AWS Credentials - Adaptive Applications - BlueCat Gateway - 22.2.2

Cloud Discovery & Visibility Administration Guide

Locale: English
Product name: BlueCat Gateway
Version: 22.2.2

This section describes how to configure the credentials that Cloud Discovery & Visibility uses to access your AWS infrastructure.

In order to configure Cloud Discovery & Visibility (CDV) for AWS, you must have the following:

  • The AWS access key ID and secret access key to access your AWS infrastructure. You can find these on the My Security Credentials page of your account on AWS.
    Tip: If you forget your secret access key, you can create a new set of access keys and mark the old set as inactive.
  • If your account requires an Amazon Resource Name (ARN) token for multi-factor authentication (MFA) or role assumption, retrieve those values for your AWS environment.
    Note: When running visibility jobs, CDV reuses configured credentials during AWS authentication to retrieve changes to resources. If your authentication system uses multi-factor authentication (MFA), BlueCat recommends using a service account that can continually authenticate to AWS without user verification.
  • If you have multiple AWS accounts or AWS Role ARNs, you can set up CDV to use multiple accounts. This is especially useful if CDV needs to use different accounts or Role ARNs for different regions.

    Tip: You can also automate discovery using the BlueCat Cloud Discovery & Visibility REST API. For more information on doing so, see REST API endpoints.

When configuring CDV's credentials for an AWS environment, there are three general scenarios:

Fields in the AWS Credentials tab are as follows:

Field/Option: Use EC2 instance credentials
Description: Appears only when CDV is deployed on EC2 instances in AWS environments. Select this checkbox to tell CDV to use the credentials of the user that deployed the CDV instance in AWS for authentication in AWS environments.

  Note: Selecting this checkbox hides other fields in this section.

  For more details, see To automatically authenticate CDV using the credentials on the EC2 instance below.

Basic AWS parameters

Field/Option: AWS Access Key ID
Description: The AWS access key ID for your environment.

Field/Option: AWS Secret Access Key
Description: The AWS secret access key that is associated with the specified AWS Access Key ID.

Advanced AWS parameters

Field/Option: Enable AWS Multifactor Authentication; AWS MFA Token ARN
Description: Select the Enable AWS Multifactor Authentication checkbox to enable AWS multi-factor authentication.

  Also, in AWS MFA Token ARN, enter the AWS multi-factor authentication token ARN. This token must be in the following format:

    arn:aws:iam::<account_number>:mfa/<account_id>

  For example:

    arn:aws:iam::123456789012:mfa/exampleUser

Field/Option: Enable AWS Role Assumption; AWS Role ARN
Description: Select the Enable AWS Role Assumption checkbox to enable AWS role assumption. This means CDV can use a temporary set of security credentials to access AWS resources to which it normally doesn't have access.

  Also, in AWS Role ARN, enter the AWS role assumption ARN. The AWS role ARN must be in the following format:

    arn:aws:iam::<account_role_number>:role/<role_name>

  For example:

    arn:aws:iam::987654321098:role/developerRole

To automatically authenticate CDV using the credentials on the EC2 instance:

  1. Make sure the EC2 instance credentials have the permissions needed by CDV.
  2. In CDV, click AWS in the banner at the top and then click Setup.
  3. Click to expand AWS Credentials (if necessary), then click the Basic tab.
  4. Click to select the Use EC2 instance credentials checkbox.

    When selected, the credentials of the user that deployed the CDV instance in AWS are used for authentication. CDV also hides other credential fields from view.

    Attention:
    • The Use EC2 instance credentials checkbox only appears when CDV is deployed on EC2 instances in AWS environments. For more information on deploying CDV on an AWS EC2 instance, see Installing CDV on AWS EC2 instances.
    • If you have CDV deployed on an EC2 instance in AWS and Use EC2 instance credentials does not appear, make sure that the EC2 instance exists and retrieve the instance metadata. For more information, see Retrieving AWS EC2 instance metadata.

To configure AWS credentials manually:

  1. In Cloud Discovery & Visibility, click AWS in the banner at the top and then click Setup.
  2. Click to expand AWS Credentials (if necessary), then click the Basic tab.
  3. If the Use EC2 instance credentials checkbox is selected, click to clear it.
  4. Under AWS Credentials, enter your AWS credentials:
    • AWS Access Key ID: Enter the AWS access key ID for your environment.
    • AWS Secret Access Key: Enter the AWS secret access key associated with the AWS Access Key ID entered.
    • Enable AWS Multifactor Authentication: Select this checkbox to enable AWS multi-factor authentication. Also make sure you enter the AWS MFA Token ARN.
    • Enable AWS Role Assumption: Select this checkbox to enable AWS role assumption. Also make sure you enter the AWS Role ARN.

    For more details on these fields, see the parameter list above.

To apply multiple AWS credentials for (optionally) different regions:

In order to apply different AWS credentials for different regions, you must first prepare a text file with credential information for each region. Each line in the file should define a single set of credentials, in one of the following formats:

<Region>, <AWS_access_key>, <AWS_secret_key>
<Region>, <AWS_access_key>, <AWS_secret_key>, <Role_ARN_assumption>

Where:

  • Region: The region to which this line's credentials apply, such as us-west-2.
  • AWS_access_key: The AWS access key ID for your environment.
  • AWS_secret_key: The AWS secret access key that is associated with the specified AWS access key.
  • Role_ARN_assumption: The AWS role assumption ARN.
Tip: For more details on these fields, see the parameter list above.
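As an added example (not BlueCat's own code), the following Python validator checks the two ARN formats from the Advanced AWS parameters section and parses the multi-credentials file format above, rejecting malformed lines before the file is uploaded and reporting problems by line number only, so the access keys and secret keys never end up in a log. The region pattern, the sample keys and the helper names are assumptions of this example.

```python
import re

# ARN shapes from the Advanced AWS parameters section: a 12-digit account number,
# then mfa/<name> or role/<role_name>. Commas are excluded from names because the
# multi-credentials file is comma-separated. Added example, not BlueCat's own code.
ACCOUNT = r"\d{12}"
MFA_ARN_RE = re.compile(rf"^arn:aws:iam::{ACCOUNT}:mfa/[\w+=.@-]+$")
ROLE_ARN_RE = re.compile(rf"^arn:aws:iam::{ACCOUNT}:role/[\w+=.@-]+$")
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")  # e.g. us-west-2, us-gov-east-1 (assumed shape)

def is_mfa_arn(value: str) -> bool:
    return bool(MFA_ARN_RE.match(value))

def is_role_arn(value: str) -> bool:
    return bool(ROLE_ARN_RE.match(value))

def parse_credentials_file(text: str):
    """Parse the multi-credentials file: one set per line, either
    '<Region>, <AWS_access_key>, <AWS_secret_key>' or the same plus
    ', <Role_ARN_assumption>'. Returns (entries, errors); error messages
    carry only the line number, so logging them never leaks a secret key."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue  # blank lines are skipped
        fields = [f.strip() for f in raw.split(",")]
        if len(fields) not in (3, 4) or not all(fields):
            errors.append(f"line {lineno}: expected 3 or 4 comma-separated fields")
        elif not REGION_RE.match(fields[0]):
            errors.append(f"line {lineno}: {fields[0]!r} is not an AWS region name")
        elif len(fields) == 4 and not is_role_arn(fields[3]):
            errors.append(f"line {lineno}: role ARN must be arn:aws:iam::<12 digits>:role/<role_name>")
        else:
            entries.append({"region": fields[0], "access_key_id": fields[1],
                            "secret_access_key": fields[2],
                            "role_arn": fields[3] if len(fields) == 4 else None})
    return entries, errors

# Constructed sample file; the keys are placeholders, not real credentials.
SAMPLE_FILE = """\
us-west-2, AKIAEXAMPLE000000001, EXAMPLEsecretKey0000000000000000000001
eu-central-1, AKIAEXAMPLE000000002, EXAMPLEsecretKey0000000000000000000002, arn:aws:iam::987654321098:role/developerRole
us-east-1, AKIAEXAMPLE000000003
ap-southeast-2, AKIAEXAMPLE000000004, EXAMPLEsecretKey0000000000000000000004, arn:aws:iam::12345:role/developerRole
"""

if __name__ == "__main__":
    accepted, rejected = parse_credentials_file(SAMPLE_FILE)
    print(f"{len(accepted)} credential sets accepted", *rejected, sep="\n")
```

On the sample file, lines 1 and 2 are accepted; line 3 is rejected for having only two fields and line 4 because its role ARN does not carry a 12-digit account number.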

When you finish editing the multi-credentials text file:

  1. In Cloud Discovery & Visibility, click AWS in the banner at the top and then click Setup.
  2. Click to expand AWS Credentials (if necessary), then click the Advanced tab.
  3. Drag the multi-credentials text file into the Multiple Credentials File area.

    You can also click the Multiple Credentials File area to manually navigate to the desired file.