Provider-Specific Credentials
Flexera One Automation supports the following provider-specific credentials. Click the appropriate provider link for further details.
| • | Flexera |
| • | AWS |
| • | Azure |
| • |
| • | Oracle |
Note:This section covers the steps required to create an Automation Credential for Policies that require:
| • | provider=flexera |
The Flexera One Platform supports OAuth2 for Automation Policies which need to interact with the Flexera One Platform. This section covers how to create an Generic Credentials in the Flexera Platform to enable usage of Automation Policies which use the Flexera Platform.
To create a OAuth2 Refresh Token Credential using the Automation user interface:
| 1. | Generate a refresh token following the steps in Generating a Refresh Token. |
| 2. | Navigate to the Credentials page (Automation > Credentials). |
The Credentials page appears.
| 3. | Click New Credential. An Add Credential screen appears. In the Add Credential screen do the following: |
| a. | From the Credential Type dropdown list, select OAuth2. |
| b. | In the Credential Name field, enter a name (for example, JDoe@flexera.com_RefreshToken). |
Note:The Credential Identifier field automatically populates based on the value entered in the Credential Name field and does not need to be modified in most scenarios.
| c. | Optionally, in the Credential Description field, provide a description for the credential (for example, Refresh Token associated with user JDoe@flexera.com) |
| d. | For the Grant Type, choose Refresh Token. |
| e. | In the Token URL field, enter the Login URL associated with the Flexera Zone which your Org is part of: |
|
Flexera Zone |
Token URL |
|
North America (app.flexera.com) |
https://login.flexera.com/oidc/token |
|
Europe |
https://login.flexera.eu/oidc/token |
|
APAC |
https://login.flexera.au/oidc/token |
| f. | For the Client Authentication Method, choose Token. |
| g. | In the Token field, enter the Flexera Refresh Token that you generated in Step 1. |
| h. | In the Provider field, enter flexera (must be all lowercase). |
| i. | Click Validate. |
Note:This section covers the steps required to create an Automation Credential for Policies that require:
| • | provider=aws |
Flexera supports multiple authentication types for AWS, with Cross-Account Roles being the preferred method per AWS best practices.
No matter which method you use, you will need to ensure that the AWS IAM Role (or user) has enough permissions to successfully evaluate the policy and take remediation actions (if so desired). All Flexera-built policies (see List of Flexera Policies) contain the required permissions in their readme.
Click the appropriate link to learn more about the following AWS authentication types.
| • | Security Token Service (STS) Cross-Account Roles |
| • | AWS IAM User |
Security Token Service (STS) Cross-Account Roles
The preferred method for connecting to AWS, cross-account roles provide a method for you to grant Flexera access to your account in a defined and constrained way.
See the following information for creating this AWS authentication type.
| • | Automation User Interface for AWS STS |
| • | AWS STS Multi-Account Credential Usage |
| • | AWS STS Multi-Account Credential Usage Troubleshooting |
| • | AWS STS API Usage |
| • | AWS STS Key Rotation |
Automation User Interface for AWS STS
To create an AWS STS cross-account role using the Automation user interface, perform the following steps.
To create an AWS STS cross-account role using the Automation user interface:
| 1. | In Flexera One, navigate to the Automation menu and click Credentials. The Credentials screen appears. |
| 2. | Click New Credential. The Add Credential screen appears. |
| 3. | In the Credential Type field, select the AWS Security Token Service (STS) Cross-Account Role. |
| 4. | In AWS, follow the AWS instructions and perform the following. |
| a. | During the role creation process in AWS, select Require external ID. |
| b. | In AWS, enter the Account ID and the External ID. Both of these values are shown in the Flexera One Automation Add Credentials page once you've selected the AWS Security Token Service (STS) Cross-Account Role. |
| c. | Specify which AWS permission policies are attached to the role based on the Flexera policies that you will be using. |
| 5. | Once the role has been created in AWS, select it and copy the Role ARN value. |
| 6. | Paste the AWS Role ARN value into the Role ARN field of the Flexera One Automation Add Credentials page. |
AWS STS Multi-Account Credential Usage
When creating an AWS STS role across multiple AWS accounts with the same role name and permissions (see Best Practice below), you may skip steps 5 and 6 in Automation User Interface for AWS STS for each AWS account after the first account.
