Creating AWS discovery configurations - BlueCat Edge - Service Point v4.x.x

BlueCat Edge User Guide

Locale: en-US
Product name: BlueCat Edge
Version: Service Point v4.x.x
Before you create a discovery configuration, create the secrets it needs in the secrets manager. The discovery configuration uses these credentials to authenticate to the selected environment and discover DNS data. A discovery configuration that retrieves data from an AWS environment must have secrets for the following credentials:
  • AWS access key ID
  • AWS secret access key
  • AWS session token (Optional, depending on how AWS credentials are generated)

For more information, refer to Secrets manager.

Attention: If you are using HashiCorp Vault to store your secrets, you must add the Vault credentials to the secrets manager.
Attention: AWS discovery configurations can only be associated with discovery instances running software version 1.1.0 that are deployed on a DNS resolver service running software version 4.0.0.

How AWS credentials are applied during discovery

When you configure AWS discovery, the credentials that are applied depend on the configuration:
  • Base credentials—the access key ID, secret access key and (optionally) session token stored in the secrets manager. These can belong to an IAM user or be temporary credentials for an IAM role. If no role ARN is specified in the primary or secondary configurations, the base credentials are used for discovery directly and must have the discovery permissions described in step 2 under Configuring AWS permission requirements.
  • If a role ARN is specified in the primary configuration, the base credentials must be allowed to assume that role, and the role's trust policy must admit the base principal. The primary role must also have discovery permissions, unless only secondary configurations are used for discovery.
  • If a secondary configuration is specified, its role ARN must be assumable by the base credentials (if no primary role ARN is specified) or by the primary role (if one is specified). The secondary role must have discovery permissions.
Note: If no role ARN is defined in any configuration, the base credentials are used directly and no sts:AssumeRole call is made.

Prerequisites

Before you begin, ensure that the IAM user or role used to discover DNS data has the permissions required to retrieve the DNS data from your AWS environment. You must also ensure that your service point has firewall rules that allow it to connect to the cloud API endpoints.

Cloud API access requirements

The service point that is configured to use the discovery configuration must be able to reach the AWS API endpoints, which are hosts under the following domain:
  • *.amazonaws.com
For the actions used in this guide these are the EC2 regional endpoints (ec2.<region>.amazonaws.com for each configured region), the Route 53 endpoint (route53.amazonaws.com) and, when a role ARN is configured, STS (sts.amazonaws.com or the regional sts.<region>.amazonaws.com).
Note: For more information on AWS API endpoints, refer to https://docs.aws.amazon.com/general/latest/gr/rande.html.
Configuring AWS permission requirements
  1. Create an IAM role. For more information on creating IAM roles, refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html.
  2. Create an IAM policy that has the following permissions:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeVpcEndpoints",
                    "ec2:DescribeVpcs",
                    "route53:ListHostedZones",
                    "route53:ListHostedZonesByVPC",
                    "route53:ListResourceRecordSets"
                ],
                "Resource": "*"
            }
        ]
    }
    Note: These permissions are provided for guidance but might not be suitable for environments with restrictive access. You can configure granular permissions to set boundaries on the resources that the discovery configuration can discover. Of the actions above, only route53:ListResourceRecordSets accepts a resource-level restriction (a hostedzone ARN); the EC2 Describe actions and the Route 53 ListHostedZones actions do not support resource-level permissions and must be granted with "Resource": "*".
  3. If a primary role is assumed using the base credentials, or a secondary role is assumed using either the base credentials or the primary role, create an STS AssumeRole policy with the following permissions and attach it to the identity that makes the AssumeRole call:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "sts:AssumeRole"
                ],
                "Resource": [
                    "arn:aws:iam::123456789012:role/cloud_resolver_remote"
                ]
            }
        ]
    }
    Where the resource is as follows:
    • The ARN of the role in the remote account that the discovery configuration assumes. The trust policy of that role must in turn allow the calling IAM user or role to assume it; if you configure an External ID for the role, the trust policy must require it with an sts:ExternalId condition.
      Note: You can list multiple resources.
  4. Assign the policies to the IAM role that will be used by the discovery configuration. For more information, refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html.
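The credential chain described under How AWS credentials are applied during discovery, together with the discovery policy from step 2 and the AssumeRole policy from step 3, as an added example that is not BlueCat's code: a small, offline Python model of IAM evaluation that walks base credentials -> primary role -> secondary role and reports which hop breaks (missing sts:AssumeRole on the caller, a trust policy that rejects the caller or its external ID, or a final principal without the discovery permissions). The account ID 111111111111, the edge-discovery user, the cloud_resolver_primary role and the external ID are assumed placeholders; arn:aws:iam::123456789012:role/cloud_resolver_remote is the role ARN from step 3.

```python
"""Added illustration (not BlueCat code): an offline, simplified IAM model that walks the
credential chain an Edge discovery configuration uses (base credentials -> optional primary
role -> secondary roles) and reports which hop would fail. All ARNs, account IDs and
external IDs are made-up placeholders."""
import fnmatch

# Discovery permissions from step 2 of "Configuring AWS permission requirements".
DISCOVERY_ACTIONS = ("ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs", "route53:ListHostedZones",
                     "route53:ListHostedZonesByVPC", "route53:ListResourceRecordSets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows(policy, action, resource="*"):
    """Identity-policy check: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for st in policy["Statement"]:
        if (any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])) and
                any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st.get("Resource", "*")))):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def trusts(trust_policy, caller_arn, external_id=None):
    """Trust-policy check: does the role admit caller_arn (and its external ID, if required)?"""
    account_root = f"arn:aws:iam::{caller_arn.split(':')[4]}:root"  # admits the whole account
    for st in trust_policy["Statement"]:
        if st["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(st["Action"]):
            continue
        principals = _as_list(st.get("Principal", {}).get("AWS", []))
        if caller_arn not in principals and account_root not in principals:
            continue
        required = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is None or required == external_id:
            return True
    return False


def check_discovery_chain(base_arn, base_policy, roles, primary=None, secondaries=(),
                          only_secondary=False):
    """Return a list of problems; empty means every hop and permission checks out.
    roles: {role ARN: {"policy": identity policy, "trust": trust policy}};
    primary / secondaries: {"role_arn": ..., "external_id": ...}, mirroring the UI fields."""
    problems = []

    def hop(caller_arn, caller_policy, target):
        arn, ext = target["role_arn"], target.get("external_id")
        if not allows(caller_policy, "sts:AssumeRole", arn):
            problems.append(f"{caller_arn} is not allowed sts:AssumeRole on {arn}")
        if arn not in roles:
            problems.append(f"{arn} does not exist")
            return None
        if not trusts(roles[arn]["trust"], caller_arn, ext):
            problems.append(f"trust policy of {arn} rejects {caller_arn} (external ID {ext!r})")
        return arn

    def needs_discovery(arn, policy):
        missing = [a for a in DISCOVERY_ACTIONS if not allows(policy, a)]
        if missing:
            problems.append(f"{arn} lacks {', '.join(missing)}")

    principal_arn, principal_policy = base_arn, base_policy
    if primary:  # hop 1: base credentials -> primary role
        arn = hop(base_arn, base_policy, primary)
        if arn:
            principal_arn, principal_policy = arn, roles[arn]["policy"]
    if not only_secondary:  # "Only use secondary configs for discovery" skips this check
        needs_discovery(principal_arn, principal_policy)
    for sec in secondaries:  # hop 2: primary role (or base credentials) -> secondary role
        arn = hop(principal_arn, principal_policy, sec)
        if arn:
            needs_discovery(arn, roles[arn]["policy"])
    return problems


# Constructed sample: IAM user in account 111111111111 -> primary role in the same account
# -> discovery role in remote account 123456789012 whose trust policy requires an external ID.
BASE_ARN = "arn:aws:iam::111111111111:user/edge-discovery"
PRIMARY_ARN = "arn:aws:iam::111111111111:role/cloud_resolver_primary"
REMOTE_ARN = "arn:aws:iam::123456789012:role/cloud_resolver_remote"
EXTERNAL_ID = "edge-discovery-7f3a"  # placeholder


def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


def _trust(principal_arn, external_id=None):
    st = {"Effect": "Allow", "Principal": {"AWS": principal_arn}, "Action": "sts:AssumeRole"}
    if external_id:
        st["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return _policy(st)


BASE_POLICY = _policy({"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": PRIMARY_ARN})
ROLES = {
    PRIMARY_ARN: {"policy": _policy({"Effect": "Allow", "Action": list(DISCOVERY_ACTIONS), "Resource": "*"},
                                    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": REMOTE_ARN}),
                  "trust": _trust(BASE_ARN)},
    REMOTE_ARN: {"policy": _policy({"Effect": "Allow", "Action": list(DISCOVERY_ACTIONS), "Resource": "*"}),
                 "trust": _trust(PRIMARY_ARN, EXTERNAL_ID)},
}


def example_chain(external_id=EXTERNAL_ID):
    """Primary + secondary configuration as entered in the UI; returns [] when consistent."""
    return check_discovery_chain(BASE_ARN, BASE_POLICY, ROLES, primary={"role_arn": PRIMARY_ARN},
                                 secondaries=[{"role_arn": REMOTE_ARN, "external_id": external_id}])


def example_base_only():
    """No role ARN anywhere: the base credentials themselves must hold discovery permissions."""
    return check_discovery_chain(BASE_ARN, BASE_POLICY, ROLES)
```

example_chain() returns an empty list for the consistent setup; example_chain("typo") reports the remote role's trust policy rejecting the primary role, and example_base_only() reports that the base user lacks every discovery action, which are the two mistakes the credentials section warns about. Passing only_secondary=True lets a primary role that holds only sts:AssumeRole pass, matching the Only use secondary configs for discovery option.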

Creating the AWS discovery configuration

To create the AWS discovery configuration

  1. In the top navigation bar, click and select Discovery service > Configurations.
  2. To add a new discovery configuration, click New > AWS.
  3. Enter the name of the discovery configuration.
  4. Under Polling interval, enter the interval at which the source of the DNS data is polled. The minimum value is 60 seconds.
  5. Under Discovery timeout, enter the maximum length of time that the Discovery Instance attempts to discover DNS data for the configuration before it times out, in seconds. The default value is 1800 seconds (30 minutes).
  6. Under On discovery failure, select one of the following options to determine how the global discovery configuration handles failures to retrieve data:
    • Keep last data (safe)—the discovery configuration uses the last successfully retrieved set of DNS data.
    • Overwrite last data—the discovery configuration overwrites the DNS data from the last successful retrieval.
  7. Under Regions, enter the AWS regions from which the discovery configuration retrieves DNS zone information. As you enter a region, press ENTER to add the region and configure another. You can click X next to a region name to remove it.
  8. Select Generate reverse zones to automatically generate reverse zones for cloud discovered network space.
  9. Select Only use secondary configs for discovery to indicate that the primary credentials and role will only be used to assume secondary roles and will not be used to discover DNS data.
  10. Under HCV authentication, enter the following information to use HashiCorp Vault (HCV) authentication.
    • Use HashiCorp Vault for retrieving credentials—select this checkbox to use secret credentials stored in HashiCorp Vault.
    • Host—the base URL of HashiCorp Vault server where the secrets are stored.
    • Port—the port used to retrieve credentials stored in the HashiCorp Vault server.
    • Namespace (required if using HashiCorp Vault namespaces)— If you are using a namespace, the value is the namespace where the user's secrets are stored in the vault. For more information, refer to https://developer.hashicorp.com/vault/docs/enterprise/namespaces.
    • Role ID—select the ID of the role that you would like to use to authenticate against HashiCorp Vault. For more information, refer to https://developer.hashicorp.com/vault/api-docs/auth/approle#read-approle-role-id.
    • Secret ID—select the secret ID generated from the role ID that is used to authenticate against HashiCorp Vault. For more information, refer to https://developer.hashicorp.com/vault/api-docs/auth/approle#generate-new-secret-id.
    • Secret Path—the path where you have stored the secrets within the HashiCorp Vault server. You can enter the path to locations where BlueCat Edge credentials and discovery secrets are stored.

      The discovery configuration uses the HashiCorp Vault API to look up secrets. You must prefix paths with /v1/. For example, if secrets are stored within the secret/data/edgeresolver path, the Secret Path value would be /v1/secret/data/edgeresolver.

  11. Under Primary account, specify the AWS configuration to discover DNS data from:
    Attention: The following AWS credentials are used to discover DNS data only when the Only use secondary configs for discovery option is not enabled. Otherwise, they are used only to assume the primary and secondary roles.
    • Access Key ID—select the AWS access key ID stored in secrets manager that will be used to discover the DNS data.
      Note: If you are using credentials from HashiCorp Vault, enter the key name for the AWS access key ID stored in HashiCorp Vault.
    • Secret access key—select the AWS secret access key stored in secrets manager that will be used to discover the DNS data.
      Note: If you are using credentials from HashiCorp Vault, enter the key name for the AWS secret access key stored in HashiCorp Vault.
    • Session token (Optional)—select the AWS session token stored in secrets manager that will be used to discover the DNS data.
      Note: If you are using credentials from HashiCorp Vault, enter the key name for the AWS session token stored in HashiCorp Vault.
    • Role ARN (Optional)—enter the Amazon Resource Name (ARN) of the role that the base credentials assume.
    • Session Name (Optional)—enter the role session name to use for the AssumeRole call. This applies only when a Role ARN is specified.
    • External ID (Optional)—enter the external ID to present when assuming the role. This applies only when a Role ARN is specified, and it is needed when the role's trust policy requires an sts:ExternalId condition. For more information, refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html#id_roles_third-party_external-id.
  12. Under AWS secondary accounts, specify one or more AWS configurations to discover DNS data from:
    • Role ARN—enter the Amazon Resource Name (ARN) of the role to assume.
      Note: This is required for secondary account configurations.
    • Session Name (Optional)—enter the role session name to use for the AssumeRole call.
    • External ID (Optional)—enter the external ID to present when assuming the role; it is needed when the role's trust policy requires an sts:ExternalId condition. For more information, refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html#id_roles_third-party_external-id.
    • Under Regions, enter the AWS regions from which this AWS configuration retrieves DNS zone information. As you enter a region, press ENTER to add the region and configure another. You can click X next to a region name to remove it.
      Note: The regions configured per AWS configuration override the regions configured at the global level. This field is optional.
    • On discovery failure: select one of the following options to determine how the discovery configuration handles failures to retrieve data from this AWS configuration:
      • Keep last data (safe): the discovery configuration uses the last successfully retrieved set of DNS data.
      • Overwrite last data: the discovery configuration overwrites the DNS data from the last successful retrieval.
      Note: The discovery failure option configured per AWS configuration overrides the option configured at the global level. This field is optional.
    • Click to add the AWS configurations.
  13. Click Save.
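The HashiCorp Vault exchange behind the HCV authentication fields in step 10 and the key-name lookups in step 11, as an added example that is not BlueCat's code: the AppRole login that turns the Role ID and Secret ID into a client token, the read at the Secret Path (with the /v1/ prefix the guide requires and the Namespace header), and the mapping of the key names entered in the Primary account fields onto the returned secret, including the double "data" nesting of a KV version 2 read. The host vault.example.internal, port 8200, namespace, role ID, secret ID, the key names aws_key_id and aws_secret, and both responses are constructed placeholders; the secret path /v1/secret/data/edgeresolver is the one from step 10.

```python
"""Added illustration (not BlueCat code) of the HashiCorp Vault exchange behind the HCV
authentication fields in step 10: AppRole login, then a KV read at the Secret Path, then
mapping the key names from the Primary account fields onto the returned secret. Host, port,
namespace, role ID, secret ID, key names and both responses are constructed placeholders."""

VAULT_HOST = "https://vault.example.internal"  # "Host" field: base URL of the Vault server
VAULT_PORT = 8200                              # "Port" field
VAULT_NAMESPACE = "bluecat"                    # "Namespace" field (Vault Enterprise only)
SECRET_PATH = "/v1/secret/data/edgeresolver"   # "Secret Path" field, /v1/ prefix included


def is_valid_secret_path(secret_path):
    """The discovery configuration calls Vault's HTTP API, which lives under /v1/."""
    return secret_path.startswith("/v1/") and len(secret_path) > len("/v1/")


def vault_url(host, port, api_path):
    if not is_valid_secret_path(api_path):
        raise ValueError(f"path must start with /v1/: {api_path!r}")
    return f"{host.rstrip('/')}:{port}{api_path}"


def _headers(namespace=None, token=None):
    headers = {}
    if namespace:
        headers["X-Vault-Namespace"] = namespace  # how a namespace is selected per request
    if token:
        headers["X-Vault-Token"] = token
    return headers


def approle_login_request(host, port, role_id, secret_id, namespace=None):
    """Request 1: exchange Role ID + Secret ID for a client token (AppRole auth method)."""
    return {"method": "POST", "url": vault_url(host, port, "/v1/auth/approle/login"),
            "headers": _headers(namespace), "body": {"role_id": role_id, "secret_id": secret_id}}


def kv_read_request(host, port, secret_path, client_token, namespace=None):
    """Request 2: read the secret at Secret Path with the token obtained in request 1."""
    return {"method": "GET", "url": vault_url(host, port, secret_path),
            "headers": _headers(namespace, client_token)}


def extract_aws_credentials(kv_response, access_key_name, secret_key_name, session_token_name=None):
    """Map the key names entered in the Primary account fields to values in the KV response.
    KV v2 (secret/data/<name>) nests the key/value pairs under data.data; KV v1 uses data."""
    payload = kv_response["data"]
    secrets = payload["data"] if isinstance(payload.get("data"), dict) else payload
    for name in (access_key_name, secret_key_name, session_token_name):
        if name and name not in secrets:
            raise KeyError(f"key {name!r} not found at the configured Secret Path")
    creds = {"aws_access_key_id": secrets[access_key_name],
             "aws_secret_access_key": secrets[secret_key_name]}
    if session_token_name:  # only needed when the stored credentials are temporary
        creds["aws_session_token"] = secrets[session_token_name]
    return creds


# Constructed responses shaped like Vault's, with placeholder values.
LOGIN_RESPONSE = {"auth": {"client_token": "hvs.placeholder-token", "lease_duration": 3600}}
KV_RESPONSE = {"data": {"data": {"aws_key_id": "AKIAPLACEHOLDER00000",
                                 "aws_secret": "placeholder-secret-access-key"},
                        "metadata": {"version": 3}}}


def example_exchange():
    """Both legs of the exchange; returns (login URL, read URL, credentials for discovery)."""
    login = approle_login_request(VAULT_HOST, VAULT_PORT, "role-id-placeholder",
                                  "secret-id-placeholder", VAULT_NAMESPACE)
    token = LOGIN_RESPONSE["auth"]["client_token"]
    read = kv_read_request(VAULT_HOST, VAULT_PORT, SECRET_PATH, token, VAULT_NAMESPACE)
    return login["url"], read["url"], extract_aws_credentials(KV_RESPONSE, "aws_key_id", "aws_secret")
```

The two checks worth keeping from this are the ones that most often break a Vault-backed configuration: a Secret Path entered without the /v1/ prefix (rejected by is_valid_secret_path) and a key name that does not exist at that path (extract_aws_credentials raises rather than silently returning a partial credential set).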