Credentials for discovering cloud resources

Discovery and Service Mapping customers need to configure credentials before they can discover AWS and Azure resources.

AWS credential requirements

The credentials required for the instance to access AWS accounts are the AWS account number, the access key ID, and the secret access key. Provide these credentials so that the instance can discover AWS accounts. If you are using IAM to manage users in AWS, you must create a user profile in IAM that is specifically designed for use by the instance.

Azure credential requirements

The credentials required for the instance to access Azure accounts are referred to as service principals. A service principal is the automated process, application, or service that the Azure admin configured to access the subscription that the admin specifies. Provide the credentials for your Azure service principal to the instance so that it can discover the Azure subscriptions for your organization.

Note: You cannot copy encrypted fields like access keys from one instance to another.

Set up AWS Identity and Access Management (IAM) users

If you are using IAM to manage users in AWS, you must create a user profile in IAM that is designed for use by the instance.

Before you begin

Familiarize yourself with the AWS documentation on IAM. You must know how to create an IAM user and set up a user policy.

Procedure

  1. Log in to the AWS Management Console and create a new user in IAM.
    Have AWS generate an access key for the user automatically when you create it. You need this key when you configure AWS credentials in the instance.
  2. Save the Access Key ID and Secret Access Key.
  3. In the instance, open the user record for the appropriate user.
  4. Define a user policy in AWS using either of the following methods:
    • Grant Administrator Access to the instance, which is essentially the same access that would be granted to the instance if you were not using IAM and simply used your AWS account Access Key ID and Secret Access Key. Attach the AdministratorAccess policy to the user profile.
      Note: If you want to create a user policy that only supports Discovery rather than the provisioning of cloud resources, attach the ReadOnlyAccess policy instead.
    • Create a custom policy with a descriptive name and the following code in the Policy Document field in the user policy:
      {
          "Version": "2012-10-17",
          "Statement": [{
              "Action": "cloudfront:*",
              "Effect": "Allow",
              "Resource": "*"
          }, {
              "Action": "s3:*",
              "Effect": "Allow",
              "Resource": "arn:aws:s3:::*"
          }, {
              "Action": "elasticloadbalancing:*",
              "Effect": "Allow",
              "Resource": "*"
          }, {
              "Action": "sqs:*",
              "Effect": "Allow",
              "Resource": "arn:aws:sqs:*"
          }, {
              "Action": "rds:*",
              "Effect": "Allow",
              "Resource": "*"
          }, {
              "Action": "sns:*",
              "Effect": "Allow",
              "Resource": "arn:aws:sns:*"
          }, {
              "Action": "ec2:*",
              "Effect": "Allow",
              "Resource": "*"
          }, {
              "Action": "cloudformation:*",
              "Effect": "Allow",
              "Resource": "*"
          }, {
              "Action": "directconnect:*",
              "Effect": "Allow",
              "Resource": "*"
          }, {
              "Action": "route53:*",
              "Effect": "Allow",
              "Resource": "arn:aws:route53:::*"
          }, {
              "Action": ["iam:DeleteServerCertificate", "iam:GetServerCertificate", "iam:ListServerCertificates", "iam:UpdateServerCertificate", "iam:UploadServerCertificate"],
              "Effect": "Allow",
              "Resource": "arn:aws:iam::*:server-certificate/*"
          }]
      }
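The custom policy above uses service-wide wildcards, so it grants far more than a discovery-only setup needs (the note above points to ReadOnlyAccess for that case). The following audit script is an added example, not part of this page or the product: it embeds an excerpt of the policy above and reports every Allow action that is not a Describe/Get/List verb, which is an assumed triage heuristic rather than an AWS-defined read-only classification.

```python
import json

# Excerpt of the custom user policy shown on this page (three of its statements),
# embedded here so the check runs offline against a realistic input.
POLICY_EXCERPT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "ec2:*", "Effect": "Allow", "Resource": "*"},
        {"Action": "s3:*", "Effect": "Allow", "Resource": "arn:aws:s3:::*"},
        {"Action": ["iam:DeleteServerCertificate", "iam:GetServerCertificate",
                    "iam:ListServerCertificates"],
         "Effect": "Allow", "Resource": "arn:aws:iam::*:server-certificate/*"},
    ],
})

# Assumption: action verbs starting with these prefixes only read state.
# This is a heuristic for triage, not an AWS-defined read-only classification.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM allows a string or a list for Action/Statement; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit_policy(policy_text):
    """Return (statement index, action, reason) for every Allow action that
    goes beyond read-only discovery access. An empty list means read-only."""
    policy = json.loads(policy_text)
    if policy.get("Version") != "2012-10-17":
        raise ValueError("unexpected policy Version: %r" % policy.get("Version"))
    findings = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        for action in _as_list(stmt["Action"]):
            service, _, verb = action.partition(":")
            if verb == "*":
                findings.append((idx, action,
                                 "wildcard grants every %s action, including write and delete" % service))
            elif not verb.startswith(READ_ONLY_PREFIXES):
                findings.append((idx, action, "not a read-only action"))
    return findings


def is_read_only(policy_text):
    """True when the policy grants nothing beyond read-only access."""
    return not audit_policy(policy_text)


if __name__ == "__main__":
    for idx, action, reason in audit_policy(POLICY_EXCERPT):
        print("statement %d: %s: %s" % (idx, action, reason))
```

Run it against the full policy document from the AWS console to see which statements would have to be narrowed before the user qualifies as discovery-only.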

What to do next

Create a service account with the AWS Account Number, the Access Key ID, and the Secret Access Key for the user you created in AWS.

Configure the Azure Alert service for Discovery

You can configure the Azure Alert service to auto-update the CMDB whenever a life cycle state or configuration change event occurs without having to wait for Discovery to run again.

Before you begin

  • Role required: discovery_admin
  • Discovery has finished running with at least one resource group.
  • A cloud account with Azure subscriptions (service accounts) and associated logical datacenters.

About this task

When Alert sends an update, the instance processes the event and creates or updates the CI entry in the CMDB and the CI information in the User Portal. Each event is saved as a record in the Events table. You should have only one rule configuration per Azure service account. Alert rules are created for all resources within this service account.

Procedure

  1. Open the Alert Configurations module.
  2. Click New and fill in the form. The fields are:
    • Service Account: the service account.
    • Resource Group: the resource group where the alert rules should be stored. The system creates alert rules for all resources in this service account.
    • User/Password: Azure does not currently support authentication. To receive Azure Alert events, however, you must provide a username for an account with the sn_cmp.cloud_event_integration role.
      In addition, you must disable Authentication for the Cloud Event Scripted REST API as follows:
      1. As System Admin, open the Scripted REST API module.
      2. Open the record for Cloud Events.
      3. Under Resources, open Cloud Config Event Post.
      4. On the Security tab, clear the Requires Authentication check box.
    • Status (read only): one of Updating, Activated, Deleting, or Deleted.
  3. Click Submit.