AWS (Instance Profile)
Last modified on November 12, 2024
Overview
This guide describes how to configure AWS as a cloud resource in StrongDM. This resource supports all the default authentication methods, except for static keys. The credential priority follows the same order as the AWS Management Console or EKS (Instance Profile) authentication.
The authentication modes are environment-loaded credentials, which can be one of the following:
- AWS access keys in standard AWS environment variables on the gateway
- AWS access keys configured as a standard AWS profile on the gateway
- An EC2 instance profile or ECS profile linked to the host or container running the gateway
This resource type is nearly the same as the AWS cloud resource type, except that it does not support static keys. Please see Configure AWS Cloud if you wish to use static keys to manage access to your AWS cloud environment via StrongDM.
This is the method for setting up your AWS cloud and managing it with the AWS CLI. If you intend to connect to a specific AWS-hosted resource, such as Athena or an EC2 instance, those resources need to be set up separately in the appropriate areas of the Admin UI.
Prerequisites
- Users need to have StrongDM Desktop (and/or the StrongDM CLI) and AWS CLI installed to access the cloud resource.
- Your gateways or relays must be running at least version 31.10 to support usage of the AWS CLI to administer your AWS cloud.
Note that `sdm aws cli ssm start-session` is not currently supported when using the AWS CLI via StrongDM, due to an AWS technical limitation. If you wish to use `ssm` sessions, you can set up the AWS Console resource type and use the web interface to initiate a session with `ssm`.
Admin UI Setup
To add AWS (Instance Profile) as a StrongDM cloud resource in the Admin UI, use the following steps.
- Log in to the Admin UI.
- Go to Resources > Clouds.
- Click Add cloud.
- Select AWS (Instance Profile) as the Cloud Type.
- Set the remaining AWS (Instance Profile) configuration properties.
- Click Create to create and save the resource.
AWS (Instance Profile) properties
Configuration properties are visible when you add a cloud resource or when you click to view its settings. The following table describes the settings available for AWS (Instance Profile) cloud resource types.
Property | Requirement | Description |
---|---|---|
Display Name | Required | Meaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >) |
Cloud Type | Required | Select AWS (Instance Profile) |
Secret Store | Optional | Credential store location; defaults to Strong Vault; learn more about Secret Store options |
Enable Environment Variables | Optional | When selected, lets you use environment variables to authenticate connection even if EC2 roles are configured |
Assume Role ARN | Optional | Amazon Resource Name (ARN) of the role to assume after login (for example, arn:aws:iam::000000000000:role/RoleName) |
Region | Required | AWS region to connect to (for example, us-west-2) |
Assume Role External ID | Optional | External ID of the role to assume after login (for example, 12345) |
Resource Tags | Optional | Enter tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev) |
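The Assume Role ARN and Assume Role External ID properties only take effect if the target role's trust policy allows the identity the gateway authenticates as to assume it. The trust policy below is an added example, not part of the StrongDM documentation: the principal is the gateway's EC2 instance-profile role (GATEWAY_INSTANCE_ROLE and account 000000000000 are placeholders), and the `sts:ExternalId` condition ties the role to the External ID configured on the resource (12345, the page's own example value), so a caller that does not present that ID is refused.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowStrongDMGatewayInstanceRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::000000000000:role/GATEWAY_INSTANCE_ROLE"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "12345"
        }
      }
    }
  ]
}
```

Attach this as the trust policy of the role named in Assume Role ARN; the permissions users need through `sdm aws cli` belong in that role's permissions policy, while the gateway's instance-profile role needs only `sts:AssumeRole` on the target role.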
Secret Store options
By default, resource credentials are stored in the Strong Vault. However, these credentials also can be saved in a third-party secrets management tool.
Non-StrongDM options appear in the Secret Store dropdown if they are created under Network > Secret Stores. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.
CLI Setup
To add AWS (Instance Profile) as a StrongDM cloud resource in the CLI (instead of the Admin UI), open your terminal.
While logged in to StrongDM, use the following command:
sdm admin clouds add awsinstanceprofile
You can view all help text and options by appending `--help` or `-h` to the same command:
NAME:
sdm admin clouds add awsinstanceprofile - create AWS (Instance Profile) cloud
USAGE:
sdm admin clouds add awsinstanceprofile [command options] <name>
OPTIONS:
--bind-interface value bind interface (default: "127.0.0.1")
--egress-filter value apply filter to select egress nodes e.g. 'field:name tag:key=value ...'
--enable-environment-variables Prefer environment variables to authenticate connection even if EC2 roles are configured.
--port-override value port profile override (default: -1)
--region value The AWS region to connect to. (required)
--role-arn value The role to assume after logging in. (secret)
--role-external-id value (secret)
--secret-store-id value secret store id
--subdomain value This will be used as your local DNS address. (e.g. app-prod1 would turn into app-prod1.<your-org-name>.sdm.network)
--tags value tags e.g. 'key=value,...'
--template, -t display a JSON template
--timeout value set time limit for command
Logs
In the Admin UI under Logs > Clouds, you can find a record of what your users did while accessing the cloud resource. Note that any secrets displayed in the cloud logs are placeholder values. No actual keys or secrets are ever exposed in plaintext in the Admin UI.
User Setup
In order to access the AWS (Instance Profile) cloud resource via StrongDM, users first need to do the following:
- Install the StrongDM Desktop application (desktop app).
- Install the latest version of the StrongDM CLI. If the CLI is already installed, you can run `sdm update` in the CLI to update it. Alternatively, in the desktop app, you can go to the menu and select Update and restart. That option is only shown when an update is available.
- Install the AWS CLI. We support both v1 and v2 but encourage the use of v2.
- Set up or update the AWS CLI configuration file to include a region, as explained in the AWS documentation.
- Quit and restart your desktop app before connecting for the first time.
- In the desktop app, select the AWS (Instance Profile) cloud resource to which you want to connect.
Usage
After user setup is complete, you may open a terminal and use the AWS CLI through StrongDM, using the base syntax `sdm aws cli` where you normally would start a command with `aws`.
The general syntax is `sdm aws cli <COMMAND>`.
To test that everything is working, try:
sdm aws cli s3 ls
sdm aws cli ec2 describe-instances
Commands are always the same as they are with the AWS CLI, just with the `sdm aws cli` prefix instead.
Connection to Multiple AWS (Instance Profile) Cloud Resources
If your organization has multiple AWS (Instance Profile) cloud resources and you are connected to them at the same time, you may specify a `--name` value in commands to indicate which resource the command should run against. For example, `sdm aws --name <RESOURCE_NAME> cli`. The flag must come before the `cli` portion of the command in order to preserve the ability to use the command as normal with a single AWS (Instance Profile) cloud resource connected.