Amazon Web Services (AWS)


AWS connections to the CipherTrust Manager can be configured either through the GUI or with the ksctl command-line tool, as described in the following sections:

Managing AWS Connections using GUI

  • Access Key ID - an access key is a long-term credential for an AWS account root user. An access key consists of two parts: an access key ID and a secret access key (much like a user name and password). This is the user name part.

  • Secret Access Key - this is the password part of the access key. Select the Show Secret Access Key check box to view the secret as plain text.

  • Cloud Name - the name of the AWS cloud to connect to. Currently, only the following options are available:

    • AWS

    • AWS-US-GOV

    • AWS-CN

  • Assume Role - the ARN of the AWS IAM role to assume. For more details, refer to the AWS documentation (see "Identity and Access Management (IAM) role").

  • Assume Role External ID - the external ID for an IAM role in AWS (Assume Role). Use this when you need to give a third party access to your AWS resources. For more details, refer to the AWS documentation (see "Identity and Access Management (IAM) role").

Click Next to move to the next step.

Before adding a new AWS connection, ensure that the time on the CipherTrust Manager and on AWS is in sync. To change the time on the CipherTrust Manager, use the NTP server or run the date or timedatectl command.

Managing AWS Connections using ksctl

The following operations can be performed:

  • Create/Get/Update/Delete an AWS connection

  • List all AWS connections

  • Test an existing AWS connection

  • Test the new AWS connection parameters before establishing the connection

Creating an AWS Connection

When creating an AWS connection, you can specify the AWS Security Token Service (AWS STS) endpoints. By default, the AWS STS is available as a global service, and all AWS STS requests go to a single endpoint at https://sts.amazonaws.com. The global requests map to the US East (N. Virginia) Region, us-east-1.

The valid values are:

  • Legacy (default): Uses the global AWS STS endpoint, sts.amazonaws.com.

  • Regional: The SDK or tool always uses the AWS STS endpoint for the currently configured Region. This is the recommended setting to reduce latency, build in redundancy, and increase session token validity.

To know more about AWS STS, refer to Managing AWS STS in an AWS Region.

Note

When connectivity to the global AWS STS endpoint is unavailable, set aws_sts_regional_endpoints to a reachable regional AWS STS endpoint.

Syntax

ksctl connectionmgmt aws create --name <connection-name> --clientid <access-key-id> --secret <aws-client-secret> --assumerolearn <assume-role-arn> --assumeroleexternalid <assume-role-external-id> --cloudname <cloud-name> --description <description> --meta <key:value> --products <products-names> --json-file <connection-information-in-JSON-format-via-file>

Example

ksctl connectionmgmt aws create --name aws-connection --clientid AKIAJBLNQGTQFOWDRSRQ --secret DHZc9bi/rrJZW3PRfWrkgn3KYVMDyI1bnedKPmlwU

Response

{
    "id": "7b736162-3330-49f3-b631-044e107df033",
    "uri": "kylo:kylo:connectionmgmt:connections:aws-connection-7b736162-3330-49f3-b631-044e107df033",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2022-08-17T08:46:58.29948682Z",
    "channel": "",
    "updatedAt": "2022-08-17T08:46:58.296588992Z",
    "service": "aws",
    "category": "cloud",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "aws-connection",
    "access_key_id": "AKIAJBLNQGTQFOWDRSRQ",
    "cloud_name": "aws",
    "aws_sts_regional_endpoints": "legacy",
    "aws_region": "us-east-1"
}

Getting Details of an AWS Connection

To get details of an AWS connection, run:

