Credentials for discovering cloud resources

Discovery and Service Mapping customers need to configure credentials before they can discover AWS and Azure resources.

AWS credential requirements

The credentials required for the instance to access AWS accounts are the AWS account number, the access key ID, and the secret access key. Provide these credentials so that the instance can discover AWS accounts. If you are using IAM to manage users in AWS, you must create a user profile in IAM that is specifically designed for use by the instance, so that the instance does not run with the root account's keys.

Azure credential requirements

The credentials required for the instance to access Azure accounts are referred to as service principals. A service principal is the automated process, application, or service that the Azure admin configured to access the subscription that the admin specifies. Provide the credentials for your Azure service principal to the instance so that it can discover the Azure subscriptions for your organization.

Note: You cannot copy encrypted fields like access keys from one instance to another.

Create AWS credentials

Create the credentials necessary to access your AWS accounts.

Before you begin

  • Role required: sn_cmp.cloud_admin
  • AWS account number, access key ID, secret access key

Procedure

  1. Navigate to Discovery > Credentials, and then select AWS Credentials.
  2. Use the following information to fill out the AWS Credentials form:
    Figure 1. AWS credentials
    Table 1. AWS credentials form fields
    Field              Input value
    Name               Enter a unique and descriptive name for this credential. For example, you might call it AWS Main Account.
    Active             Enable or disable these credentials for use.
    Access Key ID      Enter the access key ID generated from the AWS Management Console, for example, APIAIOSFODNN7EXAMPLE.
    Secret Access Key  Enter the secret access key generated from the AWS Management Console, for example, wPalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY. The secret is shown only once when the key is created; if it was not saved, create a new access key in IAM.
  3. Click Submit.

What to do next

Create a Service Account

Set up AWS Identity and Access Management (IAM) users

If you are using IAM to manage users in AWS, you must create a user profile in IAM that is designed for use by the instance.

Before you begin

Familiarize yourself with the AWS documentation on IAM. You must know how to create an IAM user and set up a user policy.

Procedure

  1. Log in to the AWS Management Console and create a new user in IAM.
    Have AWS generate an access key for the user. You need this key when you configure AWS credentials in the instance.
  2. Save the Access Key ID and Secret Access Key.
  3. Open the IAM user record for the user you created.
  4. Define a user policy in AWS using either of the following methods:
    • Grant administrator access to the instance, which is essentially the same access the instance would have if you were not using IAM and simply used your AWS account Access Key ID and Secret Access Key. Attach the AdministratorAccess managed policy to the user.
      Note: If the user only needs to support Discovery rather than the provisioning of cloud resources, attach the ReadOnlyAccess managed policy instead. Discovery does not create, modify, or delete resources, so this is the least-privileged of the two options.
    • Create a custom policy with a descriptive name and the following code in the Policy Document field in the user policy. This policy grants full access (create, modify, delete) to the listed services, so it is a provisioning policy, not a discovery-only policy:
      {
          "Version": "2012-10-17",
          "Statement": [{
              "Action": "cloudfront:*",
              "Effect": "Allow",
              "Resource": "*"
          }, {
              "Action": "s3:*",
              "Effect": "Allow",
              "Resource": "arn:aws:s3:::*"
          }, {
              "Action": "elasticloadbalancing:*",
              "Effect": "Allow",
              "Resource": "*"
          }, {
              "Action": "sqs:*",
              "Effect": "Allow",
              "Resource": "arn:aws:sqs:*"
          }, {
              "Action": "rds:*",
              "Effect": "Allow",
              "Resource": "*"
          }, {
              "Action": "sns:*",
              "Effect": "Allow",
              "Resource": "arn:aws:sns:*"
          }, {
              "Action": "ec2:*",
              "Effect": "Allow",
              "Resource": "*"
          }, {
              "Action": "cloudformation:*",
              "Effect": "Allow",
              "Resource": "*"
          }, {
              "Action": "directconnect:*",
              "Effect": "Allow",
              "Resource": "*"
          }, {
              "Action": "route53:*",
              "Effect": "Allow",
              "Resource": "arn:aws:route53:::*"
          }, {
              "Action": ["iam:DeleteServerCertificate", "iam:GetServerCertificate", "iam:ListServerCertificates", "iam:UpdateServerCertificate", "iam:UploadServerCertificate"],
              "Effect": "Allow",
              "Resource": "arn:aws:iam::*:server-certificate/*"
          }]
      }

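The following script is an added example, not code from the ServiceNow documentation or product. It parses the custom policy document shown in the procedure, reports every statement that allows write-capable actions (and whether the statement is scoped to "*"), and derives a discovery-only variant by rewriting each "service:*" grant to Describe*/List*/Get* and dropping explicit write actions. The assumption that those three prefixes cover what Discovery needs is the author's, based only on the page's statement that ReadOnlyAccess suffices for Discovery; validate the derived policy against your own Discovery runs before relying on it.

```python
"""Audit the custom IAM policy from the procedure and derive a read-only variant.

Added example; not part of the ServiceNow documentation. The policy below is
copied from the procedure. READ_ONLY_PREFIXES is an assumption: the page only
says the AWS-managed ReadOnlyAccess policy is enough for Discovery.
"""
import json

# Policy document as shown in the procedure (copied, not invented).
CUSTOM_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Action": "cloudfront:*", "Effect": "Allow", "Resource": "*"},
  {"Action": "s3:*", "Effect": "Allow", "Resource": "arn:aws:s3:::*"},
  {"Action": "elasticloadbalancing:*", "Effect": "Allow", "Resource": "*"},
  {"Action": "sqs:*", "Effect": "Allow", "Resource": "arn:aws:sqs:*"},
  {"Action": "rds:*", "Effect": "Allow", "Resource": "*"},
  {"Action": "sns:*", "Effect": "Allow", "Resource": "arn:aws:sns:*"},
  {"Action": "ec2:*", "Effect": "Allow", "Resource": "*"},
  {"Action": "cloudformation:*", "Effect": "Allow", "Resource": "*"},
  {"Action": "directconnect:*", "Effect": "Allow", "Resource": "*"},
  {"Action": "route53:*", "Effect": "Allow", "Resource": "arn:aws:route53:::*"},
  {"Action": ["iam:DeleteServerCertificate", "iam:GetServerCertificate",
              "iam:ListServerCertificates", "iam:UpdateServerCertificate",
              "iam:UploadServerCertificate"],
   "Effect": "Allow", "Resource": "arn:aws:iam::*:server-certificate/*"}
]}
""")

# Assumed read-only verb prefixes (Discovery only needs to read inventory).
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def statements(policy):
    """Normalize each statement to (effect, [actions], [resources])."""
    out = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        resources = stmt["Resource"]
        if isinstance(actions, str):
            actions = [actions]
        if isinstance(resources, str):
            resources = [resources]
        out.append((stmt.get("Effect", "Deny"), actions, resources))
    return out


def is_write_capable(action):
    """True unless the action's verb starts with a read-only prefix.
    'service:*' always counts as write-capable."""
    _service, _, verb = action.partition(":")
    if verb in ("", "*"):
        return True
    return not verb.startswith(READ_ONLY_PREFIXES)


def audit(policy):
    """Return one finding per Allow statement that grants write-capable actions."""
    findings = []
    for effect, actions, resources in statements(policy):
        if effect != "Allow":
            continue
        writes = [a for a in actions if is_write_capable(a)]
        if writes:
            findings.append({
                "actions": writes,
                "resources": resources,
                "unscoped": "*" in resources,  # applies to every resource type
            })
    return findings


def read_only_variant(policy):
    """Rewrite 'service:*' to Describe*/List*/Get*, drop explicit write actions."""
    new_statements = []
    for effect, actions, resources in statements(policy):
        if effect != "Allow":
            continue
        kept = set()
        for action in actions:
            service, _, verb = action.partition(":")
            if verb == "*":
                kept.update(f"{service}:{p}*" for p in READ_ONLY_PREFIXES)
            elif not is_write_capable(action):
                kept.add(action)
        if kept:
            new_statements.append({
                "Effect": "Allow",
                "Action": sorted(kept),
                "Resource": resources[0] if len(resources) == 1 else resources,
            })
    return {"Version": policy["Version"], "Statement": new_statements}


if __name__ == "__main__":
    for f in audit(CUSTOM_POLICY):
        scope = "ALL RESOURCES" if f["unscoped"] else ", ".join(f["resources"])
        print(f"write-capable: {', '.join(f['actions'])}  on {scope}")
    print(json.dumps(read_only_variant(CUSTOM_POLICY), indent=2))
```

Running the audit on the page's policy flags all eleven statements; six of them are unscoped ("Resource": "*"). Note that "read-only" in IAM terms still includes data reads such as s3:GetObject, so if Discovery only needs bucket metadata, narrow the s3 grant further rather than accepting the wildcard.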

What to do next

Create a service account with the AWS Account Number, the Access Key ID, and the Secret Access Key for the user you created in AWS.

Collect the Azure Client ID and Tenant ID

Specify the Azure Client ID and Tenant ID while configuring the instance.

Before you begin

Role required: sn_cmp.cloud_admin.

Procedure

  1. Log in to the Azure portal, navigate to Active Directory, and then select the directory that you work in.
  2. Click the application that you are working on and then click Configure.
  3. Copy the Tenant ID and the Client ID and save them into a text file.
    In the endpoint URLs shown for the application, the Tenant ID is the segment in the form of a GUID. For example, in https://login.windows.net/d85131e4-1763-42d6-b9c7-b6bad64b3a51 the Tenant ID is d85131e4-1763-42d6-b9c7-b6bad64b3a51.

Create Azure credentials (service principals) for Cloud Management

Create the credentials necessary to access your Azure subscriptions after you collect the tenant and client IDs from Azure.

Before you begin

  • Role required: sn_cmp.cloud_admin
  • A service principal on the Azure portal. Make sure that your user settings in Azure allow users to register applications. Also make sure that your Directory role is not set to User if that role is not permitted to create applications. You can always ask your Azure administrator to create the service principal for you.
  • The Azure client ID, tenant ID, and subscription ID (a GUID), which you obtain from the Azure portal.

About this task

See Getting Started with Azure and Cloud Management for a video that explains the Azure and Cloud Management integration.

Procedure

  1. Navigate to Discovery > Credentials, and then select Azure Service Principal.
  2. Fill in the form fields (see table).
    Figure 2. Azure credentials
    Field                  Value
    Name                   Enter the name of the service principal to register with the instance.
    Tenant ID and Client ID  Paste the values that you obtained from the Azure portal:
                           • The Tenant ID is the Directory ID in Azure.
                           • The Client ID is the Application ID of the application that you registered in Azure. If you do not have an application, you must create one under App registrations in the Azure portal.
    Authentication Method  Select Client secret.
                           Note: Client assertion is not supported.
    Secret key             Paste the secret key that was generated while creating the Azure Service Principal in the Azure portal. Azure shows the secret only once at creation time; if it was not saved, generate a new one.

    This field appears when Authentication method is Client secret.

  3. Right-click the form header and click Save.
  4. Go to Access control (IAM) in the Azure portal and assign a role to the Azure application that you registered. The role must grant access to the subscription and allow manipulation of it, for example the Contributor or Owner role. This allows API calls that use the Azure credential to manipulate items in the subscription. Contributor and Owner let the instance create, modify, and delete resources, so assign the least-privileged role that covers the operations you intend to run through the instance.

What to do next

  • If the Microsoft Azure Management Application (DEPRECATED) [com.snc.azure] plugin is active on your instance, you can click Get Subscriptions to automatically populate your subscriptions in the related list.
  • Create a Service Account