When you edit an Amazon Web Services (AWS) Discovery or Visibility, the Credentials settings hold the AWS credentials that Cloud Discovery & Visibility (CDV) uses to access your AWS infrastructure. You will see these settings when updating the credentials of a Discovery or Visibility manager, or when creating a new Discovery or Visibility.
By default, CDV assumes you are setting up a single account to use across your entire AWS infrastructure (Single credential is selected). Alternatively, you can have CDV use the credentials of the EC2 instance it runs on, or you can set up multiple AWS credentials for different regions (or for the same region). In all cases, there are several possible authentication scenarios. For help determining which scenario works best for your AWS infrastructure, see About AWS authentication in Cloud Discovery & Visibility.
AWS credentials
| Field/Option | Description |
|---|---|
| Single credentials and Multiple credentials | To specify a single account to use across your entire AWS infrastructure, select Single credential. You cannot select Single credential and Multiple credentials at the same time. You specify the rest of the account credentials in this window. To instead set up multiple AWS credentials for different regions (or the same region), select Multiple credentials. You will need to set up a text file with details for each region. |
| Use EC2 instance credentials | (Appears only when Single credential is selected and CDV detects that it is deployed on an EC2 instance in an AWS environment.) Select this checkbox to tell CDV to use AWS Assume Role providers for the EC2 instance, that is, the credentials of the user that deployed the CDV instance in AWS, for authentication in AWS environments. Note: Selecting this checkbox hides other fields in this section. For more details, see Setting up CDV to use EC2 instance accounts for authentication. |
| Multiple credentials file | (Appears only when Multiple credentials is selected.) A text file with multiple credentials, including credential information for each desired region. Each line in the file defines a single set of credentials, listing the region, access key, and (optionally) the ARN of the role that CDV should assume when using those specific credentials. After creating your multiple credentials file, drag it onto the Multiple credentials file box to apply it to CDV. Or, click within the area, then navigate to and select the desired file. For more details on setting up this file, see Setting up multiple AWS credentials for multiple regions. Note: Selecting this checkbox hides other fields in this section. |
Basic AWS parameters
(These settings appear only when Single credential is selected.)
| Field/Option | Description |
|---|---|
| AWS access key ID | The AWS access key ID for your environment. |
| AWS secret access key | The AWS secret access key that is associated with the specified AWS access key ID. |
Advanced AWS parameters
(These settings appear only when Single credential is selected.)
| Field/Option | Description |
|---|---|
| Enable AWS Role Assumption / AWS Role ARN | Select the Enable AWS Role Assumption checkbox to enable AWS role assumption. This lets CDV use a temporary set of security credentials to access AWS resources to which it normally doesn't have access. Then, in AWS Role ARN, enter the ARN of the role to assume. The AWS role ARN must be in the following format: For example: |
| Discovery for Organization | Select this checkbox to enable Organization-level Discovery. If this checkbox is cleared, CDV assumes that Discovery jobs are not to be run at the Organization level, and all other fields in the AWS Account Filter section are disabled. |
| Role name used for Discovery Organization | (Available only if Discovery for Organization is selected.) The name of the user or role that you configured for CDV to use with the Organization. This should be the user or role with the AssumeRole permission. For more details on setting up this role, see Setting up and running AWS Organization-level discovery and visibility. |
| Role ARN used for Operations of Organizations | (Available only if Discovery for Organization is selected.) (Optional.) The ARN (Amazon Resource Name) of the AWS IAM Role created in either the Management or Delegated admin account. This role is assumed by member accounts during AWS Organization discovery. If left blank, CDV performs organization-level discovery using either the Management Account or the Delegated Admin Account. |
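The fields above (the multiple credentials file, the Single credential keys with optional role assumption, and the Organization-level role settings) are easy to get subtly wrong, and a malformed entry typically surfaces only as a failed Discovery run. The following Python is an added example, not CDV's own code: it pre-checks such a configuration offline. The comma-separated layout it parses for the multiple credentials file (`region,access_key_id,secret_access_key[,role_arn]`) is an assumption, since the page names the fields but not their layout; the identifier shapes it checks (region names, 20-character access key IDs, 40-character secret keys, IAM role ARNs of the form `arn:aws:iam::<12-digit account id>:role/<name>`, IAM name rules) are the publicly documented AWS formats. The sample file content is constructed and uses AWS's documented example key values.

```python
"""Pre-flight checks for CDV-style AWS credential settings (added example, not CDV code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Publicly documented AWS identifier shapes (general AWS formats, not CDV-specific).
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")             # us-east-1, us-gov-west-1, ...
ACCESS_KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")        # 20 chars; AKIA long-term, ASIA temporary
ROLE_ARN_RE = re.compile(r"^arn:aws(-[a-z]+)?:iam::(\d{12}):role/[\w+=,.@/-]+$")
IAM_NAME_RE = re.compile(r"^[\w+=,.@-]{1,64}$")                    # IAM user/role name charset and length
SECRET_KEY_LEN = 40                                                # AWS secret access keys are 40 characters


@dataclass
class CredentialEntry:
    """One line of the multiple-credentials file."""
    region: str
    access_key_id: str
    secret_access_key: str
    role_arn: Optional[str] = None  # role CDV should assume when using this entry


def validate_role_arn(arn: str) -> Optional[str]:
    """Return the 12-digit account ID when `arn` is a well-formed IAM role ARN, else None."""
    match = ROLE_ARN_RE.match(arn)
    return match.group(2) if match else None


def parse_multiple_credentials(text: str) -> Tuple[List[CredentialEntry], List[str]]:
    """Parse a multiple-credentials file into valid entries plus per-line error messages.

    ASSUMED layout (the page names the fields but not their layout): one entry per line,
    comma-separated: region,access_key_id,secret_access_key[,role_arn]
    Blank lines and '#' comments are ignored; role names containing commas are not
    supported by this layout. Lines with errors are reported and skipped, never applied.
    """
    entries: List[CredentialEntry] = []
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) not in (3, 4):
            errors.append(f"line {lineno}: expected 3 or 4 comma-separated fields, got {len(fields)}")
            continue
        region, key_id, secret = fields[:3]
        role_arn = fields[3] if len(fields) == 4 and fields[3] else None
        line_errors: List[str] = []
        if not REGION_RE.match(region):
            line_errors.append(f"line {lineno}: '{region}' is not a valid AWS region name")
        if not ACCESS_KEY_ID_RE.match(key_id):
            line_errors.append(f"line {lineno}: access key ID is not a 20-character AKIA/ASIA identifier")
        if len(secret) != SECRET_KEY_LEN:
            line_errors.append(f"line {lineno}: secret access key should be {SECRET_KEY_LEN} characters")
        if role_arn is not None and validate_role_arn(role_arn) is None:
            line_errors.append(f"line {lineno}: role ARN must look like arn:aws:iam::<account-id>:role/<name>")
        if line_errors:
            errors.extend(line_errors)
        else:
            entries.append(CredentialEntry(region, key_id, secret, role_arn))
    return entries, errors


def validate_single_credentials(*, use_ec2_instance_credentials: bool, access_key_id: str = "",
                                secret_access_key: str = "", enable_role_assumption: bool = False,
                                role_arn: str = "") -> List[str]:
    """Check the Single credential fields the way the settings window constrains them."""
    errors: List[str] = []
    if use_ec2_instance_credentials:
        return errors  # keys come from the instance; the static-key fields are hidden and unused
    if not ACCESS_KEY_ID_RE.match(access_key_id):
        errors.append("AWS access key ID is not a 20-character AKIA/ASIA identifier")
    if len(secret_access_key) != SECRET_KEY_LEN:
        errors.append(f"AWS secret access key should be {SECRET_KEY_LEN} characters")
    if enable_role_assumption and validate_role_arn(role_arn) is None:
        errors.append("Enable AWS Role Assumption is set but AWS Role ARN is not a valid IAM role ARN")
    return errors


def validate_organization_settings(*, discovery_for_organization: bool, role_name: str = "",
                                   operations_role_arn: str = "") -> List[str]:
    """Check the Organization-level fields; they are disabled when the checkbox is cleared."""
    errors: List[str] = []
    if not discovery_for_organization:
        return errors
    if not IAM_NAME_RE.match(role_name):
        errors.append("Role name used for Discovery Organization must be a valid IAM user/role name")
    if operations_role_arn and validate_role_arn(operations_role_arn) is None:
        errors.append("Role ARN used for Operations of Organizations is not a valid IAM role ARN")
    return errors


# Constructed sample file; key values are AWS's documented example credentials, not real ones.
SAMPLE_MULTI_CREDENTIALS = """\
# region,access_key_id,secret_access_key[,role_arn]
us-east-1,AKIAIOSFODNN7EXAMPLE,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
eu-west-1,AKIAIOSFODNN7EXAMPLE,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY,arn:aws:iam::123456789012:role/CDVDiscovery
mars-north-9,AKIAIOSFODNN7EXAMPLE,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
us-west-2,not-a-key,short,arn:aws:iam::12:role/Bad
"""

if __name__ == "__main__":
    ok, problems = parse_multiple_credentials(SAMPLE_MULTI_CREDENTIALS)
    print(f"{len(ok)} usable entries, {len(problems)} problems")
    for problem in problems:
        print("  -", problem)
```

Run the file directly to see the two usable entries and four reported problems from the sample; in practice you would point `parse_multiple_credentials` at the file before dragging it onto the Multiple credentials file box, and run the two `validate_*` helpers against the values you intend to enter in the Single credential and Organization fields.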