AWS Authentication
  • 02 Oct 2024
  • Dark
    Light
  • PDF

AWS Authentication

  • Dark
    Light
  • PDF

Article summary

Authenticating AWS Adapters

This document will go through the steps for authenticating any AWS Adapter with AWS Authentication techniques. Properly configuring the properties for an adapter in IAP is critical for getting the adapter online. You can read more about adapter authentication HERE.

AWS Authentication

The AWS Adapters requires AWS Authentication, the auth_method should be set to aws_authentication. The adapter utilizes AWS signature 4 authentication. There are 3 flavors of doing this.

The first way is using a "service" account and its AWS keys to authentication as that account. In this case, you will get the aws_access_key, aws_secret_key, and aws_session_token from AWS and configure them into the adapter service instance as shown below.

The second way is using AWS STS. this still requires a "service" account and its AWS keys to authentication as that account. In this case, you will get the aws_access_key, aws_secret_key, and aws_session_token from AWS and configure them into the adapter service instance as shown below. In addition, you will provide STS paramaters in the workflow tasks that tell the adapter the role you want used on the particular call.

The third authentication method is to use an IAM role. With this method, you do not need any authentication keys as the adapter will utilize an "internal" AWS call to get the things that it needs for authentication. Since the adapter needs to make the call to this "internal" AWS IP address, the IAP server needs to be where it has access to that address or you will not be able to use this method.

If you change authentication methods, you should change this section accordingly and merge it back into the adapter repository.

AWS Signature 4 Service Account Authentication

The AWS Adapters requires AWS Signature 4 Authentication. If you change authentication methods, you should change this section accordingly and merge it back into the adapter repository.

STEPS

  1. Ensure you have access to the Amazon Service
  2. Follow the steps in the README.md to import the adapter into IAP if you have not already done so
  3. Use the properties below for the properties.authentication field
"authentication": {
  "auth_method": "aws_authentication",
  "aws_access_key": "aws_access_key",
  "aws_secret_key": "aws_secret_key",
  "aws_session_token": "aws_session_token"
} f

you can leave all of the other properties in the authentication section, they will not be used for AWS authentication.
4. Restart the adapter. If your properties were set correctly, the adapter should go online.

AWS Security Token Service

The AWS Adapters also supports AWS Security Token Service (STS) Authentication. For using this authentication, you need to use the calls in the Adapter that have the STSRole suffix on them and pass the STS information into the method.

{
  "RoleArn": "arn:aws:iam::1234567:role/my_role",
  "RoleSessionName": "mySession"
}

The AWS STS Authentication goes to the AWS STS Service endpoint in order to validate that the primary "service" account the adapter has authenticated with has the permission to assume the role. This call is made to sts.amazonaws.com or a regional sts sevice (e.g. sts.us-east-1.amazonaws.com). By default traffic to these endpoints will go out through the Internet. In the case where you would prefer these route through your network, it is possible to change the STS config for the adapter. The proxy field should point to the AWS loadbalancer or a proxy server that forwards to AWS STS. In Itential Cloud, this can be NAT'd to your network. In addition to this, you may need to set the endpoint in order to have the STS SSL certificate validated successfully. By default the adapter will use sts regional servers. If the loadbalancer and proxy are set up for that you should be fine. If however, they point to the global STS service (sts.amazonaws.com) You will need to set the global as the endpoint or the STS certificate will be rejected due to the hosts not matching.

"authentication": {
  "aws_sts": {
    "endpoint": "<sts certificate endpoint>",
    "proxy": "<proxy/loadbalancer ip>",
  }
}

AWS IAM Role

The AWS Adapters also supports AWS IAM Role Authentication. For using this authentication, you need to use the calls in the Adapter that have the STSRole suffix on them and pass the RoleName into the method.

"authentication": {
  "auth_method": "aws_authentication",
  "aws_iam_role": "role_arn"
}

AMAZON STEPS FOR IAM ROLE

Increase number of hops if running IAP inside of docker on an AWS instance

aws sso login --profile aws-bota-1
<export aws keys for CLI access>

Amazon ec2 modify-instance-metadata-options  --instance-id i-0e150236026b7c45d  --http-put-response-hop-limit 3 --http-endpoint enabled --region us-east-1

Create a new role and attach to it policies:

  • go to your instance, select it
  • Actions->Security->Modify IAM Role
  • Click 'Create New IAM Role'
  • Create a role:
Trusted entity type: AWS service
Use Case: <service>

Add needed policies to the role

Save the role

Go back to and Actions->Security->Modify IAM Role, associate newly created role with your instance

Troubleshooting

  • Make sure you copied over the correct access key, secret key and session token.
  • Turn on debug level logs for the adapter in IAP Admin Essentials.
  • Turn on auth_logging for the adapter in IAP Admin Essentials (adapter properties).
  • Investigate the logs - in particular:
    • The FULL REQUEST log to make sure the proper headers are being sent with the request.
    • The FULL BODY log to make sure the payload is accurate.
    • The CALL RETURN log to see what the other system is telling us.
  • Credentials should be ** masked ** by the adapter so make sure you verify the username and password - including that there are erroneous spaces at the front or end.
  • Remember when you are done to turn auth_logging off as you do not want to log credentials.
  • For IAM, you can run this on the IAP server to verify you are getting to the "internal" AWS Server
TOKEN=`curl -v -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-EC2-metadata-token-ttl-seconds: 21600"` && curl -v -H "X-aws-EC2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/iam/security-credentials/<rolename>

Was this article helpful?

What's Next
Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.