AWS (Instance Profile)

Last modified on November 12, 2024

Overview

This guide describes how to configure AWS as a cloud resource in StrongDM. This resource supports all the default authentication methods, except for static keys. The credential priority follows the same order as the AWS Management Console or EKS (Instance Profile) authentication.

The authentication modes are environment-loaded credentials, which can be one of the following:

  • AWS access keys in standard AWS environment variables on the gateway
  • AWS access keys configured as a standard AWS profile on the gateway
  • An EC2 instance profile or ECS profile linked to the host or container running the gateway

Prerequisites

  • Users need to have StrongDM Desktop (and/or the StrongDM CLI) and AWS CLI installed to access the cloud resource.
  • Your gateways or relays must be running at least version 31.10 to support usage of the AWS CLI to administer your AWS cloud.

Admin UI Setup

To add AWS (Instance Profile) as a StrongDM cloud resource in the Admin UI, use the following steps.

  1. Log in to the Admin UI.
  2. Go to Resources > Clouds.
  3. Click Add cloud.
  4. Select AWS (Instance Profile) as the Cloud Type.
  5. Set the remaining AWS (Instance Profile) configuration properties.
  6. Click Create to create and save the resource.

AWS (Instance Profile) properties

Configuration properties are visible when you add a cloud resource or when you click to view its settings. The following table describes the settings available for AWS (Instance Profile) cloud resource types.

PropertyRequirementDescription
Display NameRequiredMeaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >)
Cloud TypeRequiredSelect AWS (Instance Profile)
Secret StoreOptionalCredential store location; defaults to Strong Vault; learn more about Secret Store options
Enable Environment VariablesOptionalWhen selected, lets you use environment variables to authenticate connection even if EC2 roles are configured
Assume Role ARNOptionalAmazon Resource Name (ARN) role to assume after login (for example, arn:aws:iam::000000000000:role/RoleName)
RegionRequiredAWS region to connect to (for example, us-west-2)
Assume Role External IDOptionalExternal ID role to assume after login (for example 12345)
Resource TagsOptionalEnter tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev)

Secret Store options

By default, resource credentials are stored in the Strong Vault. However, these credentials also can be saved in a third-party secrets management tool.

Non-StrongDM options appear in the Secret Store dropdown if they are created under Network > Secret Stores. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.

CLI Setup

To add AWS (Instance Profile) as a StrongDM cloud resource in the CLI (instead of the Admin UI), open your terminal.

While logged in to StrongDM, use the following command:

sdm admin clouds add awsinstanceprofile

You can view all help text and options by appending --help or -h to the same command:

NAME:
   sdm admin clouds add awsinstanceprofile - create AWS (Instance Profile) cloud

USAGE:
   sdm admin clouds add awsinstanceprofile [command options] <name>

OPTIONS:
   --bind-interface value          bind interface (default: "127.0.0.1")
   --egress-filter value           apply filter to select egress nodes e.g. 'field:name tag:key=value ...'
   --enable-environment-variables  Prefer environment variables to authenticate connection even if EC2 roles are configured.
   --port-override value           port profile override (default: -1)
   --region value                  The AWS region to connect to. (required)
   --role-arn value                The role to assume after logging in. (secret)
   --role-external-id value        (secret)
   --secret-store-id value         secret store id
   --subdomain value               This will be used as your local DNS address. (e.g. app-prod1 would turn into app-prod1.<your-org-name>.sdm.network)
   --tags value                    tags e.g. 'key=value,...'
   --template, -t                  display a JSON template
   --timeout value                 set time limit for command

Logs

In the Admin UI under Logs > Clouds, you can find a record of what your users did while accessing the cloud resource. Note that any secrets displayed in the cloud logs are placeholder values. No actual keys or secrets are ever exposed in plaintext in the Admin UI.

User Setup

In order to access the AWS (Instance Profile) cloud resource via StrongDM, users first need to do the following:

  1. Install the StrongDM Desktop application (desktop app).
  2. Install the latest version of the StrongDM CLI. If the CLI is already installed, you can run sdm update in the CLI to update it. Alternatively, in the desktop app, you can go to the menu and select Update and restart. That option is only shown when an update is available.
  3. Install the AWS CLI. We support both v1 and v2 but encourage the use of v2.
  4. Set up or update the AWS-CLI configuration file to include a region, as explained in the AWS documentation.
  5. Quit and restart your desktop app before connecting for the first time.
  6. In the desktop app, select the AWS (Instance Profile) cloud resource to which you want to connect.

Usage

After user setup is complete, you may open a terminal and use the AWS CLI through StrongDM, using the base syntax of sdm aws cli where you normally would start a command with aws.

The general syntax is sdm aws cli <COMMAND>.

To test that everything is working, try:

sdm aws cli s3 ls
sdm aws cli ec2 describe-instances

Commands are always the same as they are with the AWS CLI, just with the sdm aws cli prefix instead.

Connection to Multiple AWS (Instance Profile) Cloud Resources

If your organization has multiple AWS (Instance Profile) cloud resources, and you are connected to them at the same time, you may specify a --name value in commands in order to specify which you intend to execute the command on. For example, sdm aws --name <RESOURCE_NAME> cli. The flag must come before the cli portion of the command in order to preserve the ability to use the command as normal with a single AWS (Instance Profile) cloud resource connected.

Top