Configuring Connections to AWS EC2 using IAM Roles

FlexNet Manager Suite 2020 R1 (On-Premises)

Before you begin

Ensure you read the background information and prerequisites before beginning this task. See Managing AWS EC2 Connections

To configure an initial data connection to your AWS EC2 service using role-base access:

  1. Using the email address saved by your AWS account owner for your AWS account, sign into AWS and open the IAM console at https://console.aws.amazon.com/iam.
    You will create both policies and the user account through this console.
  2. Create the policy to access your EC2 service:
    1. In the navigation pane on the left, choose Policies.
    2. Click Create policy.
    3. Click Choose a service and select EC2.
    4. In the Actions section, expand the List access level.
    5. Select the following access levels to allow collection of inventory data from AWS:
      • DescribeInstances
      • DescribeHosts
      • DescribeReservedInstances
    6. Click Add additional permissions.
    7. Click Choose a service and select IAM.
    8. In the Actions section, expand the List access level.
    9. Select the following access levels to allow collection of inventory data from IAM:
      • ListAccountAliases
    10. Click Review policy and give this policy a suitable and unique Name (for example, ListEC2ForFNMS). Optionally, you may also add a Description to assist with future maintenance.
    11. Click Create policy.
  3. Create the policy to access your IAM service:
    1. Once, again, in the navigation pane on the left, choose Policies.
    2. Click Create policy.
    3. Click Choose a service and select IAM.
    4. In the Actions section, expand the Read access level and select the following access levels which will be used to validate the connection to AWS and enable you to implement a connection using an IAM User.
      • GetUser
      • GetPolicy
      • GetPolicyVersion
    5. In the Actions section, expand the List access level and select the ListAttachedUserPolicies.
      This access level allows the test connection and allows the inventory beacon to discover which roles can be assumed by the user so that the role can be assumed, and the necessary permissions can be acquired to collect inventory.
    6. Still in the List access level, you can optionally select the following permissions.
      Because this tutorial attaches the security policies directly to the user, the following action levels are not mandatory. If however, you instead choose to attach the policies to a group which one or more users belong too, then those users will inherit those policies. Groups offer convenience by allowing you to specify permissions for multiple users with these exact permissions.
      • ListGroupsForUser
      • ListAttachedGroupPolicies
    7. Click Choose a service and select STS.
    8. In the Actions section, expand the Write access level and select the AssumeRole policy.
    9. Expand the Resources section and explicitly add the Role ARNs by selecting Add ARN and supplying the Account number of the account you are currently configuring, and the role name for the role which you will configure in a later step (The suggested name will be ListEC2ForFNMSRole).
      Do not select the All Resources option.
    10. If you are going to collect inventory from multiple accounts with this connection, repeat the above step adding every account number and role name which will be assumed (you will create the role on each account at a later stage).
    11. Click Review policy and give this policy a suitable and unique Name (for example, ReadRolesForFNMS). Optionally, you may also add a Description to assist with future maintenance.
    12. Click Create policy.
  4. Create a role to be assumed by an IAM User:
    1. Navigate to the IAM service.
    2. In the navigation pane, click Roles and then click Create role.
    3. Click Another AWS account.
    4. In the Account ID text box, enter the account ID that contains the IAM User.
    5. Optionally select the Require external ID check box and enter an external ID into the External ID text box.
      Setting an external ID is optional, however it is best practice when a third party will assume this role.
      If you are creating the role on multiple accounts, ensure you use the same external ID each time.
      You will enter this value at a later step so copy it to a convenient location.
    1. Click Next: Permissions.
    2. Search and select the first policy you created (the suggested name was ListEC2ForFNMS).
    3. Click Next: Tags and optionally assign any tags according to your needs.
    4. Click Next: Review and give this role a suitable and unique Name (such as ListEC2ForFNMSRole) Optionally, you may also add a Description to assist with future maintenance.
    5. Click Create role.
  5. If you want to collect from multiple accounts using a single connection, you must repeat Step 2 - Create the policy to access your EC2 service and Step 4 -Create a role to be assumed by an IAM User on every account that you want to collect inventory from.
    You do not need to repeat the step to add the AssumeRole policy on each account, this is only needed for the initial account where the IAM User is created.
  6. Create the IAM User account that will collect data on schedule:
    1. In the navigation pane on the left, click Users and then click Add user.
    2. In the User name field, create a name for the account (for example, FNMSUser).
    3. For the Access type, select the Programmatic access check box.
    4. Click Next: Permissions.
    5. In the Set permissions section, click Attach existing policies directly.
    6. Search, and select the policy you created previously (the suggested name was ReadRolesForFNMS).
    7. Click Review and validate your settings.
    8. Click Create user.

