Configuring Connections to AWS using IAM Roles

IT Asset Management (Cloud)

Before you begin

Ensure that you read the background information and prerequisites before beginning this task (see Managing AWS Connections).

To configure an initial data connection to your AWS services using role-based access:

  1. Using the email address saved by your AWS account owner for your AWS account, sign into AWS and open the IAM console at https://console.aws.amazon.com/iam.
    You will create both policies and the user account through this console.
  2. Create the policy to access your EC2 and RDS services:
    1. In the navigation pane on the left, choose Policies.
    2. Click Create policy.
    3. Click Choose a service and select EC2.
    4. In the Actions section, expand the List access level.
    5. Select the following access levels to allow collection of inventory data from AWS:
      • DescribeInstances
      • DescribeHosts
      • DescribeReservedInstances
    6. Click Add additional permissions.
    7. Click Choose a service and select IAM.
    8. In the Actions section, expand the List access level.
    9. Select the following access levels to allow collection of inventory data from IAM:
      • ListAccountAliases
    10. Click Add additional permissions.
    11. Click Choose a service and select RDS.
    12. In the Actions section, expand the List access level.
    13. Select the following access levels to allow collection of inventory data from RDS:
      • DescribeDBInstances
    14. Against the Resources heading, click Specify db resource ARN for the DescribeDBInstances action.
    15. In the Create policy page, in the Visual editor > RDS > Resources section, click Add ARN to open the Add ARN(s) dialog.
    16. Choose the regions, accounts, and instance names needed to include any Oracle Database instances running in Amazon RDS that need to be discovered to allow inventory collection. Finally, click Add to save your specification.
    17. Click Next: Tags to expose the Add tags (Optional) page. While these tags are not required for inventory gathering by IT Asset Management, you may add any tags that assist you in managing your AWS services.
    18. Click Next: Review, and give this policy a suitable and unique Name (for example, ListInventoryForFNMS). Optionally, you may also add a Description to assist with future maintenance.
    19. Click Create policy.
  3. Create the policy to access your IAM service:
    1. Once again, in the navigation pane on the left, choose Policies.
    2. Click Create policy.
    3. Click Choose a service and select IAM.
    4. In the Actions section, expand the Read access level and select the following access levels which will be used to validate the connection to AWS and enable you to implement a connection using an IAM User.
      • GetUser
      • GetPolicy
      • GetPolicyVersion
    5. In the Actions section, expand the List access level and select the following:
      • ListAttachedUserPolicies — This access level allows a test connection, and allows the inventory beacon to discover which roles can be assumed by the user so that the appropriate role can be assumed, so that the necessary permissions are available for collecting inventory
      • ListGroupsForUser — Allows the inventory beacon to identify what groups are assigned to the proposed user account
      • ListAttachedGroupPolicies — This setting is mandatory if the user has any groups assigned.
        Important: If the user account has any group(s) assigned, and this permission is not granted, then no inventory can be collected.
    6. Click Choose a service and select STS.
    7. In the Actions section, expand the Write access level and select the AssumeRole policy.
    8. Expand the Resources section and explicitly add the Role ARNs by selecting Add ARN and supplying the Account number of the account you are currently configuring, and the role name for the role which you will configure in a later step (the suggested name will be ListEC2ForFNMSRole).
      Do not select the All Resources option.
      Important: If you do not add the exact Role ARN, the adapter will fail to discover existing accounts. As a result, no role will be assumed.

      For example, the following two roles exist in other accounts:

      • arn:aws:iam::123456789012:role/FlexeraRole
      • arn:aws:iam::210987654321:role/FlexeraRole

      If you want to assume these roles, you need to add the exact Role ARNs: arn:aws:iam::123456789012:role/FlexeraRole and arn:aws:iam::210987654321:role/FlexeraRole .

      Wildcard characters will not work when defining the policy. For example, arn:aws:iam::*:role/FlexeraRole.

