Alternate Authentication options for the VMware Aria Operations (SaaS) AWS Management pack
search cancel

Alternate Authentication options for the VMware Aria Operations (SaaS) AWS Management pack

book

Article ID: 331414

calendar_today

Updated On:

Products

VMware Aria Suite

Issue/Introduction

Starting in October 2023 VMware Aria Operations (SaaS) update, support for IAM Role Based Access and AWS Instance Profile Based Access has been added as alternative authentication options for the AWS Management Pack.

Note: Please be aware that these two authentication mechanisms are only supported for VMware Aria Operations (SaaS).

Below is a brief overview of both approaches.
Quick Links:

The Basics - Identity and Access Management (IAM) Roles and Delegation

  • IAM Role

    • IAM role is an IAM identity created in an AWS Account.
    • IAM role will have permission policy associated with it.  The permissions policy determine what the role CAN do and CANNOT do in AWS.
    • An IAM Role can be assumed by anyone who needs it.
    • When an IAM role is assumed, it provides a temporary security credentials for the role session.
    • An IAM role does not have the standard long term credentials associated with it.

  • Delegation

    • Delegation is a way of granting permissions to some user/entity in one AWS account to allow access to the resources that are owned by a different AWS account.
    • Delegation involves setting up a trust between two accounts.  The first is the account that owns the resource (the trusting account) and the second is the account that contains the users that need to access the AWS resources (the trusted account).
    • The trusted and trusting accounts can be any of the following:
      • The same account.
      • Separate accounts that are both under the same organization.
      • Two accounts owned by different organizations.
 

IAM Role based access - Overview

Consider the scenario where an application is running in AWS (AWS Account 1).  This application needs to query the AWS services belonging to
another AWS account (AWS Account 2).
Typically, this is possible by creating an IAM user access key and secret key in AWS Account 2 and share it with the application running in AWS Account 1.
With IAM Role based access we can perform this cross account access without using the static access key/secret.
This is done by creating an IAM role in AWS Account 2.  This role should have both
  1. A permissions policy (basic IAM permissions to access the services).
  2. A trust policy. This trust policy must have AWS Account 1 as the trusted principal.
Once the IAM role is created in AWS Account 2, the application that is running in AWS Account 1 can "assume" this role to gain access to the resources in AWS Account 2.

Using AWS IAM Role based access in the VMware Aria Operations (SaaS) AWS Management pack

Note 1: The IAM Role based access authentication mechanism is supported only in VMware Aria Operations (SaaS).
Note 2: The permission policy is attached. (RoleBasedAccess-CUST_1_PermissionsPolicyAWSMP.txt)
Note 3: The trust policy format is attached. Replace the <VMware AWS Account Number> and <Customer Defined External Id> in the document with the appropriate values. (RoleBasedAccess-CUST_2_TrustPolicyAWSMP.txt)
Note 4: The IAM role to attach to the EC2 instance in which VMware Aria Operations (SaaS) is deployed is attached (RoleBasedAccess-VMW_SRE_IAMRole_AttachTo_EC2Instance.txt)
    
VMware Aria Operations (SaaS) deployments are in VMware's AWS Account (say, AWS Account 1) and the AWS management pack can be used to monitor the AWS resources in Customer's AWS Account (AWS Account 2).
To enable the cross account access in this case, the Customer AWS Account (AWS Account 1) should trust the VMware's AWS Account (AWS Account 2).
    

Customer Action Items

In the Customer's AWS Account, an IAM Role must be created that contains the below two policies:
  • A permission policy that contains the IAM permissions required by the AWS Management pack (Refer Note 2).
  • A trust policy (Refer Note 3) that contains 
    • The principal to trust (In this case, the principal must be the VMware AWS Account Number provided by the VMware SRE team).
    • ExternalId, a Customer defined string.
Once the IAM Role is created, note down the IAM Role ARN and the ExternalId.  This information will be required to configure the AWS Management Pack in VMware Aria Operations (SaaS).
    

VMware SRE team Action Items

The AWS Management Pack must "assume" the IAM Role created by Customers to perform collections.  This is implemented by invoking the AWS STS "AssumeRole" API call.
To make this API call happen, the VMware SRE team must attach a IAM role having the appropriate privileges to the EC2 instance(s) in which VMware Aria Operations (SaaS) is running (Refer Note 4).
    
See Configure IAM Role Based Access below for more details.
 

AWS Instance profile based access - Overview

Note 1: This authentication mechanism is meant to support the VMware SRE use cases.
Note 2: The permission policy is attached (InstanceProfileBasesAccess_PermissionsPolicyAWSMP.txt).

AWS Instance profile based authentication is used in scenarios where an application that runs in an EC2 Instance needs access to other AWS services belonging to the same account.
By attaching a role (with the required IAM permissions) to the EC2 instance in which the application is running, the application will be able to query the services and/or metrics without using any access key/secret.

We support this authentication mode, primarily to support the VMware SRE use cases where the SRE team uses VMware Aria Operations (SaaS) to monitor our own AWS infrastructure.
In this scenario, the AWS account in which the VMware Aria Operations (SaaS) is deployed and the AWS account to be monitored will be the same.

Using AWS Instance profile based access in the VMware Aria Operations (SaaS) AWS Management pack

To use Instance profile based access in the VMware Aria Operations (SaaS) AWS Management Pack, the SRE team must do the following:
  1. Define an IAM role with a permission policy.
  2. Attach the IAM role created above to the EC2 instances in which VMware Aria Operations (SaaS) is running.
See Configure Instance Profile Based Access below for more details.

