[AWS Onboarding] Add Connect Account step UI

[juliaElastic]

Summary

Implements the Connect Account step of the AWS onboarding flow (issue #7620), letting users choose how Elastic authenticates to their AWS account before proceeding to subsequent steps.

Plan to move the Account step later in the flow, to start with Services and show the Account step based on selected services: FI only if supported by selected services, ECF/Firehose doesn't need Account setup.

What's added

Fleet plugin — AwsConnectSetup component (exported as LazyAwsConnectSetup):

• AwsAuthTypeSelector: select between Identity Federation (cloud connector), Static keys and ** Temporary keys**
• AwsIdentityFederationSetup: tabbed UI with an Existing Identity selector (reuses CloudConnectorSelector) and a New Identity form (Role ARN + External ID + connector name + CloudFormation launcher). The "Create Identity" button calls the cloud connector API and auto-selects the new connector on success.
• AwsStaticKeysForm: fields for Access Key ID, Secret Access Key
• AwsTemporaryKeysForm: fields for Access Key ID, Secret Access Key, and Session Token
• useCreateCloudConnector: react-query mutation hook wrapping POST /api/fleet/cloud_connectors

Ingest Hub plugin — onboarding flow wiring:

• onNext callback threaded from OnboardingShell → step components → AwsConnectSetup; clicking Next marks the step complete and advances to the next step
• OnboardingFlowProvider / useOnboardingFlow: React context backed by sessionStorage (onboarding.aws.connectStep) holding the selected connectorId, entered staticKeys or temporaryKeys as a single object
• Connector selection and static/temporary key fields are preserved when navigating back to the Connect step: initial values are passed into the sub-forms on remount, and auth type is restored from stored state
• Added Scout UI tests

Test plan

• Enable feature flag:

feature_flags.overrides:
  ingestHub.onboardingEnabled: true

• Select Identity Federation, create a new identity via CloudFormation → connector appears in Existing tab and is auto-selected → Next button becomes active
• Select an existing identity from the dropdown → Next button becomes active
• Switch to Static keys, enter Access Key ID + Secret → Next button becomes active
• Switch to Temporary keys, enter form fields → Next button becomes active
• Click Next on Connect step → moves to Services step; click back → previously selected connector / entered keys are still shown
• Refresh page while on Connect step → session storage restores prior selections

🤖 Generated with Claude Code

Screenshots

[kibanamachine]

🤖 Prompt Changes Detected

Changes have been detected to one or more prompt files in the Elastic Assistant plugin.

Please remember to update the integrations repository with your prompt changes to ensure consistency across all deployments.

Next Steps:

1. Follow the documentation in x-pack/solutions/security/packages/security-ai-prompts/README.md to update the corresponding prompt files
2. Make the changes in the integrations repository
3. Test your changes in the integrations environment
4. Ensure prompt consistency across all deployments

This is an automated reminder to help maintain prompt consistency across repositories.

[infra-vault-gh-plugin-prod]

Pinging @elastic/fleet (Team:Fleet)

[maxcold]

@Omolola-Akinleye all changes are in x-pack/platform/plugins/shared/fleet/public/components/cloud_connector trigger request review from contextual-security-apps team. Can you update the CODEOWNERS to the correct owner?

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds the AWS “Connect Account” step to the Ingest Hub onboarding flow by integrating Fleet’s new AwsConnectSetup UI and persisting user selections across navigation.

Changes:

• Wire Ingest Hub onboarding “Connect” step to Fleet’s LazyAwsConnectSetup, including step-to-step navigation (onNext)
• Add session-backed onboarding flow context to preserve connector selection / entered keys across back navigation
• Extend Fleet with AWS connect setup UI + create-cloud-connector hook and update cloud connector secret-reference handling + tests

Reviewed changes

Copilot reviewed 25 out of 25 changed files in this pull request and generated 14 comments.

Show a summary per file

File	Description
x-pack/platform/plugins/shared/ingest_hub/kibana.jsonc	Declares Fleet as a required plugin for the new Connect step integration
x-pack/platform/plugins/shared/ingest_hub/public/onboarding/onboarding_app.tsx	Adds React Query + onboarding flow provider around the onboarding router
x-pack/platform/plugins/shared/ingest_hub/public/onboarding/step_components/connect_step.tsx	Replaces placeholder “Connect” UI with Fleet’s lazy AWS connect setup component
x-pack/platform/plugins/shared/ingest_hub/public/onboarding/onboarding_flow_context.tsx	Introduces sessionStorage-backed state for the Connect step
x-pack/platform/plugins/shared/ingest_hub/public/onboarding/onboarding_shell.tsx	Threads onNext into step components and advances the flow when pressed
x-pack/platform/plugins/shared/ingest_hub/test/scout/ui/tests/onboarding_connect_step.spec.ts	Adds Scout UI coverage for the Connect step behaviors
x-pack/platform/plugins/shared/fleet/public/components/cloud_connector/aws_connect_setup/*	Implements the AWS auth-type selector + sub-forms + identity federation creation flow
x-pack/platform/plugins/shared/fleet/public/components/cloud_connector/hooks/use_create_cloud_connector.ts	Adds a React Query mutation wrapper for creating cloud connectors
x-pack/platform/plugins/shared/fleet/common/types/models/cloud_connector.ts	Adds a secret-reference type guard and broadens AWS external_id typing
x-pack/platform/plugins/shared/fleet/server/services/cloud_connector.ts	Uses the new type guard when extracting/validating secret references
packages/kbn-optimizer/limits.yml	Updates optimizer budgets for Fleet and Ingest Hub bundles

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 25 out of 25 changed files in this pull request and generated 12 comments.

[criamico]

A review with Claude flagged that this useEffect might create issues and suggested to run only on initial load, since it changes the selected tab every time cloudConnectors.length changes

[juliaElastic]

addressed in da5b0b1

[kibanamachine]

💚 Build Succeeded

• Buildkite Build
• Commit: f14c293
• Build duration: 54 mins

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
fleet	2224	2231	+7
ingestHub	43	44	+1
total			+8

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
fleet	2.8MB	2.8MB	+13.1KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
fleet	211.3KB	211.8KB	+521.0B
ingestHub	11.3KB	13.1KB	+1.8KB
total			+2.3KB

History

• 💛 Build #448916 was flaky 5b47ff2
• 💔 Build #448902 failed c16b79c
• 💔 Build #448888 failed 3de70d4
• 💔 Build #448737 failed b4fcaca
• 💔 Build #448179 failed 9f4a2f1
• 💔 Build #448160 failed 81c0a3c

[criamico]

Code LGTM 🚀

[rStelmach]

obs-onboarding changes LGTM