Syntax

ksctl connectionmgmt aws get --id <connection-name/Id>

Example

ksctl connectionmgmt aws get --id 5c7a0dab-6358-42dd-8809-257a96f0c010

Response

{
    "id": "5c7a0dab-6358-42dd-8809-257a96f0c010",
    "uri": "kylo:kylo:connectionmgmt:connections:aws-connection-5c7a0dab-6358-42dd-8809-257a96f0c010",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2022-08-22T08:35:45.766632Z",
    "updatedAt": "2022-08-22T08:43:25.392906Z",
    "service": "aws",
    "category": "cloud",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "aws-connection",
    "access_key_id": "AKIAJBLNQGTQFOWDRSRQ",
    "cloud_name": "aws",
    "aws_sts_regional_endpoints": "legacy",
    "aws_region": "us-east-1"
}

Updating an AWS Connection

To update an AWS connection, run:

Syntax

ksctl connectionmgmt aws modify --id <connection-name/Id> --clientid <access-key-id> --secret <aws-client-secret> --assumerolearn <assume-role-arn> --assumeroleexternalid <assume-role-external-id> --cloudname <cloud-name> --description  <description> --meta <key:value> --products <products-names> --json-file <connection-information-in-JSON-format-via-file>

Example

ksctl connectionmgmt aws modify --id 5c7a0dab-6358-42dd-8809-257a96f0c010 --clientid newclientid

Response

{
    "id": "5c7a0dab-6358-42dd-8809-257a96f0c010",
    "uri": "kylo:kylo:connectionmgmt:connections:aws-connection-5c7a0dab-6358-42dd-8809-257a96f0c010",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2022-08-22T08:35:45.766632Z",
    "updatedAt": "2022-08-22T08:42:46.803919148Z",
    "service": "aws",
    "category": "cloud",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "aws-connection",
    "access_key_id": "newclientid",
    "cloud_name": "aws",
    "aws_sts_regional_endpoints": "legacy",
    "aws_region": "us-east-1"
}

Deleting an AWS Connection

To delete an AWS connection, run:

Syntax

ksctl connectionmgmt aws delete --id <connection-name/Id>

Example

ksctl connectionmgmt aws delete --id 5c7a0dab-6358-42dd-8809-257a96f0c010

There will be no response if the AWS connection is deleted successfully.

Getting List of AWS Connections

To list all the AWS connections, run:

Syntax

ksctl connectionmgmt aws list

Example

ksctl connectionmgmt aws list

Response

{
    "skip": 0,
    "limit": 10,
    "total": 1,
    "resources": [
        {
            "id": "5c7a0dab-6358-42dd-8809-257a96f0c010",
            "uri": "kylo:kylo:connectionmgmt:connections:aws-connection-5c7a0dab-6358-42dd-8809-257a96f0c010",
            "account": "kylo:kylo:admin:accounts:kylo",
            "createdAt": "2022-08-22T08:35:45.766632Z",
            "updatedAt": "2022-08-22T08:43:25.392906Z",
            "service": "aws",
            "category": "cloud",
            "last_connection_ok": null,
            "last_connection_at": "0001-01-01T00:00:00Z",
            "name": "aws-connection",
            "access_key_id": "AKIAJBLfdgTQFOWDRSRQ",
            "cloud_name": "aws",
            "aws_sts_regional_endpoints": "legacy",
            "aws_region": "us-east-1"
        }
    ]
}

Testing an Existing AWS Connection

To test an existing AWS connection, run:

Syntax

ksctl connectionmgmt aws test --id <connection-name/Id>

Example

ksctl connectionmgmt aws test --id 5c7a0dab-6358-42dd-8809-257a96f0c010

Response

{
    "connection_ok": true
}

Testing a New AWS Connection

To test the parameters of a new AWS connection, run:

Syntax

ksctl connectionmgmt aws test --clientid <access-key-id> --secret <aws-client-secret> --assumerolearn <assume-role-arn> --assumeroleexternalid <assume-role-external-id> --cloudname <cloud-name>

Example

ksctl connectionmgmt aws test --clientid AKIAJBLNQGTQFOWDRSRQ --secret DHZc9bi/rrJZW3PRfWrkgn3KYVMDyI1bnedKPmlwU

Response

{
    "connection_ok": true
}