All AWS API requests include an Access Key ID and are signed with the corresponding Secret Access Key. Together these authenticate the sender of the request and verify the authenticity of the request message. AWS generates the Access Key ID and Secret Access Key as a key pair, which makes up the access key credential for a specific AWS account user in the AWS Identity & Access Management (IAM) service.

As the intermediary recipient of the API requests destined for AWS, NIOS must authenticate the sender of the request and verify the authenticity of the request message. Each Access Key ID and Secret Access Key pair received by the AWS API Proxy must be assigned to a NIOS user, with sufficient privileges given by a NIOS system administrator. You can assign multiple AWS user accounts to a single NIOS Cloud Admin user account, with the required cloud-api-only NIOS group setting. You can do so by adding existing AWS user accounts directly to NIOS through Grid Manager. For information, see the Configuring the NIOS Cloud Admin User section.
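The proxy-side check described above, sketched as an added example (not Infoblox or AWS code): it assumes AWS Signature Version 4 as the signing scheme and a request that is already in canonical form. The key pair, admin name, host name, and request are constructed sample values.

```python
import hashlib
import hmac

# Constructed key pair mapped to a hypothetical NIOS admin name (assumption).
KEY_ASSIGNMENTS = {"AKIAEXAMPLEKEY000001": ("constructed-secret-for-demo", "awscloud")}

# Constructed, already-canonicalized request (method, URI, query, headers,
# signed-header list, payload hash). The host name is a placeholder.
SAMPLE_REQUEST = "\n".join([
    "GET", "/", "Action=DescribeVpcs&Version=2016-11-15",
    "host:proxy.example.test", "x-amz-date:20240101T000000Z", "",
    "host;x-amz-date", hashlib.sha256(b"").hexdigest(),
])
SCOPE = ("20240101", "us-east-1", "ec2")  # date, region, service (constructed)
AMZ_DATE = "20240101T000000Z"

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_signature(secret: str, scope: tuple, amz_date: str, canonical_request: str) -> str:
    """Derive the SigV4 signing key from the secret and sign the request."""
    date, region, service = scope
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    request_hash = hashlib.sha256(canonical_request.encode()).hexdigest()
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, f"{date}/{region}/{service}/aws4_request", request_hash,
    ])
    return _hmac(key, string_to_sign).hex()

def authenticate(access_key_id: str, presented_sig: str, scope: tuple,
                 amz_date: str, canonical_request: str):
    """Return the assigned admin name, or None for an unknown key or bad signature."""
    entry = KEY_ASSIGNMENTS.get(access_key_id)
    if entry is None:
        return None
    secret, admin = entry
    expected = sigv4_signature(secret, scope, amz_date, canonical_request)
    # Constant-time comparison avoids leaking how many characters matched.
    ok = hmac.compare_digest(expected.encode(), presented_sig.encode())
    return admin if ok else None
```

Because the signature covers the request contents, a request altered after signing fails the check even when the Access Key ID is valid.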

Note

NIOS uses the access key assignments for authorization and accounting. For example, an Amazon user account may not have the authorization to create a VPC, but can launch new instances in a VPC. As another example, for a vDiscovery in a VPC, you can assign to the NIOS Cloud Admin account a specific AWS user account that has read access to all objects in all VPC entities (primarily, subnets and EC2 instances). This level of authorization is possible in NIOS because multiple AWS user accounts with varying IAM privileges can be assigned to the NIOS Cloud Admin user.

Assigning AWS User Credentials to the NIOS Cloud Admin Account

Note

In AWS, the access key credentials are used to digitally sign API calls made to AWS services. (Each access key credential has an Access Key ID and a Secret Access Key.) The secret key portion must be secured by the AWS account holder or the IAM user to whom they are assigned. As a best practice, users should rotate their access keys on a regular basis. Refer to the document AWS Security Best Practices by Amazon Web Services (http://aws.amazon.com/whitepapers/aws-security-best-practices/) and the AWS Documentation page IAM Best Practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html) for more information.

...

  1. In Grid Manager, from the Administration tab, select the Administrators tab -> Admins tab.

  2. Expand the Toolbar, and then click the Add icon.

  3. In the Add Administrator Wizard, retain the Authentication Type as Local (default), and then complete the following:

    • Login: Enter the name for the new cloud administrator account. For example, you can create awscloud or simply cloud as the global user account for AWS.

    • Password: Enter the local NIOS password for the account. If you want to include a symbol character at the beginning of the password, ensure that you put the password in quotes ('') to avoid login issues. Example: '!Infoblox'.

    • Confirm Password: Enter the same password to confirm.
      Note that in NIOS 8.5.2, when you set up the cloud admin account for a Grid Master or a standalone vNIOS for AWS instance, the minimum password length to access the NIOS UI must be four characters. It must consist of at least one uppercase character, one lowercase character, one numeric character, and one symbol character. Example: Infoblox1!
      If the symbol character is at the beginning of the password, then include the password within quotes (''). Example: '@Infoblox123'. 

    • For the Admin Group setting, click Select to specify the admin group. In the Admin Group Selector dialog box, select the cloud-api-only group, and then click OK.

  4. Optionally, click Next to add or delete extensible attributes for this cloud admin account. 

  5. Save the configuration.

Note

Ensure that the assigned AWS users are given the IP address of the API Proxy and use it instead of the API service endpoints for their work, because continuing to use the endpoints will bypass the Infoblox API Proxy and its AWS API extensions.

...

The Cloud Admin account is assigned to the cloud-api-only administrative group in Grid Manager, as previously described in Assigning AWS User Credentials to the NIOS Cloud Admin Account. These permissions allow you to create all the important object types through the API Proxy in the AWS environment. You assign these permissions to the entire cloud-api-only administrative group in the Grid Manager.

...