Amazon Web Services (AWS)
AWS connections to the CipherTrust Manager can be configured using the following:
Managing AWS Connections using GUI
Access Key ID - an access key is a long-term credential for an AWS account root user. An access key consists of two parts: an access key ID and a secret access key (much like a user name and password). The access key ID is the user name part.
Secret Access Key - this is the password part of the access key. Select the Show Secret Access Key check box to view the password in clear text.
Cloud Name - the name of the AWS cloud to connect to. Currently, only the following options are available:
AWS
AWS-US-GOV
AWS-CN
Assume Role - the AWS Assume Role. For more details, refer to the AWS documentation (see "Identity and Access Management (IAM) role").
Assume Role External ID - the external ID for an IAM role in AWS (Assume Role). Use it when you need to give a third party access to your AWS resources. For more details, refer to the AWS documentation (see "Identity and Access Management (IAM) role").
Note
Before adding a new AWS connection, ensure that the time on the CipherTrust Manager and AWS is in sync. To change the time on the CipherTrust Manager, run the date or timedatectl command.
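The Assume Role External ID field described above only has an effect if the trust policy of the role in AWS requires that ID. The following check is an added example, not part of the CipherTrust documentation; the sample policies, account ID, user name and external ID are constructed placeholders.

```python
import json

def _as_list(value):
    """IAM allows a single value or a list in most fields."""
    return value if isinstance(value, list) else [value]

def external_id_findings(trust_policy, expected_external_id):
    """Check every Allow statement granting sts:AssumeRole for an ExternalId condition."""
    findings = []
    for idx, stmt in enumerate(_as_list(trust_policy.get("Statement", []))):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not {"sts:assumerole", "sts:*", "*"} & set(actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in aws_principals:
            findings.append(f"statement {idx}: any AWS principal may assume the role")
        # Condition key names are case-insensitive in IAM; only StringEquals is accepted here.
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        allowed_ids = [v for k, vals in string_equals.items()
                       if k.lower() == "sts:externalid" for v in _as_list(vals)]
        if not allowed_ids:
            findings.append(f"statement {idx}: no sts:ExternalId condition")
        elif expected_external_id not in allowed_ids:
            findings.append(f"statement {idx}: sts:ExternalId does not match the connection")
    return findings

# Constructed sample trust policies; account ID, user name and external ID are placeholders.
WITH_EXTERNAL_ID = json.loads("""
{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:user/ciphertrust-connection"},
  "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
""")
WITHOUT_EXTERNAL_ID = json.loads("""
{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": "sts:AssumeRole"}]}
""")

if __name__ == "__main__":
    for label, policy in (("with", WITH_EXTERNAL_ID), ("without", WITHOUT_EXTERNAL_ID)):
        print(label, external_id_findings(policy, "example-external-id"))
```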
Managing AWS Connections using ksctl
The following operations can be performed:
Create/Get/Update/Delete an AWS connection
List all AWS connections
Test an existing AWS connection
Test the new AWS connection parameters before establishing the connection
Creating an AWS Connection
To create an AWS connection, run:
Syntax
ksctl connectionmgmt aws create --name <connection-name> --clientid <access-key-id> --secret <aws-client-secret> --assumerolearn <assume-role-arn> --assumeroleexternalid <assume-role-external-id> --cloudname <cloud-name> --description <description> --meta <key:value> --products <products-names> --json-file <connection-information-in-JSON-format-via-file>
Example
ksctl connectionmgmt aws create --name aws-connection --clientid AKIAJBLNQGTQFOWDRSRQ --secret DHZc9bi/rrJZW3PRfWrkgn3KYVMDyI1bnedKPmlwU
Response
{
    "id": "7b736162-3330-49f3-b631-044e107df033",
    "uri": "kylo:kylo:connectionmgmt:connections:aws-connection-7b736162-3330-49f3-b631-044e107df033",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2022-08-17T08:46:58.29948682Z",
    "channel": "",
    "updatedAt": "2022-08-17T08:46:58.296588992Z",
    "service": "aws",
    "category": "cloud",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "aws-connection",
    "access_key_id": "AKIAJBLNQGTQFOWDRSRQ",
    "cloud_name": "aws",
    "aws_sts_regional_endpoints": "legacy",
    "aws_region": "us-east-1"
}
Getting Details of an AWS Connection
To get details of an AWS connection, run:
Syntax
ksctl connectionmgmt aws get --id <connection-name/Id>
Example
ksctl connectionmgmt aws get --id 5c7a0dab-6358-42dd-8809-257a96f0c010
Response
{
    "id": "5c7a0dab-6358-42dd-8809-257a96f0c010",
    "uri": "kylo:kylo:connectionmgmt:connections:aws-connection-5c7a0dab-6358-42dd-8809-257a96f0c010",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2022-08-22T08:35:45.766632Z",
    "updatedAt": "2022-08-22T08:43:25.392906Z",
    "service": "aws",
    "category": "cloud",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "aws-connection",
    "access_key_id": "AKIAJBLNQGTQFOWDRSRQ",
    "cloud_name": "aws",
    "aws_sts_regional_endpoints": "legacy",
    "aws_region": "us-east-1"
}
Updating an AWS Connection
To update an AWS connection, run:
Syntax
ksctl connectionmgmt aws modify --id <connection-name/Id> --clientid <access-key-id> --secret <aws-client-secret> --assumerolearn <assume-role-arn> --assumeroleexternalid <assume-role-external-id> --cloudname <cloud-name> --description <description> --meta <key:value> --products <products-names> --json-file <connection-information-in-JSON-format-via-file>
Example
ksctl connectionmgmt aws modify --id 5c7a0dab-6358-42dd-8809-257a96f0c010 --clientid newclientid
Response
{
    "id": "5c7a0dab-6358-42dd-8809-257a96f0c010",
    "uri": "kylo:kylo:connectionmgmt:connections:aws-connection-5c7a0dab-6358-42dd-8809-257a96f0c010",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2022-08-22T08:35:45.766632Z",
    "updatedAt": "2022-08-22T08:42:46.803919148Z",
    "service": "aws",
    "category": "cloud",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "aws-connection",
    "access_key_id": "newclientid",
    "cloud_name": "aws",
    "aws_sts_regional_endpoints": "legacy",
    "aws_region": "us-east-1"
}
Deleting an AWS Connection
To delete an AWS connection, run:
Syntax
ksctl connectionmgmt aws delete --id <connection-name/Id>
Example
ksctl connectionmgmt aws delete --id 5c7a0dab-6358-42dd-8809-257a96f0c010
There will be no response if the AWS connection is deleted successfully.
Getting List of AWS Connections
To list all the AWS connections, run:
Syntax
ksctl connectionmgmt aws list
Example
ksctl connectionmgmt aws list
Response
{
    "skip": 0,
    "limit": 10,
    "total": 1,
    "resources": [
        {
            "id": "5c7a0dab-6358-42dd-8809-257a96f0c010",
            "uri": "kylo:kylo:connectionmgmt:connections:aws-connection-5c7a0dab-6358-42dd-8809-257a96f0c010",
            "account": "kylo:kylo:admin:accounts:kylo",
            "createdAt": "2022-08-22T08:35:45.766632Z",
            "updatedAt": "2022-08-22T08:43:25.392906Z",
            "service": "aws",
            "category": "cloud",
            "last_connection_ok": null,
            "last_connection_at": "0001-01-01T00:00:00Z",
            "name": "aws-connection",
            "access_key_id": "AKIAJBLfdgTQFOWDRSRQ",
            "cloud_name": "aws",
            "aws_sts_regional_endpoints": "legacy",
            "aws_region": "us-east-1"
        }
    ]
}
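The list response can be post-processed to find connections that need attention: a page that does not cover all connections, connections that were never tested or whose last test failed, and one access key shared by several connections. This Python script is an added example, not part of ksctl or the CipherTrust documentation; it assumes that last_connection_ok and last_connection_at are updated by the test operation, and its sample data (IDs, names, key IDs) is constructed.

```python
import json
from collections import defaultdict

ZERO_TIME = "0001-01-01T00:00:00Z"  # last_connection_at value shown in the responses on this page

# Constructed sample shaped like the list response on this page (IDs, names, key IDs made up).
SAMPLE = json.loads("""
{"skip": 0, "limit": 3, "total": 4, "resources": [
  {"id": "00000000-0000-0000-0000-000000000001", "name": "aws-prod",
   "access_key_id": "AKIAEXAMPLEKEY000001",
   "last_connection_ok": true, "last_connection_at": "2022-08-22T08:43:25Z"},
  {"id": "00000000-0000-0000-0000-000000000002", "name": "aws-staging",
   "access_key_id": "AKIAEXAMPLEKEY000001",
   "last_connection_ok": false, "last_connection_at": "2022-08-22T09:00:00Z"},
  {"id": "00000000-0000-0000-0000-000000000003", "name": "aws-new",
   "access_key_id": "AKIAEXAMPLEKEY000002",
   "last_connection_ok": null, "last_connection_at": "0001-01-01T00:00:00Z"}]}
""")

def audit_connections(listing):
    """Return (subject, finding) pairs for a parsed list response."""
    findings = []
    resources = listing.get("resources", [])
    seen = listing.get("skip", 0) + len(resources)
    if listing.get("total", 0) > seen:
        findings.append(("*", f"page covers {seen} of {listing['total']} connections"))
    by_key = defaultdict(list)
    for conn in resources:
        name = conn.get("name") or conn.get("id")
        by_key[conn.get("access_key_id")].append(name)
        # Assumption: the zero timestamp means the connection was never tested.
        if conn.get("last_connection_at", ZERO_TIME) == ZERO_TIME:
            findings.append((name, "never tested"))
        elif conn.get("last_connection_ok") is not True:
            findings.append((name, "last test failed"))
    for key_id, names in by_key.items():
        if key_id and len(names) > 1:
            findings.append((key_id, "access key shared by " + ", ".join(names)))
    return findings

if __name__ == "__main__":
    for subject, finding in audit_connections(SAMPLE):
        print(f"{subject}: {finding}")
```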
Testing an Existing AWS Connection
To test an existing AWS connection, run:
Syntax
ksctl connectionmgmt aws test --id <connection-name/Id>
Example
ksctl connectionmgmt aws test --id 5c7a0dab-6358-42dd-8809-257a96f0c010
Response
{
    "connection_ok": true
}
Testing a New AWS Connection
To test the parameters of a new AWS connection, run:
Syntax
ksctl connectionmgmt aws test --clientid <access-key-id> --secret <aws-client-secret> --assumerolearn <assume-role-arn> --assumeroleexternalid <assume-role-external-id> --cloudname <cloud-name>
Example
ksctl connectionmgmt aws test --clientid AKIAJBLNQGTQFOWDRSRQ --secret DHZc9bi/rrJZW3PRfWrkgn3KYVMDyI1bnedKPmlwU
Response
{
    "connection_ok": true
}