    9. If you are going to collect inventory from multiple accounts with this connection, repeat the above step adding every account number and role name which will be assumed (you will create the role on each account at a later stage).
    10. Click Next: Review and give this policy a suitable and unique Name (for example, ReadRolesForFNMS). Optionally, you may also add a Description to assist with future maintenance.
    11. Click Create policy.
  4. Create a role to be assumed by an IAM User:
    1. Navigate to the IAM service.
    2. In the navigation pane, click Roles and then click Create role.
    3. Click Another AWS account.
    4. In the Account ID text box, enter the account ID that contains the IAM User.
    5. Optionally select the Require external ID check box and enter an external ID into the External ID text box.
      • Setting an external ID is optional, but it is best practice when a third party will assume this role
      • If you are creating the role on multiple accounts, ensure you use the same external ID each time
      • You will enter this value at a later step, so copy it to a convenient location.
    6. Click Next: Permissions.
    7. Search and select the first policy you created (the suggested name was ListInventoryForFNMS).
    8. Click Next: Tags and optionally assign any tags according to your needs.
    9. Click Next: Review and give this role a suitable and unique Name (such as ListEC2ForFNMSRole) Optionally, you may also add a Description to assist with future maintenance.
    10. Click Create role.
  5. If you want to collect from multiple accounts using a single connection, you must repeat Step 2 - Create the policy to access your EC2 and RDS services and Step 4 -Create a role to be assumed by an IAM User on every account from which you want to collect inventory.
    Tip: You do not need to repeat Step 3 for each account: this is only needed for the initial account where the IAM User is created.
  6. Create the IAM User account that will collect data on schedule:
    1. In the navigation pane on the left, click Users and then click Add user.
    2. In the User name field, create a name for the account (for example, FNMSUser).
    3. For the Access type, select the Programmatic access check box.
    4. Click Next: Permissions.
    5. In the Set permissions section, click Attach policies.
      Important: Be sure to click only the Attach policies button. Do not click the Add inline policy link. Inline policies are not supported for the connector, and if you choose this inline option, no inventory can be collected.
    6. Search, and select the policy you created previously (the suggested name was ReadRolesForFNMS).
    7. Click Review and validate your settings.
    8. Click Create user.

      The AWS management console displays a Success status, and the Access key and the Secret access key for the account are shown. It also provides a link to download these critical details in a .csv file.

      Warning: Be sure to secure the credentials for future use. Once you leave the window, you will not be able to access the Secret access key again. Copy them from this page and save for the rest of this procedure; but also preserve the .csv file.

    9. Download the .csv file containing the Access key ID and the Secret access key for the account, and save in a secure location.
  7. Log into FlexNet Beacon as administrator and confirm the schedule for data collection from AWS.
    Some data on AWS is ephemeral: for example, a terminated instance disappears within an hour of you implementing that decision. As well, some licenses (such as IBM PVU) require that you monitor peak consumption not more than 30 minutes apart. For reasons like these, recommended best practice is to schedule data collection from AWS every 30 minutes. A default schedule AWS imports exists in the Data collection > Scheduling page of FlexNet Beacon for this purpose. If you have reason to modify this default, it is convenient to modify the schedule before setting up the connection. See Modifying a Schedule if you need assistance.
    Tip: Don't change the name of the schedule, so that it can be automatically linked to your AWS EC2 connection. (If you make the mistake of changing the name of this schedule, the default schedule is automatically restored with the default name at the next policy check.)
  8. Configure the connection to AWS:
    1. In the FlexNet Beacon interface, select the Inventory Systems tab.
    2. To create a new connection, click the down arrow on the right of the New split button and choose PowerShell.
      Tip: Alternatively, you can edit a connection you have defined previously, by selecting it from the list of connections and clicking Edit....
    3. In the dialog that appears, complete (or modify) the following required fields:
      • In the Connection Name text box, enter a name for this inventory collection. This will become the name of this data import task in IT Asset Management.
      • From the Source Type list, select Amazon Web Services
      • The Adapter Type defaults to AWS Config. For this method, select Direct as the adapter type. Direct connects directly to each account in AWS to return inventory.
      • In the Access Key text, paste the access key value which you can copy from the credentials .csv file you downloaded from AWS.
      • In the Secret Access Key text box, paste the secret access key value which you can copy from the downloaded .csv file.
      • In the External ID text box, if you configured an External ID when creating the role, copy and paste it here.
    4. If a proxy server is in use between the inventory beacon and AWS, also select the Use Proxy check box, and complete the following additional details:
      • Proxy Server: Enter the address of the proxy server using HTTP, HTTPS, or an IP address. Use the format https://ProxyServerURL:PortNumber, http://ProxyServerURL:PortNumber, or IPAddress:PortNumber). If the protocol is omitted, it defaults to http:. If the port number is omitted, it defaults to :80 for http, or 443 for https.
      • Username and Password: If your enterprise is using an authenticated proxy, specify the credentials to access the proxy server you just identified.
    5. Click Test Connection.
      • If a Test connection failed message displays, click OK to close the message, review and correct the connection details, and retest the connection. You cannot save the connection details if the connection test fails. If you cannot get the connection test to succeed, click Cancel to cancel the addition of these connection details, and seek further assistance.
      • If, instead, the inventory beacon can successfully access the AWS APIs using the details supplied, a Test connection succeeded message displays. Click OK to close the message. Click Save to add the connection to (or update it in) the list.
Your saved connection is also automatically linked to the AWS imports schedule (editable in the Scheduling page in the Data collection group), and the Next run column shows when the next import from AWS EC2 and Amazon RDS is due.

If the subsequent import does not provide the expected results, see Troubleshooting Your AWS Connection.

IT Asset Management (Cloud)

Current