Resolution

Follow the steps below to create the required roles and policies via the AWS Console.

Quick Links:  

Configure IAM Role Based Access

These steps are required for IAM Role based Access.

Steps to create IAM Role with permissions policy and trust policy

Steps to create IAM Role with permissions policy and trust policy in the AWS Account to be monitored by the VMware Aria Operations (SaaS) AWS Management Pack.
  1. Login to Amazon AWS console.
  2. Navigate to Identity and Access Management (IAM) service and click on Policies.
  3. Click on Create Policy.  In the Specify Permissions, click on JSON.
  4. In the policy editor page, remove all existing content and paste the contents of the RoleBasedAccess-CUST_1_PermissionsPolicyAWSMP.txt file attached.
  5. Click Next.
  6. Give a name for the policy.
Example: Ariaops-aws-mp-permissions-policy
  1. (Optional) Give a description.
  2. (Optional) Click Add tag to add tag.
  3. Click Create Policy.
  4. Click on Roles.
  5. Click on Custom Trust Policy in the Select trusted entity.
  6. In the custom trust policy editor window, remove all the content that is present and paste the contents of the RoleBasedAccess-CUST_2_TrustPolicyAWSMP.txt file attached.  Insert the AWS Account ID provided by the VMware SRE team in place of <AWS_ACCOUNT_ID>.  Insert a custom string (something unique to the organization) in place of <EXTERNAL_ID>.
  7. Click Next.
  8. in the Add permissions page select the permissions policy created in step 6 above.
  9. Click Next.
  10. Give a role name and optional Tags.
  11. Note down the Role ARN and External ID since these are required while configuring the AWS Management Pack in VMware Aria Operations (SaaS).
 

Steps to create IAM role to be attached to the EC2 instance

Steps to create IAM role to be attached to the EC2 instance in which VMware Aria Operations (SaaS) is deployed.
These steps are to be done by the VMware SRE team.
Note: This is a pre-requisite to enable the AssumeRole action.
  1. Login to Amazon AWS console.
  2. Navigate to Identity and Access Management (IAM) service and click on Policies.
  3. Click on Create Policy.  In the Specify Permissions, click on JSON.
  4. In the policy editor page, remove all existing content and paste the contents of the RoleBasedAccess-VMW_SRE_IAMRole_AttachTo_EC2Instance.txt file attached.
  5. Click Next.
  6. Give a name for the policy.
Example: aria-ops-ec2-instance-policy
  1. (Optional) Give a description.
  2. (Optional) Click Add tag to add tags.
  3. Click Create Policy.
  4. Click on Roles.
  5. Click on AWS Service in the Select trusted entity.
  6. Select EC2 from the list of services and click Next.
  7. Select the policy created in step 6 above and click Next.
  8. Give a role name and optional tags.
Examplearia-ops-ec2-instance-instance-profile-role
  1. Click Create Role.
 

Attach a role to EC2 Instance

Attach a role to EC2 Instance in which VMware Aria Operations (SaaS) is running.
These steps are to be done by the VMware SRE team.
  1. Identify the EC2 instance where VMware Aria Operations (SaaS) is deployed.
  2. Click on the EC2 instance, select Actions and select Security > Modify IAM Role
  3. Select the Role, aria-ops-ec2-instance-instance-profile-role created in step 14 above.
  4. Click Update IAM Role.

Configure Instance Profile Based Access

These steps are required for Instance Profile based Access.

Steps to create IAM Role with permissions policy

Steps to create IAM Role with permissions policy required for the Instance profile authentication mode.
  1. Login to Amazon AWS console
  2. Navigate to Identity and Access Management (IAM) service and click on Policies
  3. Click on Create Policy. In the "Specify Permissions", click on "JSON"
  4. In the policy editor page, remove all existing content and paste the contents of "InstanceProfileBasesAccess_PermissionsPolicyAWSMP.txt" attached
  5. Click next
  6. Give a name for the policy, say - Ariaops-aws-mp-permissions-policy-instance-profile 
  7. (Optional) Give a description.
  8. (Optional) Click Add tag to add tag.
  9. Click Create Policy.
  10. Click on Roles.
  11. Click on AWS Service in the Select trusted entity.
  12. Select EC2 from the list of services and click Next.
  13. Select the policy created in step 6 above and click Next.
  14. Give a role name and optional Tags.

Attach a role to EC2 Instance

Attach a role to EC2 Instance in which VMware Aria Operations (SaaS) is running.
This step is to be done by the VMware SRE team.
  1. Identify the EC2 instance where VMware Aria Operations (SaaS) is deployed.
  2. Click on the EC2 instance, select Actions and select Security > Modify IAM Role
  3. Select the Role, Ariaops-aws-mp-permissions-policy-instance-profile created in step 6 above.
  4. Click Update IAM Role.


Attachments

RoleBasedAccess-VMW_SRE_IAMRole_AttachTo_EC2Instance get_app
RoleBasedAccess-CUST_1_PermissionsPolicyAWSMP get_app
RoleBasedAccess-CUST_2_TrustPolicyAWSMP get_app
InstanceProfileBasesAccess_PermissionsPolicyAWSMP get_app
Powered by Wolken Software