All AWS API requests include an Access Key ID and are signed with a corresponding Secret Access Key. These authenticate the sender of the request and verify the authenticity of the request message. AWS generates the Access Key ID and Secret Access Key as a key pair, comprising an access key credential for a specific AWS account user in the AWS Identity & Access Management (IAM) service.

As the intermediary recipient of the API requests destined for AWS, NIOS must authenticate the sender of the request and verify the authenticity of the request message. Each Access Key ID and Secret Access Key pair received by the AWS API Proxy must be assigned to a NIOS user, with sufficient privileges given by a NIOS system administrator. You can assign multiple AWS user accounts to a single NIOS Cloud Admin user account, with the required cloud-api-only NIOS group setting.
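As an added illustration of the authentication described above (example code, not Infoblox's implementation, and not a statement of how NIOS performs this internally), the following Python shows how an intermediary such as the API Proxy can identify a caller by its Access Key ID, look up the mapped secret and NIOS user, and recompute an AWS Signature Version 4 signature to verify the request before acting on it. The key table, the access key and secret values, and the sample request are all constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed mapping access_key_id -> (secret_access_key, nios_user_name).
# The values are made up for this example; a proxy would build the table from
# the imported credential records rather than hard-coding it.
KEY_TABLE = {
    "AKIAEXAMPLEKEY000001": ("EXAMPLESECRETKEYEXAMPLESECRETKEYEXAMPLE1", "cloud"),
}


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: the raw secret is used only as the first HMAC key."""
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def compute_signature(secret, method, path, query, headers, payload, amz_date, region, service):
    """Return (signature, credential_scope, signed_headers) for one request."""
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    # Canonical query string: parameters sorted by name, URI-encoded.
    canon_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    # Canonical headers: lower-cased names, trimmed values, sorted by name.
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canon_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    payload_hash = hashlib.sha256(payload).hexdigest()
    canonical = "\n".join([method, path, canon_query, canon_headers, signed_headers, payload_hash])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical.encode("utf-8")).hexdigest(),
    ])
    key = derive_signing_key(secret, date_stamp, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return signature, scope, signed_headers


def sign_request(access_key_id, secret, method, path, query, headers, payload, region, service):
    """Client side: return a request dict carrying a SigV4 Authorization header."""
    amz_date = next(v for k, v in headers.items() if k.lower() == "x-amz-date")
    sig, scope, signed = compute_signature(secret, method, path, query, headers,
                                           payload, amz_date, region, service)
    auth = (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
            f"SignedHeaders={signed}, Signature={sig}")
    return {"method": method, "path": path, "query": dict(query),
            "headers": {**headers, "Authorization": auth}, "payload": payload}


def verify_request(request, key_table, region, service):
    """Proxy side: return the NIOS user mapped to the signing key, or None on any failure."""
    try:
        algo, fields = request["headers"]["Authorization"].split(" ", 1)
        parts = dict(f.strip().split("=", 1) for f in fields.split(","))
        access_key_id, date_stamp, req_region, req_service, term = parts["Credential"].split("/")
        wanted = parts["SignedHeaders"].split(";")
        presented = parts["Signature"]
    except (KeyError, ValueError):
        return None                     # malformed or missing Authorization header
    if algo != "AWS4-HMAC-SHA256" or term != "aws4_request":
        return None
    if (req_region, req_service) != (region, service):
        return None
    entry = key_table.get(access_key_id)
    if entry is None:
        return None                     # access key not assigned to any NIOS user
    secret, nios_user = entry
    # Recompute over exactly the headers the client claims to have signed.
    signed = {k: v for k, v in request["headers"].items() if k.lower() in wanted}
    if len(signed) != len(wanted) or "host" not in wanted or "x-amz-date" not in wanted:
        return None
    amz_date = next(v for k, v in signed.items() if k.lower() == "x-amz-date")
    if not amz_date.startswith(date_stamp):
        return None                     # credential-scope date must match the request date
    expected, _, _ = compute_signature(secret, request["method"], request["path"],
                                       request["query"], signed, request["payload"],
                                       amz_date, region, service)
    if not hmac.compare_digest(expected, presented):
        return None                     # constant-time compare; never leak partial matches
    return nios_user


if __name__ == "__main__":
    akid = "AKIAEXAMPLEKEY000001"
    req = sign_request(akid, KEY_TABLE[akid][0], "GET", "/",
                       {"Action": "DescribeInstances", "Version": "2016-11-15"},
                       {"host": "ec2.us-east-1.amazonaws.com", "x-amz-date": "20240101T000000Z"},
                       b"", "us-east-1", "ec2")
    print(verify_request(req, KEY_TABLE, "us-east-1", "ec2"))  # prints: cloud
```

The point for a reviewer is what the proxy needs in order to authenticate: only the Access Key ID travels in the request, the secret never does, and the proxy must hold the secret for every key it accepts, which is exactly why each imported key pair has to be bound to a NIOS user with appropriate privileges.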

You do so by importing a simple CSV spreadsheet file with the AWS IAM access key ID/secret access key pairs and some other information for each user, or by adding existing AWS user accounts directly to NIOS through Grid Manager. For information, see Configuring the NIOS Cloud Admin User.

Note

NIOS uses the access key assignments for authorization and accounting. For example, an Amazon user account may not have the authorization to create a VPC, but can launch new instances in a VPC. As another example, for vDiscovery in a VPC, you can assign to the NIOS Cloud Admin account a specific AWS user account that has read access to all VPC entities (primarily, subnets and EC2 instances). This level of authorization is possible in NIOS because multiple AWS user accounts with varying IAM privileges can be assigned to the NIOS Cloud Admin user.


Assigning AWS User Credentials to the NIOS Cloud Admin Account

Note

In AWS, the access key credentials are used to digitally sign API calls made to AWS services. (Each access key credential has an Access Key ID and a Secret Access Key.) The secret key portion must be secured by the AWS account holder or the IAM user to whom they are assigned. As a best practice, users should rotate their access keys on a regular basis. Refer to the document AWS Security Best Practices by Amazon Web Services (http://aws.amazon.com/whitepapers/aws-security-best-practices/) and the AWS Documentation page IAM Best Practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html) for more information.

Use the Amazon IAM feature set to create an AWS user account. The AWS account needs the access key credential, comprising a key pair with an Access Key ID and a Secret Access Key, which the administrator creates when they create the account. You can obtain the access key pair only once, at the time the new user credential is created by AWS.

The credentials you use will apply directly to the NIOS Cloud Admin account, and by extension to all administrators using the Cloud Admin account to send directives to the AWS API Proxy.

Figure 1.4 Obtaining the Access Key Credential for an Amazon Account



You add these two values to the import CSV spreadsheet for each AWS user that will use the NIOS cloud account. (You can also download the credentials in a simple Excel-or-text-compatible CSV formatted file.)

If the intended cloud admin user does not already have a credential, or needs a replacement because the existing key pair was not kept on record, the administrator can create a new access key credential in AWS and record it for use with the NIOS Cloud Admin account.

All API Query requests must be signed to authenticate the requester. By adding the AWS access key ID and secret access key to a NIOS user account mapping, you ensure a trusted connection between NIOS and AWS for all API Proxy operations, for all selected AWS users.
The import spreadsheet must contain six columns in its header, in the following exact syntax for each cell:

  • header-awsuser
  • access_key_id
  • account_id
  • secret_access_key
  • nios_user_name
  • user_name

A single record of import data reads as follows:

header-awsuser,access_key_id,account_id,secret_access_key,nios_user_name,user_name
awsuser,AKIAI2XEVK73NXB3D45A,337228174961,whMEGK2a2oGu9UhoABBBv3tLwXfRPPPfXJJB9isu,cloud,asmith

A CSV file may be edited in Excel, but you should use a text editor to verify correct formatting, and to ensure that long Account ID numeric values are not truncated to scientific notation.
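As an added pre-import check (example code, not part of NIOS or its CSV import wizard), the following Python validates an import file against the six-column layout above before you upload it. It enforces the exact header row, the leading awsuser field, a twelve-digit account_id, non-empty key and user fields, and duplicate access keys, and it specifically flags the Excel scientific-notation damage this paragraph warns about. The sample rows and every key value in them are constructed for the example.

```python
import csv
import io
import re

EXPECTED_HEADER = ["header-awsuser", "access_key_id", "account_id",
                   "secret_access_key", "nios_user_name", "user_name"]
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Excel renders a long number such as 123456789012 as 1.23457E+11 when it
# saves a CSV; the digits are then lost and cannot be recovered from the file.
SCIENTIFIC_RE = re.compile(r"^\d(\.\d+)?E\+\d+$", re.IGNORECASE)


def validate_aws_user_csv(text: str) -> list:
    """Return a list of problems found; an empty list means the file looks importable."""
    problems = []
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return ["file is empty"]
    header = [c.strip() for c in rows[0]]
    if header != EXPECTED_HEADER:
        problems.append("header row must be exactly "
                        f"{','.join(EXPECTED_HEADER)}, got {','.join(header)}")
    seen_keys = {}
    for lineno, row in enumerate(rows[1:], start=2):
        if not row or all(not c.strip() for c in row):
            continue                                    # ignore blank lines
        if len(row) != len(EXPECTED_HEADER):
            problems.append(f"line {lineno}: expected {len(EXPECTED_HEADER)} fields, got {len(row)}")
            continue
        rec = dict(zip(EXPECTED_HEADER, (c.strip() for c in row)))
        if rec["header-awsuser"] != "awsuser":
            problems.append(f"line {lineno}: first field must be 'awsuser'")
        if SCIENTIFIC_RE.match(rec["account_id"]):
            problems.append(f"line {lineno}: account_id '{rec['account_id']}' was converted to "
                            "scientific notation; re-enter the 12-digit value in a text editor")
        elif not ACCOUNT_ID_RE.match(rec["account_id"]):
            problems.append(f"line {lineno}: account_id must be exactly 12 digits")
        for field in ("access_key_id", "secret_access_key", "nios_user_name", "user_name"):
            if not rec[field]:
                problems.append(f"line {lineno}: {field} is empty")
        key = rec["access_key_id"]
        if key in seen_keys:
            problems.append(f"line {lineno}: access_key_id already used on line {seen_keys[key]}")
        else:
            seen_keys[key] = lineno
    return problems


# Constructed sample files; the access key, secret and account ID are not real.
GOOD_CSV = """header-awsuser,access_key_id,account_id,secret_access_key,nios_user_name,user_name
awsuser,AKIAEXAMPLEKEY000001,123456789012,EXAMPLESECRETKEYEXAMPLESECRETKEYEXAMPLE1,cloud,asmith
"""

BAD_CSV = """header-awsuser,access_key_id,account_id,secret_access_key,nios_user_name,user_name
awsuser,AKIAEXAMPLEKEY000001,1.23457E+11,EXAMPLESECRETKEYEXAMPLESECRETKEYEXAMPLE1,cloud,asmith
awsuser,AKIAEXAMPLEKEY000001,123456789012,,cloud,bjones
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_CSV), ("bad", BAD_CSV)):
        for problem in validate_aws_user_csv(text) or [f"{name}: no problems found"]:
            print(problem)
```

Run it over the real file with `validate_aws_user_csv(open(path).read())` before starting the import wizard; an empty result means the header and every record have the shape the wizard expects, which is the check a text editor would otherwise have to do by eye.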

About Tenants

You include the tenant's account ID value (account_id) in your CSV file for assigning AWS access key pairs to the Infoblox cloud account. NIOS automatically populates the tenant value as the tenant ID (a twelve-digit Amazon account ID value) unless the tenant ID is specified by the user. The tenant ID is a mandatory field in many Infoblox Web API (WAPI) requests. (You can change the tenant name at a later time.)

To see tenant examples, complete the following:

  1. In Grid Manager, from the Cloud tab, select the Tenants tab. The Name and ID columns show the Tenant ID values.
  2. Click the Name value for a tenant to view the Networks and VMs pages for the selected tenant.

Configuring the NIOS Cloud Admin User

You can continue with the assignment of AWS users to the NIOS cloud account by ensuring that the cloud administrator exists in NIOS. You can either add AWS users directly to NIOS or import the CSV file containing the AWS user information.
To create the NIOS cloud admin account for mapping, complete the following steps (if you have already defined a cloud admin, you can skip Steps 1–5 of this procedure):

  1. In Grid Manager, from the Administration tab, select the Administrators tab -> Admins tab.
  2. Expand the Toolbar, and then click the Add icon.
  3. In the Add Administrator Wizard, retain the Authentication Type as Local (default), and then complete the following:
    • Login: Enter the name for the new cloud administrator account. For example, you can create awscloud or simply cloud as the global user account for AWS.
    • Password: Enter the local NIOS password for the account. If you want to include a symbol character at the beginning of the password, ensure that you put the password in quotes ('') to avoid login issues. Example: '!Infoblox'.
    • Confirm Password: Enter the same password to confirm.

      Note

      In NIOS 8.5.2, when you set up the cloud admin account for a Grid Master or a standalone vNIOS for AWS instance, the minimum password length to access the NIOS UI must be four characters. It must consist of at least one uppercase character, one lowercase character, one numeric character, and one symbol character. Example: Infoblox1!
      If the symbol character is at the beginning of the password, then include the password within quotes (''). Example: '@Infoblox123'. 

      For more information, see Creating Local Admins in the 

    • For the Admin Group setting, click Select to specify the admin group. In the Admin Group Selector dialog box, select the cloud-api-only group, and then click OK.
  4. Optionally, click Next to add or delete extensible attributes for this cloud admin account. For information about extensible attributes, see the 

  5. Save the configuration.
  6. From the Administration tab, select the Cloud tab. The CMP Administration page appears.
  7. Expand the Toolbar, and then click the CSV Import button. The New CSV Import Wizard appears.
  8. In the first Wizard step, select Add and then click Next.
  9. Click the Choose button to select the CSV file with your Amazon account information. In the file requester, select the file, and then click Open. The selected file appears in the Import type:Add field.
  10. Click Next to continue in the wizard. The Preview File page shows the result of the data import.
  11. Click Import. The AWS user data is imported into the NIOS cloud admin list. The chosen AWS users now have access to the Infoblox AWS API Proxy.

Note

Ensure that those assigned AWS users are given the IP address of the API Proxy instead of using the API service endpoints for their work, because continuing to use the endpoints will bypass the Infoblox API Proxy and its AWS API extensions.


Setting Administrative Permissions for Infoblox vNIOS for AWS

For operation with the AWS API Proxy, your NIOS Cloud Admin account must have read-write permissions for the following NIOS feature sets:

  • IPAM permissions
  • DNS Permissions
  • Cloud permissions

The Cloud Admin account is assigned to the cloud-api-only administrative group in Grid Manager, as previously described in Assigning AWS User Credentials to the NIOS Cloud Admin Account. These permissions allow you to create all the important object types through the API Proxy in the AWS environment. You assign these permissions to the entire cloud-api-only administrative group in the Grid Manager.

  1. From the Administration tab, select the Administrators tab -> Permissions tab and then select the cloud-api-only group in the Groups table, expand the Toolbar and then click Add -> Global Permissions.
  2. In the Manage Global Permissions editor, from the Group Permission drop-down menu, ensure that cloud-api-only is already chosen.
  3. In the Permission Type drop-down menu, choose IPAM Permissions, and then select the Read/Write check boxes for the following: All Network Views, All IPv4 Networks, All Hosts, and All IPv4 Host Addresses.
  4. Save the configuration.
  5. Select the cloud-api-only group and then click Add -> Global Permissions.
  6. In the Manage Global Permissions editor, from the Permission Type drop-down menu, choose Cloud Permissions.
    • Select the Read/Write check box for All Tenants.
  7. Save the configuration.
  8. Select the cloud-api-only group and then click Add -> Global Permissions.
  9. From the Permission Type drop-down menu, choose DNS Permissions, and then select the Read/Write check boxes for the following categories: Grid DNS Properties, All DNAME Records, All Alias Records, All DNS Views, All NAPTR Records, All DNS Zones, All MX Records, All Hosts, All PTR Records, All IPv4 Host Addresses, All SRV Records, All A Records, All TXT Records, and All CNAME Records.
  10. Save the configuration.
    Grid Manager lists the entire set of updated cloud-api-only group permissions on the Permissions page.