Amazon Web Services (AWS)
AWS connections to the CipherTrust Manager can be configured using the following:
Note
Before adding a new AWS connection, ensure that time on the CipherTrust Manager and AWS is in sync. To change the time on the CipherTrust Manager, use the NTP server or run the date or timedatectl command.
When creating an AWS connection, you can specify the AWS Security Token Service (AWS STS) endpoints. By default, the AWS STS is available as a global service, and all AWS STS requests go to a single endpoint at https://sts.amazonaws.com. The global requests map to the US East (N. Virginia) Region, us-east-1.
The valid values are:
Legacy (default): Uses the global AWS STS endpoint, sts.amazonaws.com.
Regional: The SDK or tool always uses the AWS STS endpoint for the currently configured Region. This is the recommended setting to reduce latency, build in redundancy, and increase session token validity.
To know more about AWS STS, refer to Managing AWS STS in an AWS Region.
Note
When the CipherTrust Manager is in AWS VPC (that is, connectivity to the global AWS STS endpoint is unavailable), for creating IAM Roles Anywhere connections, you need to create:
Endpoints for STS, EC2, KMS, and IAM role.
Regional AWS connection with the same region from where the CipherTrust Manager instance is launched.
When connectivity to the global AWS STS endpoint is unavailable, set aws_sts_regional_endpoints to a reachable regional AWS STS endpoint.
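The STS endpoint selection above decides which host a connection will sign its STS calls against, and the VPC note means a "legacy" connection can silently point at a host the CipherTrust Manager cannot reach. The following Python script is an added example (not part of the Thales documentation or ksctl) that resolves the STS host from the cloud_name, aws_region and aws_sts_regional_endpoints fields of a `ksctl connectionmgmt aws list` response, flags connections still on the legacy global endpoint, and models the VPC-isolated case with a global_reachable flag. The cloud-name strings and the DNS suffixes per partition are assumptions of the example; the sample list response is constructed, not real output.

```python
import json

# DNS suffix per partition. The cloud-name spellings are the page's GUI
# options lower-cased with hyphens; the exact strings ksctl accepts are an
# assumption of this example.
_PARTITION_SUFFIX = {
    "aws": "amazonaws.com",
    "aws-us-gov": "amazonaws.com",
    "aws-china": "amazonaws.com.cn",
}
GLOBAL_STS_ENDPOINT = "sts.amazonaws.com"  # what the "legacy" setting selects


def sts_endpoint(cloud_name, region, mode, global_reachable=True):
    """Return the STS host a connection resolves to.

    mode is the aws_sts_regional_endpoints value ("legacy" or "regional").
    global_reachable=False models a CipherTrust Manager inside a VPC with no
    route to the global endpoint, the case the documentation's note describes.
    """
    cloud = cloud_name.lower().replace(" ", "-")
    mode = mode.lower()
    if cloud not in _PARTITION_SUFFIX:
        raise ValueError(f"unknown cloud name: {cloud_name}")
    regional = f"sts.{region}.{_PARTITION_SUFFIX[cloud]}"
    if mode == "regional":
        return regional
    if mode != "legacy":
        raise ValueError(f"unknown aws_sts_regional_endpoints value: {mode}")
    if cloud != "aws":
        # Assumption: the China and GovCloud partitions have no global STS
        # endpoint, so a legacy setting is resolved to the regional host.
        return regional
    if not global_reachable:
        raise ValueError(
            "legacy selects sts.amazonaws.com, which is unreachable from this "
            "VPC; set aws_sts_regional_endpoints to regional")
    return GLOBAL_STS_ENDPOINT


def audit_connections(list_response_json, global_reachable=True):
    """Walk a `ksctl connectionmgmt aws list` response and report the STS host
    each connection resolves to, whether it still uses the legacy global
    endpoint (regional is the recommended setting), and any resolution problem."""
    findings = []
    for conn in json.loads(list_response_json)["resources"]:
        mode = conn.get("aws_sts_regional_endpoints", "legacy")
        host, problem = None, None
        try:
            host = sts_endpoint(conn["cloud_name"], conn["aws_region"],
                                mode, global_reachable)
        except ValueError as exc:
            problem = str(exc)
        findings.append({"name": conn["name"], "sts_host": host,
                         "uses_legacy_global": host == GLOBAL_STS_ENDPOINT,
                         "problem": problem})
    return findings


# Constructed sample in the shape of the list response (not real output).
SAMPLE_LIST = json.dumps({"skip": 0, "limit": 10, "total": 3, "resources": [
    {"name": "aws-connection", "cloud_name": "aws", "aws_region": "us-east-1",
     "aws_sts_regional_endpoints": "legacy"},
    {"name": "eu-regional", "cloud_name": "aws", "aws_region": "eu-west-1",
     "aws_sts_regional_endpoints": "regional"},
    {"name": "cn-connection", "cloud_name": "aws-china", "aws_region": "cn-north-1",
     "aws_sts_regional_endpoints": "regional"},
]})

if __name__ == "__main__":
    for finding in audit_connections(SAMPLE_LIST):
        print(finding)
    # The same connections as seen from a VPC-isolated CipherTrust Manager.
    for finding in audit_connections(SAMPLE_LIST, global_reachable=False):
        print(finding)
```

Pipe the real list output into audit_connections and treat any entry with uses_legacy_global set, or with a non-empty problem, as a connection to switch to the regional setting.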
Managing AWS Connections using GUI
Access Key ID - an access key is a long-term credential for an AWS account root user. An access key consists of two parts, an access key ID and a secret access key (analogous to a user name and password). This is the user name part.
Secret Access Key - this is the password part of the access key. Select the Show Secret Access Key check box to view the password as open text.
Cloud Name - the name of the AWS cloud to connect to. Currently, only the following options are available:
AWS
AWS China
AWS-US-GOV
AWS STS Regional Endpoints - Specify the AWS STS endpoints.
Assume Role - the AWS Assume Role. For more details, refer to the AWS documentation.
Assume Role External ID - the external ID for an IAM role in AWS (Assume Role). This is something that you may want to use when you need to give access to your AWS resources to a third party. For more details, refer to the AWS documentation.
For IAM Roles Anywhere, select the IAM Roles Anywhere checkbox and provide the following information:
Cloud Name - the name of the AWS cloud to connect to. Currently, only the following options are available:
AWS
AWS China
AWS STS Regional Endpoints - Specify the AWS STS endpoints.
Assume Role - the AWS Assume Role. For more details, refer to the AWS documentation.
Assume Role External ID - the external ID for an IAM role in AWS (Assume Role). This is something that you may want to use when you need to give access to your AWS resources to a third party. For details, refer to AWS documentation.
Click next to proceed to IAM Configuration tab and provide the following details:
Certificate - either upload the external certificate or paste the certificate content.
File Upload - select and click Certificate Upload to upload the certificate from your machine.
Text - select and paste the certificate content in the text field.
Private Key - specify the private key associated with the certificate.
Role - specify AWS IAM Anywhere Role ARN.
Profile - specify AWS IAM Anywhere Profile ARN.
Trust Anchor - specify AWS IAM Anywhere Trust Anchor ARN.
Click Test Credentials to check whether the connection is configured correctly. If the test is successful, the status is OK; otherwise, the status is Fail.
Click Next to move to the Add Products screen of the Add Connection wizard.
Managing AWS Connections using ksctl
When you interact with AWS, you specify your AWS security credentials to verify who you are and whether you have permission to access the resources that you are requesting. AWS uses the security credentials to authenticate and authorize your requests.
There are different types of users in AWS. All AWS users have security credentials. There is the account owner (root user), users in AWS IAM Identity Center (successor to AWS Single Sign-On), federated users, and IAM users.
Users can have either long-term or temporary security credentials. For more details, refer to AWS security credentials.
The following operations can be performed:
Create/Get/Update/Delete an AWS connection
List all AWS connections
Test an existing AWS connection
Test the new AWS connection parameters before establishing the connection
Creating an AWS Connection
In AWS, the Root user, IAM user, and access keys have long-term security credentials that do not expire. Long-term credentials are persistent and can be used to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. It's important to note that these credentials have significant power and should be protected and managed carefully, as they provide full access to the associated AWS account.
When creating an AWS connection, you can specify the AWS Security Token Service (AWS STS) endpoints.
Syntax
ksctl connectionmgmt aws create --name <connection-name> --clientid <access-key-id> --secret <aws-client-secret> --assumerolearn <assume-role-arn> --assumeroleexternalid <assume-role-external-id> --cloudname <cloud-name> --description <description> --meta <key:value> --products <products-names> --json-file <connection-information-in-JSON-format-via-file>
Example
ksctl connectionmgmt aws create --name aws-connection --clientid AKIAJBLNQGTQFOWDRSRQ --secret DHZc9bi/rrJZW3PRfWrkgn3KYVMDyI1bnedKPmlwU
Response
{
"id": "7b736162-3330-49f3-b631-044e107df033",
"uri": "kylo:kylo:connectionmgmt:connections:aws-connection-7b736162-3330-49f3-b631-044e107df033",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-08-17T08:46:58.29948682Z",
"channel": "",
"updatedAt": "2022-08-17T08:46:58.296588992Z",
"service": "aws",
"category": "cloud",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "aws-connection",
"access_key_id": "AKIAJBLNQGTQFOWDRSRQ",
"cloud_name": "aws",
"aws_sts_regional_endpoints": "legacy",
"aws_region": "us-east-1"
}
AWS Identity and Access Management (IAM) Roles Anywhere enables obtaining temporary security credentials in IAM for AWS resources such as servers, containers, and applications. The temporary security credentials are short-term and not stored with the user; they are generated dynamically and provided to the user when requested. This simplifies the signing process for the applications. For more details, refer to What is AWS Identity and Access Management Roles Anywhere and Temporary security credentials in IAM. To create an AWS connection of type IAM Roles Anywhere, run:
Syntax
ksctl connectionmgmt aws create --name <connection-name> --iamroleanywhere <path-to-json-file> --isroleanywhere true
The iamroleanywhere field defines the parameters required to create a connection of type IAM Roles Anywhere. These parameters are:
anywhere_role_arn - AWS IAM Anywhere Role ARN.
certificate - The external certificate for AWS IAM Anywhere Cloud connections.
profile_arn - AWS IAM Anywhere Profile ARN.
trust_anchor_arn - AWS IAM Anywhere Trust Anchor ARN.
private_key - The private key associated with the certificate.
Note
When the trust_anchor_arn is created using a certificate issued from the CA of the CipherTrust Manager, private_key is not required while creating an AWS connection on the same CipherTrust Manager.
The iamroleanywhere fields are defined in the "iamanywhere.json" file below.
Set the isroleanywhere parameter to true to create connections of type AWS IAM Anywhere with temporary credentials.
Example
ksctl connectionmgmt aws create --name testconnection --iamroleanywhere iamanywhere.json --isroleanywhere true
Response
{
"id": "740cff5c-44a1-4006-9e1c-d51e9ae0f4de",
"uri": "kylo:kylo:connectionmgmt:connections:testcon-740cff5c-44a1-4106-9e1c-d51e9ae0f4de",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-05-05T06:24:18.164586919Z",
"updatedAt": "2023-05-05T06:24:18.155392895Z",
"service": "aws",
"category": "cloud",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "testcon",
"cloud_name": "aws",
"aws_sts_regional_endpoints": "legacy",
"aws_region": "us-east-1",
"is_role_anywhere": true,
"iam_role_anywhere": {
"certificate": "-----BEGIN CERTIFICATE-----\nMIICATCCAYagAwIBAgIUVMghsopD+cgubEYjpvB96oOeSHwwCgYIKoZIzj0EAwQw\nXTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5ZMREwDwYDVQQHEwhOZXcgWW9yazEP\nMA0GA1UEChMGVzMQwwCgYDVQQLEwNESVMxDzANBgNVBAMTBlRoYWxlczAe\nFw0yMzAxMDMxMDE1NTBaFw0yNDAxMDMxMDE1NTBaMEQxCzAJBgNVBAYTAlVTMQ8w\nDQYDVQQKDAZUaGFsZXMxEzARBgNVBAMMClRoYWxlcy5jb20xDzANBgNVBAsMBkRJ\nU19EUzB2MBAGByqGBSuBBAAiA2IABIt5e3BVMVAdNfTGslhkhbLlqJiA\nvO0ECgAlClTwzILZalsczZ0256PVWD9+q4DXRXVzUSKMHJTvD2dfxzU3Ze9AP92h\nz7PXr+AiBcyoz03kcqd4eInt8cVbI8iA0yk1xqMgMB4wDAYDVR0TAQH/BAIwADAO\nBgNVHQ8BAf8EBAMCB4AwCgYIKoZIzj0EAwQDaQAwZgIxAO3YZ5spj2Nnkb5ycuI0\nsz4CYbt5/Akw6XCIkj676ExyhRlBHs3MnYocD1dqJIHbcgIxAPbMcFe0ntWfe+hm\nsGYqabQmzwJaewriq3qmmThs8MPx8k7F9N6sKdiC7fI8d2XAsA==\n-----END CERTIFICATE-----",
"trust_anchor_arn": "arn:aws:rolesanywhere:us-east-1:306778697945:trust-anchor/944e70c0-a0b9-4cb9-97fd-0b8ff46d43ad",
"profile_arn": "arn:aws:rolesanywhere:us-east-1:306778697945:profile/0d90fe36-1977-4ff8-886d-8c84b5a922ed",
"anywhere_role_arn": "arn:aws:iam::306778697945:role/RolesAnywhere_Tester"
}
}
iamanywhere.json
{
"anywhere_role_arn": "arn:aws:iam::301888698005:role/RolesAnywhere_Test",
"profile_arn": "arn:aws:rolesanywhere:us-east-1:306778600005:profile/0d90fe36-1977-4ff8-886d-8c84b5a922ed",
"trust_anchor_arn": "arn:aws:rolesanywhere:us-east-1:300008697945:trust-anchor/988e70c0-a0b9-4cb9-97fd-0b8ff46d53ad",
"certificate": "-----BEGIN CERTIFICATE-----\nMIICATCCAYagAwIBAgIUVMghsopD+cgubEYjpvB96oOeSHwwCgYIKoZIzj0EAwQw\nXTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5ZMREwDwYDVQQHEwhOZXcgWW9yazEP\nMA0GA1UEChMGVGhhbGVzMQwwCgYDVQQLEwNESVMxDzANBgNVBAMTBlRoYWxlczAe\nFw0yMzAxMDMxMDE1NTBaFw0yNDAxMDMxMDE1NTBaMECzAJBgNVBAYTAlVTMQ8w\nDQYDVQQKDAZUaGFsZXMxEzARBgNVBAMMClRoYWxlcy5jb20xDzANBgNVBAsMBkRJ\nU19EUzB2MBAGBqGSM49AgEGBSuBBAAiA2IABIt5e3BVMVAdNfTGslhkhbLlqJiA\nvO0ECgAlClTwzILZalsczZ0256PVWD9+q4DXRXVzUSKMHJTvD2dfxzU3Ze9AP92h\nz7PXr+AiBcyoz03kcqd4eInt8cVbI8iA0yk1xqMgMB4wDAYDVR0TAQH/BAIwADAO\nBgNVHQ8BAf8EBAMCB4AwCgYIKoZIzj0EAwQDaQAwZgIxAO3YZ5spj2Nnkb5ycuI0\nsz4CYbt5/Akw6XCIkj676ExyhRlBHs3MnYocD1dqJIHbcgIxAPbMcFe0ntWfe+hm\nsGYqabQmzwJaewriq3qmmThs8MPx8k7F9N6sKdiC7fI8d2XAsA==\n-----END CERTIFICATE-----",
"private_key": "-----BEGIN EC PARAMETERS-----\nBgUrgQQAIg==\n-----END EC PARAMETERS-----\n-----BEGIN EC PRIVATE KEY-----\nMIGkAgEBBDBZ2dIjpkmoQ5JGNjpHq0rdzKOFRDjP3nCSLhlZtrLDrhREY3CGiqX\nc/7hJFA49pugBwYFK4EEACKhZANiAASLeXtwVTFQHTX0xrJYZIWy5aiYgLztBAoA\nJQpU8MyC2WpbHM2dNuej1Vg/fquA10V1c1EijByU7w9nX8c1N2XvQD/doc+z16/g\nIgXMqM9N5HKneHiJ7fHFWyPIgNMpNcY=\n-----END EC PRIVATE KEY-----"
}
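The iamroleanywhere document above is where most Roles Anywhere connection failures originate: an ARN of the wrong kind pasted into a field, ARNs from different accounts or partitions, or a PEM block whose BEGIN and END labels disagree. The Python script below is an added example (not Thales' code and not part of ksctl) that validates such a file before it is handed to ksctl connectionmgmt aws create or test. It accepts both the flat form shown here and the form wrapped in an "iam_role_anywhere" object that the test command uses, treats private_key as optional only when the caller says the trust anchor certificate was issued by this CipherTrust Manager's CA, and checks each ARN's service and resource prefix against the shapes the documentation's examples show. The sample documents, account IDs and PEM bodies are constructed placeholders.

```python
import json
import re

# Generic ARN shape: arn:partition:service:region:account:resource
ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):(?P<service>[a-z0-9-]+):"
    r"(?P<region>[a-z0-9-]*):(?P<account>\d{12}|):(?P<resource>.+)$")

# Field -> (service, resource prefix), following the ARNs the documentation shows.
EXPECTED_ARNS = {
    "anywhere_role_arn": ("iam", "role/"),
    "profile_arn": ("rolesanywhere", "profile/"),
    "trust_anchor_arn": ("rolesanywhere", "trust-anchor/"),
}


def parse_arn(arn):
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"malformed ARN: {arn}")
    return m.groupdict()


def _pem_labels(text):
    """Return the labels of the BEGIN blocks in a PEM string, raising if the
    BEGIN and END labels do not pair up (e.g. 'EC PRIVATEKEY' vs 'EC PRIVATE KEY')."""
    begins = re.findall(r"-----BEGIN ([A-Z ]+)-----", text)
    ends = re.findall(r"-----END ([A-Z ]+)-----", text)
    if not begins or begins != ends:
        raise ValueError(f"PEM BEGIN/END labels do not match: {begins} vs {ends}")
    return begins


def validate_iamanywhere(doc, private_key_required=True):
    """Return a list of problems with an iamroleanywhere document (empty = OK)."""
    body = doc.get("iam_role_anywhere", doc)   # unwrap the test-command form
    problems = []
    for field in ("anywhere_role_arn", "profile_arn", "trust_anchor_arn", "certificate"):
        if field not in body:
            problems.append(f"missing field: {field}")
    if private_key_required and "private_key" not in body:
        problems.append("missing field: private_key (required unless the trust anchor "
                        "certificate was issued by this CipherTrust Manager's CA)")
    accounts, partitions = set(), set()
    for field, (service, prefix) in EXPECTED_ARNS.items():
        if field not in body:
            continue
        try:
            arn = parse_arn(body[field])
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if arn["service"] != service or not arn["resource"].startswith(prefix):
            problems.append(f"{field} should be an {service} {prefix[:-1]} ARN, got {body[field]}")
        accounts.add(arn["account"])
        partitions.add(arn["partition"])
    if len(accounts) > 1:
        problems.append(f"ARNs span several AWS accounts: {sorted(accounts)}")
    if len(partitions) > 1:
        problems.append(f"ARNs span several partitions: {sorted(partitions)}")
    if "certificate" in body:
        try:
            if _pem_labels(body["certificate"]) != ["CERTIFICATE"]:
                problems.append("certificate must be a single PEM CERTIFICATE block")
        except ValueError as exc:
            problems.append(str(exc))
    if "private_key" in body:
        try:
            if not any(l.endswith("PRIVATE KEY") for l in _pem_labels(body["private_key"])):
                problems.append("private_key contains no PRIVATE KEY block")
        except ValueError as exc:
            problems.append(str(exc))
    return problems


# Constructed sample documents (placeholder account IDs and PEM bodies; not real).
PLACEHOLDER_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----"
PLACEHOLDER_KEY = ("-----BEGIN EC PARAMETERS-----\nBgUrgQQAIg==\n-----END EC PARAMETERS-----\n"
                   "-----BEGIN EC PRIVATE KEY-----\nMIGk...placeholder...\n-----END EC PRIVATE KEY-----")
GOOD_DOC = {
    "anywhere_role_arn": "arn:aws:iam::123456789012:role/RolesAnywhere_Test",
    "profile_arn": "arn:aws:rolesanywhere:us-east-1:123456789012:profile/00000000-0000-0000-0000-000000000001",
    "trust_anchor_arn": "arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/00000000-0000-0000-0000-000000000002",
    "certificate": PLACEHOLDER_CERT,
    "private_key": PLACEHOLDER_KEY,
}
BAD_DOC = {"iam_role_anywhere": {
    # a profile ARN pasted where the role ARN belongs
    "anywhere_role_arn": "arn:aws:rolesanywhere:us-east-1:123456789012:profile/00000000-0000-0000-0000-000000000001",
    "profile_arn": "arn:aws:rolesanywhere:us-east-1:123456789012:profile/00000000-0000-0000-0000-000000000001",
    # trust anchor from a different account
    "trust_anchor_arn": "arn:aws:rolesanywhere:us-east-1:210987654321:trust-anchor/00000000-0000-0000-0000-000000000002",
    "certificate": PLACEHOLDER_CERT,
    # header and footer labels disagree
    "private_key": "-----BEGIN EC PRIVATEKEY-----\nMIGk...placeholder...\n-----END EC PRIVATE KEY-----",
}, "is_role_anywhere": True}

if __name__ == "__main__":
    print(json.dumps({"good": validate_iamanywhere(GOOD_DOC),
                      "bad": validate_iamanywhere(BAD_DOC)}, indent=2))
```

Run it against the real file with json.load before invoking ksctl; an empty list means the document is structurally consistent, while anything else is cheaper to fix here than to diagnose from a failed Test Credentials result.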
Getting Details of an AWS Connection
To get details of an AWS connection, run:
Syntax
ksctl connectionmgmt aws get --id <connection-name/Id>
Example
ksctl connectionmgmt aws get --id 5c7a0dab-6358-42dd-8809-257a96f0c010
Response
{
"id": "5c7a0dab-6358-42dd-8809-257a96f0c010",
"uri": "kylo:kylo:connectionmgmt:connections:aws-connection-5c7a0dab-6358-42dd-8809-257a96f0c010",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-08-22T08:35:45.766632Z",
"updatedAt": "2022-08-22T08:43:25.392906Z",
"service": "aws",
"category": "cloud",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "aws-connection",
"access_key_id": "AKIAJBLNQGTQFOWDRSRQ",
"cloud_name": "aws",
"aws_sts_regional_endpoints": "legacy",
"aws_region": "us-east-1"
}
Updating an AWS Connection
Note
When updating an AWS connection, you cannot update the connection type. That is, a connection generated with short-term credentials cannot be updated with the long-term credentials and vice versa.
To update an AWS connection, run:
Syntax
ksctl connectionmgmt aws modify --id <connection-name/Id> --clientid <access-key-id> --secret <aws-client-secret> --assumerolearn <assume-role-arn> --assumeroleexternalid <assume-role-external-id> --cloudname <cloud-name> --description <description> --meta <key:value> --products <products-names> --json-file <connection-information-in-JSON-format-via-file>
Example
ksctl connectionmgmt aws modify --id 5c7a0dab-6358-42dd-8809-257a96f0c010 --clientid newclientid
Response
{
"id": "5c7a0dab-6358-42dd-8809-257a96f0c010",
"uri": "kylo:kylo:connectionmgmt:connections:aws-connection-5c7a0dab-6358-42dd-8809-257a96f0c010",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-08-22T08:35:45.766632Z",
"updatedAt": "2022-08-22T08:42:46.803919148Z",
"service": "aws",
"category": "cloud",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "aws-connection",
"access_key_id": "newclientid",
"cloud_name": "aws",
"aws_sts_regional_endpoints": "legacy",
"aws_region": "us-east-1"
}
To update an AWS connection of type IAM Roles Anywhere, run:
Syntax
ksctl connectionmgmt aws modify --id <connection-name/id> --iamroleanywhere <path-to-json-file>
Example
ksctl connectionmgmt aws modify --id 5da3c67e-8f28-4468-b733-709c0367cee2 --iamroleanywhere update.json
Response
{
"id": "740cff5c-44a1-4006-9e1c-d51e9ae0f4de",
"uri": "kylo:kylo:connectionmgmt:connections:testcon-740cff5c-44a1-4106-9e1c-d51e9ae0f4de",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-05-05T06:24:18.164586919Z",
"updatedAt": "2023-05-05T06:24:18.155392895Z",
"service": "aws",
"category": "cloud",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "testcon",
"cloud_name": "aws",
"aws_sts_regional_endpoints": "legacy",
"aws_region": "us-east-1",
"is_role_anywhere": true,
"iam_role_anywhere": {
"certificate": "-----BEGIN CERTIFICATE-----\nMIICATCCAYagAwIBAgIUVMghsopD+cgubEYjpvB96oOeSHwwCgYIKoZIzj0EAwQw\nXTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5ZMREwDwYDVQQHEwhOZXcgWW9yazEP\nMA0GA1UEChMGVzMQwwCgYDVQQLEwNESVMxDzANBgNVBAMTBlRoYWxlczAe\nFw0yMzAxMDMxMDE1NTBaFw0yNDAxMDMxMDE1NTBaMEQxCzAJBgNVBAYTAlVTMQ8w\nDQYDVQQKDAZUaGFsZXMxEzARBgNVBAMMClRoYWxlcy5jb20xDzANBgNVBAsMBkRJ\nU19EUzB2MBAGByqGBSuBBAAiA2IABIt5e3BVMVAdNfTGslhkhbLlqJiA\nvO0ECgAlClTwzILZalsczZ0256PVWD9+q4DXRXVzUSKMHJTvD2dfxzU3Ze9AP92h\nz7PXr+AiBcyoz03kcqd4eInt8cVbI8iA0yk1xqMgMB4wDAYDVR0TAQH/BAIwADAO\nBgNVHQ8BAf8EBAMCB4AwCgYIKoZIzj0EAwQDaQAwZgIxAO3YZ5spj2Nnkb5ycuI0\nsz4CYbt5/Akw6XCIkj676ExyhRlBHs3MnYocD1dqJIHbcgIxAPbMcFe0ntWfe+hm\nsGYqabQmzwJaewriq3qmmThs8MPx8k7F9N6sKdiC7fI8d2XAsA==\n-----END CERTIFICATE-----",
"trust_anchor_arn": "arn:aws:rolesanywhere:us-east-1:306778697945:trust-anchor/944e70c0-a0b9-4cb9-97fd-0b8ff46d43ad",
"profile_arn": "arn:aws:rolesanywhere:us-east-1:306778697945:profile/0d90fe36-1977-4ff8-886d-8c84b5a922ed",
"anywhere_role_arn": "arn:aws:iam::300000000000:role/RolesAnywhere"
}
}
update.json
{
"anywhere_role_arn": "arn:aws:rolesanywhere:us-east-1:306778697945:profile/00000000-0000-0000-0000-000000000000"
}
Deleting an AWS Connection
To delete an AWS connection, run:
Syntax
ksctl connectionmgmt aws delete --id <connection-name/Id>
Example
ksctl connectionmgmt aws delete --id 5c7a0dab-6358-42dd-8809-257a96f0c010
There will be no response if the AWS connection is deleted successfully.
Getting List of AWS Connections
To list all the AWS connections, run:
Syntax
ksctl connectionmgmt aws list
Example
ksctl connectionmgmt aws list
Response
{
"skip": 0,
"limit": 10,
"total": 1,
"resources": [
{
"id": "5c7a0dab-6358-42dd-8809-257a96f0c010",
"uri": "kylo:kylo:connectionmgmt:connections:aws-connection-5c7a0dab-6358-42dd-8809-257a96f0c010",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-08-22T08:35:45.766632Z",
"updatedAt": "2022-08-22T08:43:25.392906Z",
"service": "aws",
"category": "cloud",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "aws-connection",
"access_key_id": "AKIAJBLfdgTQFOWDRSRQ",
"cloud_name": "aws",
"aws_sts_regional_endpoints": "legacy",
"aws_region": "us-east-1"
}
]
}
To list all the AWS connections of type IAM Anywhere, run:
Syntax
ksctl connectionmgmt aws list --isroleanywhere true
Example
ksctl connectionmgmt aws list --isroleanywhere true
Response
{
"skip": 0,
"limit": 10,
"total": 1,
"resources": [
{
"id": "e0036191-7c11-4c18-9152-dcfc6ab423b7",
"uri": "kylo:kylo:connectionmgmt:connections:demoiamanywhere-e0036191-7c11-4c18-9152-dcfc6ab423b7",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-05-08T08:49:23.134714Z",
"updatedAt": "2023-05-08T08:49:23.133589Z",
"service": "aws",
"category": "cloud",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "testconnection",
"meta": null,
"cloud_name": "aws",
"aws_sts_regional_endpoints": "legacy",
"aws_region": "us-east-1",
"is_role_anywhere": true,
"iam_role_anywhere": {
"certificate": "-----BEGIN CERTIFICATE-----\nMIICATCCAYagAwIBAgIUVMghsopD+cgubEYjpvB96oOeSHwwCgYIKoZIzjEAwQw\nXTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5ZMREwDwYDVQQHEwhOZXcgWW9yazEP\nMA0GA1UEChMGVGhhbGVzMQwwCgYDVQQLEwNESVMxDzANBgNVBAMTBlRoYWxlczAe\nFw0yMzAxMDMxMDE1NTBaFw0yNDAxMDMxMDE1NTBaMEQxCzBgNVBAYTAlVTMQ8w\nDQYDVQQKDAZUaGFsZXMxEzARBgNVBAMMClRoYWxlcy5jb20xDzANBgNVBAsMBkRJ\nU19EUzB2MBAGByqGSM49AgEGBSuBBAAiA2IABIt5e3BVMVAdNfTGslhkhbLlqJiA\nvO0ECgAlClTwzILZalsczZ0256PVWDq4DXRXVzUSKMHJTvD2dfxzU3Ze9AP92h\nz7PXr+AiBcyoz03kcqd4eInt8cVbI8iA0yk1xqMgMB4wDAYDVR0TAQH/BAIwADAO\nBgNVHQ8BAf8EBAMCB4AwCgYIKoZIzj0EAwQDaQAwZgIxAO3YZ5spj2Nnkb5ycuI0\nsz4CYbt5/Akw6XCIkj676ExyhRlBHs3MnYocD1dqJIHbcgIxAPbMcFe0ntWfe+hm\nsGYqabQmzwJaewriq3qmmThs8MPx8k7F9N6sKdiC7fI8d2XAsA==\n-----END CERTIFICATE-----",
"trust_anchor_arn": "arn:aws:rolesanywhere:us-east-1:306778697945:trust-anchor/944e70c0-a0b9-4cb9-97fd-0b8ff46d43ad",
"profile_arn": "arn:aws:rolesanywhere:us-east-1:306778697945:profile/0d90fe36-1977-4ff8-886d-8c84b5a922ed",
"anywhere_role_arn": "arn:aws:iam::306778697945:role/RolesAnywhere_Tester"
}
}
]
}
Testing an Existing AWS Connection
To test an existing AWS connection, run:
Syntax
ksctl connectionmgmt aws test --id <connection-name/Id>
Example
ksctl connectionmgmt aws test --id 5c7a0dab-6358-42dd-8809-257a96f0c010
Response
{
"connection_ok": true
}
Testing a New AWS Connection
To test the parameters of a new AWS connection, run:
Syntax
ksctl connectionmgmt aws test --clientid <access-key-id> --secret <aws-client-secret> --assumerolearn <assume-role-arn> --assumeroleexternalid <assume-role-external-id> --cloudname <cloud-name>
Example
ksctl connectionmgmt aws test --clientid AKIAJBLNQGTQFOWDRSRQ --secret DHZc9bi/rrJZW3PRfWrkgn3KYVMDyI1bnedKPmlwU
Response
{
"connection_ok": true
}
To test the parameters of a new AWS connection of type IAM Anywhere, run:
Syntax
ksctl connectionmgmt aws test --iamroleanywhere <path-to-json-file> --isroleanywhere true
Example
ksctl connectionmgmt aws test --iamroleanywhere iamanywhere.json --isroleanywhere true
iamanywhere.json
{
"iam_role_anywhere": {
"anywhere_role_arn": "arn:aws:iam::306778697945:role/RolesAnywhere_Test",
"profile_arn": "arn:aws:rolesanywhere:us-east-1:306778697700:profile/0d90fe36-1977-4ff8-886d-8c84b5a922ed",
"trust_anchor_arn": "arn:aws:rolesanywhere:us-east-1:306778670045:trust-anchor/944e70c0-a0b9-4cb9-97fd-0b8ff46d43ad",
"certificate": "-----BEGIN CERTIFICATE-----\nMIICATCCAYagAwIBAgIUVMghsopD+cgubEYjpvB96oOeSHwwCgYIKoZIzj0EAwQw\nXTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5ZMREwDwYDVQQHEwhOZXcgWW9yazEP\nMA0GA1UEChMGVGhhbGVzMQwwCgYDVQQLEwNESVMxDzANBgNVBAMTBlRoYWxlczAe\nFw0yMzAxMDMxMDE1NTBaFw0yNDAMDMxMDE1NTBaMEQxCzAJBgNVBAYTAlVTMQ8w\nDQYDVQQKDAZUaGFsZXMxEzARBgNVBAMMClRoYWxlcy5jb20xDzANBgNVBAsMBkJ\nU19EUzB2MBAGByqGSMAgEGBSuBBAAiA2IABIt5e3BVMVAdNfTGslhkhbLlqJiA\nvO0ECgAlClTwzILZalsczZ0256PVWD9+q4DXRXVzUSKMHJTvD2dfxzU3Ze9AP92h\nz7PXr+AiBcyoz03kcqd4eInt8cVbI8iA0yk1xqMgMB4wDAYDVR0TAQH/BAIwADAO\nBgNVHQ8BAf8EBAMCB4AwCgYIKoZIzj0EAQDaQAwZgIxAO3YZ5spj2Nnkb5ycuI0\nsz4CYbt5/Akw6XCIkj676ExyhRlBHs3MnYocD1dqJIHbcgIxAPbMcFe0ntWfe+hm\nsGYqabQmzwJaewriq3qmmThs8MPx8k7F9N6sKdiC7fI8d2XAsA==\n-----END CERTIFICATE-----",
"private_key": "-----BEGIN EC PARAMETERS-----\nBgUrgQQAIg==\n-----END EC PARAMETERS-----\n-----BEGIN EC PRIVATE KEY-----\nMIGkAgEBBDBZ2dIjpkmoQ5JGNjpHq0rdz4KOFRbfbdfjP3nCSLhlZtrLDrhRCGiqX\nc/7hJFA49pugBwYFK4EEACKhZANiAASLeXtwVTFQHTX0xrJYZIWy5aiYgLztBAoA\nJQpU8MyC2WpbHM2dNuej1Vg/fquA10V1c1EijByU7w9nX8c1N2XvQD/doc+z16/g\nIgXMqM9N5HKneHiJ7fHFWyPIgNMpNcY=\n-----END EC PRIVATE KEY-----"
},
"is_role_anywhere": true
}
Response
{
"connection_ok": true
}