      The AWS management console displays a Success status, and the Access key and the Secret access key for the account are shown. It also provides a link to download these critical details in a .csv file.

      Warning: Be sure to secure the credentials for future use. Once you leave the window, you will not be able to access the Secret access key again. Copy them from this page and save for the rest of this procedure; but also preserve the .csv file.

    9. Download the .csv file containing the Access key ID and the Secret access key for the account and save in a secure location.
  7. Log into FlexNet Beacon as administrator and confirm the schedule for data collection from AWS.
    Some data on AWS is ephemeral: for example, a terminated instance disappears within an hour of you implementing that decision. As well, some licenses (such as IBM PVU) require that you monitor peak consumption not more than 30 minutes apart. For reasons like these, recommended best practice is to schedule data collection from AWS every 30 minutes. A default schedule AWS imports exists in the Data collection > Scheduling page of FlexNet Beacon for this purpose. If you have reason to modify this default, it is convenient to modify the schedule before setting up the connection. See Modifying a Schedule if you need assistance.
    Tip: Don't change the name of the schedule, so that it can be automatically linked to your AWS EC2 connection. (If you make the mistake of changing the name of this schedule, the default schedule is automatically restored with the default name at the next policy check.)
  8. Configure the connection to AWS:
    1. In the FlexNet Beacon interface, select the Inventory Systems page.
    2. To create a new connection, click the down arrow on the right of the New split button and choose PowerShell.
      Tip: You can also edit a connection you have defined previously, by selecting it from the list of connections and clicking Edit....
    3. In the dialog that appears, complete (or modify) the following required fields:
      • In the Connection Name text box, enter a name for this inventory collection. This will become the name of this data import task in FlexNet Manager Suite.
      • From the Source Type list, select Amazon Web Services
      • In the Access Key text, paste the access key value which you can copy from the credentials .csv file you downloaded from AWS.
      • In the Secret Access Key text box, paste the secret access key value which you can copy from the downloaded .csv file.
      • In the External ID text box, if you configured an External ID when creating the role, copy and paste it here.
    4. If a proxy server is in use between the inventory beacon and AWS, also select the Use Proxy check box, and complete the following additional details:
      • Proxy Server: Enter the address of the proxy server using HTTP, HTTPS, or an IP address. Use the format https://ProxyServerURL:PortNumber, http://ProxyServerURL:PortNumber, or IPAddress:PortNumber). If the protocol is omitted, it defaults to http:. If the port number is omitted, it defaults to :80 for http, or 443 for https.
      • Username and Password: If your enterprise is using an authenticated proxy, specify the credentials to access the proxy server you just identified.
    5. Click Test Connection.
      • If a Test connection failed message displays, click OK to close the message, review and correct the connection details, and retest the connection. You cannot save the connection details if the connection test fails. If you cannot get the connection test to succeed, click Cancel to cancel the addition of these connection details, and seek further assistance.
      • If, instead, the inventory beacon can successfully access the AWS APIs using the details supplied, a Test connection succeeded message displays. Click OK to close the message. Click Save to add the connection to (or update it in) the list.
Your saved connection is also automatically linked to the AWS imports schedule (editable in the Scheduling page in the Data collection group), and the Next run column shows when the next import from AWS EC2 is due.

FlexNet Manager Suite (On-Premises)

2020 R1