Best Practice:Permissions can be varied between the roles as long as the use case permission is included in all. Best practice is to keep permissions the same to avoid confusion during credential application.
To create a Flexera One Automation AWS STS credential for two or more AWS accounts, perform the following steps.
To create a Flexera One Automation AWS STS credential for two or more AWS accounts:
| 1. | Follow the steps in Automation User Interface for AWS STS for the first AWS account. Write down the AWS role ARN for reference. |
| 2. | Follow the Automation User Interface for AWS STS steps again for the second AWS account except skip step 5 and step 6. During step 4, make sure you attach the same AWS policy as the first credential or have overlapping permissions for the intended use case. The second credential must have the same role name as the first and must have the same account ID and external ID (provided by the Flexera One Automation Add Credential page, which is accessed by clicking New Credential from the Credentials page). |
| 3. | Verify the ARN for the newly created role is identical to the one you wrote down for reference from the earlier created role except for the account number. For example if you had two accounts (123456789012 and 246802468024) and used a role name of "MultiAccountSignerTest" the ARNs would be: arn:aws:iam::123456789012:role/MultiAccountSignerTest and arn:aws:iam::246802468024:role/MultiAccountSignerTest. |
| 4. | Select a Policy which uses aws-sts credentials and is enabled for multi-account credential use. Policies which are enabled for multi-account credential will accept a parameter for an aws_account_number. If a policy does not accept a parameter for aws_account_number, it will require a separate credential for each AWS account it needs to be run on. |
| 5. | Apply the policy with the credential you created to run the policy on the first account. When asked to provide an aws_account_number parameter, you can leave this parameter unchanged (UI) or do not include it (API) as you are intending to use the credential to authenticate the AWS account used to create the credential. |
| 6. | Apply the policy a second time to run on the second AWS account. To accomplish this, select the credential you created for the first account, but also pass the second AWS account's id as the aws_account_number parameter. In the use case where roles were created with ARNs of arn:aws:iam::123456789012:role/MultiAccountSignerTest and arn:aws:iam::246802468024:role/MultiAccountSignerTest and a credential was created using the first ARN, you would pass 246802468024 as the aws_account_number to have the policy run on the second account. |
| 7. | For use cases with more than two AWS accounts, subsequent accounts can follow the same steps used to set up the second AWS account. |
AWS STS Multi-Account Credential Usage Troubleshooting
| • | Verify the role on the AWS account in issue has the necessary permissions. |
| • | Verify the role on the AWS account has the same account ID and external ID as the credential in the Flexera One Automation Credentials page (Automation > Credentials). |
| • | Verify the credential role name is the same as the credential in the Flexera One Automation Credentials page. The role name is located at the end of the arn: arn:aws:iam::{aws_account_Number}:role/{role_name} |
| • | For any confusion on whether or not to use an aws_account_number parameter, verify by viewing the credential and checking its ARN, which is formatted similar to this: "arn:aws:iam::123456789012:role/RoleName". In the case that the aws_account_number in the middle of the ARN is the same as the account the credential is being used on, there is no need to provide an aws_account_number. If it is not the same, provide that number to the parameter. |
To create an AWS STS using the Credentials API, use the scheme aws_sts.
The standard provider name to match credentials in Flexera-built policies for AWS is aws.
Tags are provided in the payload for creation and update of a credential using the following format: "tags": [{"key":"provider","value":"aws"}].
This type of credential does not need to have keys rotated.
Per AWS best practices, Flexera strongly considers using the STS Cross-Account role method documented above instead of an IAM user. If you still wish to use an IAM user, follow the instructions below.
| • | Automation User Interface for AWS IAM Users |
| • | AWS IAM User API Usage |
| • | AWS IAM User Key Rotation |
Automation User Interface for AWS IAM Users
To create an AWS IAM user using the Automation user interface, perform the following steps.
To create an AWS IAM user using the Automation user interface:
| 1. | In Flexera One, navigate to the Automation menu and click Credentials. The Credentials screen appears. |
| 2. | Click New Credential. The Add Credential screen appears. |
| 3. | In the Credential Type field, select AWS IAM User. |
| 4. | In AWS, follow the Creating an IAM user in your AWS account instructions and perform the following. |
| a. | For Access type, select Programmatic access. |
| b. | Specify which AWS permission policies are attached to the role based on the Flexera policies that you will be using. |
| 5. | Once the user has been created in AWS, copy the Access key ID and click the Show link to expose and copy the Secret access key. |
| 6. | Paste the Access key ID and the Secret access key into the corresponding fields of the Flexera One Automation Add Credentials page. |
To create an AWS IAM user credential using the Credentials API, use the scheme aws.
