
All AWS API requests include an Access Key ID and are signed with a corresponding Secret Access Key. These authenticate the sender of the request and verify the authenticity of the request message. AWS generates the Access Key ID and Secret Access Key as a key pair, comprising an access key credential for a specific AWS account user in the AWS Identity & Access Management (IAM) service.

As the intermediary recipient of the API requests destined for AWS, NIOS must authenticate the sender of the request and verify the authenticity of the request message. Each Access Key ID and Secret Access Key pair received by the AWS API Proxy must be assigned to a NIOS user, with sufficient privileges given by a NIOS system administrator. You can assign multiple AWS user accounts to a single NIOS Cloud Admin user account, with the required cloud-api-only NIOS group setting. You can do so by adding existing AWS user accounts directly to NIOS through Grid Manager. For information, see the Configuring the NIOS Cloud Admin User section.

Note

NIOS uses the access key assignments for authorization and accounting. For example, an AWS user account may not be authorized to create a VPC but may still launch new instances in an existing VPC. As another example, for vDiscovery in a VPC you can assign to the NIOS Cloud Admin account a specific AWS user account that has read access to all VPC entities (primarily subnets and EC2 instances). This level of authorization is possible in NIOS because multiple AWS user accounts with varying IAM privileges can be assigned to the NIOS Cloud Admin user.
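To show what the intermediary has to do with a mapped key pair, here is an added example (not Infoblox or AWS code) of the AWS Signature Version 4 HMAC key derivation on the client side and the matching check a proxy performs by looking up the Access Key ID in its key-to-user table and recomputing the signature with the stored secret. KEY_TABLE, the key values, the NIOS user name and the canonical request hash are constructed placeholders.

```python
import hashlib
import hmac

# Constructed stand-in for the NIOS assignment of AWS key pairs to a Cloud Admin user:
# access key ID -> (secret access key, NIOS user). Values are placeholders, not real keys.
KEY_TABLE = {
    "AKIAEXAMPLEPROXY0001": ("wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "awscloud"),
}


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 signing key: HMAC chain over date, region, service and 'aws4_request'."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def string_to_sign(amz_date: str, scope: str, canonical_request_hash: str) -> str:
    """The SigV4 string to sign: algorithm, timestamp, credential scope, request hash."""
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, canonical_request_hash])


def sign(secret: str, sts: str, date_stamp: str, region: str, service: str) -> str:
    """Client side: hex signature carried in the request's Authorization header."""
    key = signing_key(secret, date_stamp, region, service)
    return hmac.new(key, sts.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(access_key_id: str, presented: str, sts: str,
           date_stamp: str, region: str, service: str):
    """Proxy side: map the key ID to a NIOS user and recompute the signature.

    Returns the NIOS user on success, None for an unknown key ID or a bad
    signature. A full implementation would also check the request timestamp
    and that the credential scope matches the request's region and service.
    """
    entry = KEY_TABLE.get(access_key_id)
    if entry is None:
        return None
    secret, nios_user = entry
    expected = sign(secret, sts, date_stamp, region, service)
    # Constant-time comparison so a forged signature leaks no timing information.
    if not hmac.compare_digest(expected, presented):
        return None
    return nios_user
```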

Assigning AWS User Credentials to the NIOS Cloud Admin Account

Note

In AWS, the access key credentials are used to digitally sign API calls made to AWS services. (Each access key credential has an Access Key ID and a Secret Access Key.) The secret key portion must be secured by the AWS account holder or the IAM user to whom they are assigned. As a best practice, users should rotate their access keys on a regular basis. Refer to the document AWS Security Best Practices by Amazon Web Services (http://aws.amazon.com/whitepapers/aws-security-best-practices/) and the AWS Documentation page IAM Best Practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html) for more information.

Use the Amazon IAM feature set to create an AWS user account. The AWS account needs the access key credential, comprising a key pair with an Access Key ID and a Secret Access Key, which the administrator creates when they create the account. You can obtain the access key pair only once, at the time AWS creates the new user credential.

The credentials you use will apply directly to the NIOS Cloud Admin account, and by extension to all administrators using the Cloud Admin account to send directives to the AWS API Proxy.

Obtaining the Access Key Credential for an Amazon Account

You add the Access Key ID and Secret Access Key values for each AWS user to NIOS. If the intended cloud admin user does not already have a credential, or needs a replacement because the existing key pair is not on record, the administrator can create a new access key credential on AWS and record it for use with the NIOS Cloud Admin account.
All API Query requests must be signed to authenticate the requester. By adding the AWS access key ID and secret access key to a NIOS user account mapping, you ensure a trusted connection between NIOS and AWS for all API Proxy operations, for all selected AWS users.

About Tenants

You include the tenant's account ID value (account_id) for assigning AWS access key pairs to the Infoblox cloud account. NIOS automatically populates the tenant value as the tenant ID (a twelve-digit Amazon account ID value) unless the tenant ID is specified by the user. The tenant ID is a mandatory field in many Infoblox Web API (WAPI) requests. (You can change the tenant name at a later time.)

To see tenant examples, complete the following:

  1. In Grid Manager, from the Cloud tab, select the Tenants tab. The Name and ID columns show the Tenant ID values.

  2. Click the Name value for a tenant to view the Networks and VMs pages for the selected tenant.

Configuring the NIOS Cloud Admin User

You can continue with the assignment of AWS users to the NIOS cloud account by ensuring that the cloud administrator exists in NIOS. You can add AWS users directly to NIOS.

To create the NIOS cloud admin account for mapping, complete the following steps (if you have already defined a cloud admin, you can skip Steps 1–5 of this procedure):

  1. In Grid Manager, from the Administration tab, select the Administrators tab -> Admins tab.

  2. Expand the Toolbar, and then click the Add icon.

  3. In the Add Administrator Wizard, retain the Authentication Type as Local (default), and then complete the following:

    • Login: Enter the name for the new cloud administrator account. For example, you can create awscloud or simply cloud as the global user account for AWS.

    • Password: Enter the local NIOS password for the account. If you want to include a symbol character at the beginning of the password, ensure that you put the password in quotes ('') to avoid login issues. Example: '!Infoblox'.

    • Confirm Password: Enter the same password to confirm.
      Note that in NIOS 8.5.2, when you set up the cloud admin account for a Grid Master or a standalone vNIOS for AWS instance, the minimum password length to access the NIOS UI must be four characters. It must consist of at least one uppercase character, one lowercase character, one numeric character, and one symbol character. Example: Infoblox1!
      If the symbol character is at the beginning of the password, then include the password within quotes (''). Example: '@Infoblox123'. 

    • For the Admin Group setting, click Select to specify the admin group. In the Admin Group Selector dialog box, select the cloud-api-only group, and then click OK.

  4. Optionally, click Next to add or delete extensible attributes for this cloud admin account. 

  5. Save the configuration.

Note

Ensure that those assigned AWS users are given the IP address of the API Proxy instead of using the API service endpoints for their work, because continuing to use the endpoints will bypass the Infoblox API Proxy and its AWS API extensions.

Setting Administrative Permissions for Infoblox vNIOS for AWS

For operation with the AWS API Proxy, your NIOS Cloud Admin account must have read-write permissions for the following NIOS feature sets:

  • IPAM permissions

  • DNS Permissions

  • Cloud permissions

The Cloud Admin account is assigned to the cloud-api-only administrative group in Grid Manager, as previously described in Assigning AWS User Credentials to the NIOS Cloud Admin Account. These permissions allow you to create all the important object types through the API Proxy in the AWS environment. You assign these permissions to the entire cloud-api-only administrative group in the Grid Manager.

  1. From the Administration tab, select the Administrators tab -> Permissions tab and then select the cloud-api-only group in the Groups table, expand the Toolbar and then click Add -> Global Permissions.

  2. In the Manage Global Permissions editor, from the Group Permission drop-down menu, ensure that cloud-api-only is already chosen.

  3. In the Permission Type drop-down menu, choose IPAM Permissions, and then select the Read/Write checkboxes for the following: All Network Views, All IPv4 Networks, All Hosts, and All IPv4 Host Addresses.

  4. Save the configuration.

  5. Select the cloud-api-only group and then click Add -> Global Permissions.

  6. In the Manage Global Permissions editor, from the Permission Type drop-down menu, choose Cloud Permissions.

    • Select the Read/Write checkbox for All Tenants.

  7. Save the configuration.

  8. Select the cloud-api-only group and then click Add -> Global Permissions.

  9. From the Permission Type drop-down menu, choose DNS Permissions, and then select the Read/Write checkboxes for the following categories: Grid DNS Properties, All DNAME Records, All Alias Records, All DNS Views, All NAPTR Records, All DNS Zones, All MX Records, All Hosts, All PTR Records, All IPv4 Host Addresses, All SRV Records, All A Records, All TXT Records, and All CNAME Records.

  10. Save the configuration.
    Grid Manager lists the entire set of updated cloud-api-only group permissions on the Permissions page.
