuty's Add AWS Connection modal and perform these tasks:
| Field | Description |
| --- | --- |
| Connection Name | Enter a descriptive name (e.g., "Production AWS Account"). |
| Account ID | Verify this is displayed (pre-filled). |
| External ID | Verify your unique external ID is displayed (pre-filled). |
| Role ARN | Paste the ARN you copied from AWS. |
| Default Region | Enter your preferred AWS region (e.g., us-east-1, us-west-2). |
| Who can edit or select the connection | Choose access level. Default: All admins and global managers. Custom: Select specific users or teams. |
| Allow SRE Agent access | Toggle ON if you want AI-powered agents to use this connection. |
- Click Add.
Step 6: Verify the Connection
PagerDuty automatically verifies the connection by assuming the IAM role you configured.
Check Connection Status
- Navigate to Automation > Incident Workflows > Workflow Integrations > AWS.
- Locate your connection in the connections table.
- Check the Status column:
- Healthy: PagerDuty successfully assumed the role and can use this connection.
- Unhealthy: PagerDuty cannot assume the role. Refer to the troubleshooting instructions below.
The status is checked automatically when the connection is created and periodically thereafter.
Steps to Troubleshoot If Status Shows "Unhealthy"
Verify the following in AWS:
| Step to Troubleshoot | Description |
| --- | --- |
| Role ARN is correct and complete | Format: arn:aws:iam::123456789012:role/RoleName. No extra spaces or characters. |
| External ID matches exactly | Check the trust policy in AWS IAM. Compare with the External ID shown when you created the connection. |
| Trust policy includes PagerDuty's account ID | Principal should be: arn:aws:iam::<<PagerDuty account Id>>:root |
| IAM role exists and is active | Verify the role was not deleted or renamed. Check whether the role is in the correct AWS account. |
| No conflicting conditions in trust policy | Ensure there are no IP restrictions or other conditions that would block PagerDuty. |
After making corrections in AWS, the status will update automatically within a few minutes. You can also edit the connection in PagerDuty to trigger an immediate verification check.
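The troubleshooting checks above can be run offline against a trust policy document before the role is handed to PagerDuty. This is an added example, not PagerDuty's or AWS's code; the account ID and external ID are constructed sample values, the function names are chosen for this example, and condition keys are matched with the exact spelling used in the trust policy shown in Step 2.2.

```python
import json
import re

# Role ARN shape from the troubleshooting table: arn:aws:iam::<12 digits>:role/<name>
ROLE_ARN_RE = re.compile(r"arn:aws:iam::\d{12}:role/[A-Za-z0-9+=,.@_/-]+")

def as_list(value):
    return value if isinstance(value, list) else [value]

def check_role_arn(arn):
    """True only for a complete role ARN with no extra spaces or characters."""
    return ROLE_ARN_RE.fullmatch(arn) is not None

def check_trust_policy(policy_json, pd_account_id, external_id):
    """Return findings for a role trust policy; an empty list means none were found."""
    wanted = {f"arn:aws:iam::{pd_account_id}:root", pd_account_id}  # equivalent forms
    findings, trusted = [], False
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if not wanted & set(aws):
            continue
        trusted = True
        cond = stmt.get("Condition", {})
        ids = as_list(cond.get("StringEquals", {}).get("sts:ExternalId", []))
        if not ids:
            findings.append("no sts:ExternalId condition (confused deputy risk)")
        elif ids != [external_id]:
            findings.append("sts:ExternalId does not match the value shown in PagerDuty")
        extra = sorted(f"{op}/{key}" for op, keys in cond.items() for key in keys
                       if (op, key) != ("StringEquals", "sts:ExternalId"))
        if extra:
            findings.append("extra conditions may block PagerDuty: " + ", ".join(extra))
    if not trusted:
        findings.append("no Allow sts:AssumeRole statement trusts the PagerDuty account")
    return findings

# Constructed sample values, not real PagerDuty identifiers.
PD_ACCOUNT, EXT_ID = "111122223333", "example-external-id"
STATEMENT = {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"AWS": f"arn:aws:iam::{PD_ACCOUNT}:root"}}
GOOD = json.dumps({"Version": "2012-10-17", "Statement": [
    {**STATEMENT, "Condition": {"StringEquals": {"sts:ExternalId": EXT_ID}}}]})
NO_EXTERNAL_ID = json.dumps({"Version": "2012-10-17", "Statement": [STATEMENT]})

if __name__ == "__main__":
    print(check_trust_policy(NO_EXTERNAL_ID, PD_ACCOUNT, EXT_ID))
```

To check a real role, pass the trust policy JSON from the role's Trust relationships tab together with the Account ID and External ID shown in the Add AWS Connection modal.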
Azure Functions
| Field Name | Description |
| --- | --- |
| Connection Name | The name to give the new connection |
| API Key | The API Key for your Azure Function |
| URL | The URL for the connection, e.g., https://<APP_NAME>.azurewebsites.net/api/<FUNCTION_NAME> |
Confluence
- After you select Add Connection, provide a Connection Name. If you are using Confluence with the SRE Agent, select Allow SRE Agent Access. For more on configuring Confluence with the SRE Agent, please see Agent Tooling Configuration.
- Click Add. You will be taken to a page to connect PagerDuty with Confluence.
- Select the specific Confluence site to integrate.
- Click Accept.
Datadog
| Field Name | Description |
| --- | --- |
| Connection Name | The name for the created connection |
| API Key | Your Datadog API key. Can be found in Datadog at Organization Settings > Access > API Keys |
| Application Key | Your Datadog application key. Can be found in Datadog at Personal Settings > Security > Application Keys, or Organization Settings > Access > Application Keys |
| Allow SRE Agent Access | If you are using Datadog with the SRE Agent, select Allow SRE Agent Access. For more on using Datadog with the SRE Agent, please see Agent Tooling Configuration. |
GitHub
- After you select Add Connection, provide a Connection Name and click Add. You will be taken to a page to connect PagerDuty with GitHub.
  - If you are using GitHub with the SRE Agent, select Allow SRE Agent Access. For more on configuring GitHub with the SRE Agent, please see Agent Tooling Configuration.
- Select the specific GitHub organizations to integrate.
- Click Authorize, then Continue.
- Review the details and then select Authorize pd-incident-workflows-integration.
Grafana
| Field Name | Description |
| --- | --- |
| Connection Name | The name to give the new connection |
| Default | Set this as the default connection for Grafana actions |
| URL (Self-hosted or Cloud) | The URL of your Grafana instance |
| Service Account Token | The Grafana service account token |
| Allow SRE Agent Access | If you are using Grafana with the SRE Agent, select Allow SRE Agent Access. For more on using Grafana with the SRE Agent, please see Agent Tooling Configuration. |
Jeli
| Field Name | Description |
| --- | --- |
| Connection Name | The name to give the new connection |
| API Token | The Jeli API token |
| Username | The user who created the Jeli API token |
Logz.io
| Field Name | Description |
| --- | --- |
| Connection Name | The name to give the new connection |
| Region | Your Logz.io account region |
| API Token | The Logz.io API token |
Microsoft Entra ID (Azure AD)
| Field Name | Description |
| --- | --- |
| Connection Name | The name to give the new connection |
You will be directed to Microsoft's login page. Follow the on-screen prompts to complete the Workflow Integration.
PagerDuty Runbook Automation
| Field Name | Description |
| --- | --- |
| Connection Name | The name to give the new connection |
| Subdomain | The subdomain for your runbook.pagerduty.cloud account |
| Token | The API Token that will provide authentication |
| Username | The user associated with the token |
Slack Bot Integration
| Field Name | Description |
| --- | --- |
| Connection Name | The name to give the new connection |
You will be directed to Slack's authentication page. Follow the on-screen prompts to complete the Workflow Integration.
Web API
| Field Name | Description |
| --- | --- |
| Connection Name | Enter a name for the new connection |
| Authentication Headers | Enter the headers to include in Web API calls made with this connection, one per line, e.g., Authorization: Bearer XXXX |
| Allowed Hostnames | Enter the hostnames to allow sending these credentials to, one per line. An asterisk (*) may be used for subdomains, e.g., example.com, subdomain.example.com or *.example.com |
| Health Check URL | Enter a URL to monitor the health of this connection |
| Health Check Method | Select which HTTP method to use for the health check request, HEAD or GET |
- In the field Who can edit or select the connection, select All admins and global managers (default) or All admins, global managers team managers on specific teams. If you choose All admins, global managers team managers on specific teams, select one or more Teams from the Select teams dropdown.
Permission Scope
This setting affects which users can edit the connection or select the connection when configuring actions in an Incident Workflow. This setting does not affect who can invoke an Incident Workflow; that setting is administered while creating or editing an Incident Workflow.
- Click Add.
Delete a Workflow Integration
- In the web app, navigate to Integrations > Workflow Integrations.
- Click the Integration Name (e.g., AWS, Azure Functions, etc.) that contains the connection you'd like to delete.
- To the right of the connection you'd like to delete, click Delete.
- In the confirmation modal, click Delete. This action cannot be undone.
Use a Workflow Integration in Incident Workflows
Creating a Workflow Integration will allow you to use some tool-specific Incident Workflow Actions. Please read Incident Workflows for more information.