The standard provider name to match credentials in Flexera-built policies for AWS is aws.
Tags are provided in the payload for creation and update of a credential using the following format: "tags": [{"key":"provider","value":"aws"}].
Perform the following steps to rotate the AWS IAM key in Flexera One Automation.
To rotate the AWS IAM key:
| 1. | From the Automation menu, click Credentials. The Credentials screen appears. |
| 2. | Select the credential and click Edit. |
| 3. | Copy and paste the new AWS Access key ID and the Secret access key into the corresponding fields of the Flexera One Automation Add Credentials page. Any policy using the credential will use the new keys the next time it is evaluated. |
Note:This section covers the steps required to create an Automation Credential for Policies that require:
| • | provider=azure_rm |
| • | provider=azure_ea |
| • | provider=azure_graph |
| • | provider=azure_log |
| • | provider=azure_storage |
Microsoft Azure provides multiple APIs with different authentication types for different capabilities. Depending on the policy you may need to set up one or multiple different credential types. Each policy specifies which kind of credential is required.
Click the appropriate link to learn more about the following Azure authentication types.
| • | Azure Resource Manager |
| • | Azure Enterprise Agreement |
The Azure Resource Manager (ARM) APIs provide the ability to gather data and interact with resources in subscriptions via App Registrations.
See the following information for creating this Azure authentication type.
| • | Automation User Interface for Azure Resource Manager |
| • | Azure Resource Manager API Usage |
| • | Azure Resource Manager Key Rotation |
Automation User Interface for Azure Resource Manager
To create an Azure Resource Manager authentication type using the Automation user interface, perform the following steps.
To create an Azure Resource Manager authentication type using the Automation user interface:
| 1. | In Flexera One, navigate to the Automation menu and click Credentials. The Credentials screen appears. |
| 2. | Click New Credential. The Add Credential screen appears. |
| 3. | In the Credential Type field, select Microsoft Azure Resource Manager. |
| 4. | To learn more about Azure app registrations and how to create them, see the Azure documentation and perform the following: |
| a. | When creating your app registration, select the account type of: Accounts in this organizational directory only (<YOUR DIRECTORY NAME HERE> only - Single tenant). |
| b. | Once you've created the app registration, get a client secret for it in the Certificates & Secrets page by creating a New client secret. Take care if selecting an expiration date for the client secret to set a reminder to rotate the credential in Flexera Automation before it expires. |
| 5. | After creating the Azure app registration, follow the Microsoft instructions for granting the app access to your subscriptions. Take note that Flexera-built policies using the credential will run against all subscriptions the app has access to. |
| 6. | Copy the following information from Azure and paste it in the corresponding Add Credential field in Flexera Automation. |
|
Automation Credential Field |
Azure Value |
|
Tenant ID |
Directory (tenant) ID |
|
Client ID |
Application (client) ID |
|
Client Secret |
“Client secret” Value Tip:Note the client secret expiration date, so you can rotate the credential before it expires. |
| 7. | For the Resource field in the Add Credential screen of Flexera Automation, select the type of service that this credential will be used to interact with. If the app registration can interact with all services, a separate credential resource will need to be created for each one. |
|
Automation Resource Field Value |
Description |
|
Resource Management |
Used for policies that interact with the Azure Resource Manager (ARM) APIs |
|
Azure Active Directory |
Used for policies that interact with the Microsoft Active Directory (AD) (sometimes called Graph) API |
|
Log Analytics |
Used for policies that interact with Azure Log Analytics to gather detailed metrics on resource usage |
Azure Resource Manager API Usage
To create Azure Resource Manager credentials using the Credentials API, perform the following steps.
To create Azure Resource Manager credentials using the Credentials API:
| 1. | Use the scheme oauth2 with the following values. |
|
Field |
Azure Resource Manager Value |
|
grant_type |
client_credentials |
|
token_url |
Directory (tenant) ID formatted as: https://login.windows.net/{TENANT_ID}/oauth2/token. Example: https://login.windows.net/123456789-1234-1234-1234-123456789012/oauth2/token Note:This value can also be found by clicking Endpoints and copying the endpoint titled OAuth 2.0 token endpoint (v1). |
| 2. | Submit the request with the client_credentials_params hash populated with the following values. |
|
Field |
Azure Resource Manager Value |
|
client_id |
Application (client) ID |
|
client_secret |
“Client secret” Value Tip:Note the client secret expiration date, so you can rotate the credential before it expires. |
|
additional_params |
Set the resource field to the value corresponding to the service this credential will be used for. Valid values are listed below. |
| 3. | For the Flexera Automation Resource field value, select the type of service that this credential will be used to interact with. If the app registration can interact with all services, a separate credential resource will need to be created for each one. |
|
Automation Resource Field Value |
Description |
|
“https://management.azure.com” |
Used for policies that interact with the Azure Resource Manager (ARM) APIs |
|
“https://graph.microsoft.com” |
Used for policies that interact with the Microsoft Active Directory (AD) (sometimes called Graph) API |
|
“https://api.loganalytics.io” |
Used for policies that interact with Azure Log Analytics to gather detailed metrics on resource usage |
|
“https://my_azure_storage_account.blob.core.windows.net” |
Used for policies that interact directly with storage accounts. Replace my_azure_storage_account with the name of the storage account. One credential must be created for every storage account. |
The standard provider name to match credentials in Flexera-built policies for Azure Resource Manager is: azure_rm.
Tags are provided in the payload for creation and update of a credential using the following format: "tags": [{"key":"provider","value":"azure_rm"}].
Azure Resource Manager Key Rotation
Perform the following steps to rotate the Azure Resource Manager key in Flexera One Automation.
To rotate the Azure Resource Manager key:
| 1. | From the Automation menu, click Credentials. The Credentials screen appears. |
| 2. | Select the credential and click Edit. |
| 3. | Copy and paste the new Azure client secret value into the corresponding field of the Flexera One Automation Add Credentials page. Any policy using the credential will use the new keys the next time it is evaluated. |
The Azure Enterprise Agreement (EA) Reporting APIs provide the ability to gather information primarily related to billing and consumption data.
See the following information for creating this Azure authentication type.
| • | Automation User Interface for Azure Enterprise Agreement |
| • | Azure Enterprise Agreement API Usage |
| • | Azure Enterprise Agreement Key Rotation |
Automation User Interface for Azure Enterprise Agreement
To create an Azure Enterprise Agreement authentication type using the Automation user interface, perform the following steps.
To create an Azure Enterprise Agreement authentication type using the Automation user interface:
| 1. | In Flexera One, navigate to the Automation menu and click Credentials. The Credentials screen appears. |
| 2. | Click New Credential. The Add Credential screen appears. |
| 3. | In the Credential Type field, select Microsoft Azure Enterprise Agreement Key. |
| 4. | Follow the Microsoft instructions on how to “Generate or retrieve the API key”. Take note of the key's expiration date and set a reminder to rotate the credential in Flexera Automation before it expires. |
| 5. | Copy and paste the API key value in the Key field of the Flexera Automation Add Credential screen. |
Azure Enterprise Agreement API Usage
To create Azure Enterprise Agreement credentials using the Credentials API, perform the following step.
Use the scheme api_key with the following values.
|
Field |
Azure Enterprise Agreement Value |
|
location |
“header” |
|
field |
“Authorization” |
|
type |
“Bearer” |
|
key.data |
Enter the API key retrieved from Microsoft |
|
key.type |
“plain” |
The standard provider name to match credentials in Flexera-built policies for Azure Enterprise Agreement is: azure_ea.
Tags are provided in the payload for creation and update of a credential using the following format: "tags": [{"key":"provider","value":"azure_ea"}].
Azure Enterprise Agreement Key Rotation
Perform the following steps to rotate the Azure Enterprise Agreement key in Flexera One Automation.
To rotate the Azure Enterprise Agreement key:
| 1. | From the Automation menu, click Credentials. The Credentials screen appears. |
| 2. | Select the credential and click Edit. |
| 3. | Copy and paste the new API key value into the corresponding field of the Flexera One Automation Add Credentials page. Any policy using the credential will use the new keys the next time it is evaluated. |
Note:This section covers the steps required to create an Automation Credential for Policies that require:
| • | provider=gce |
In Google cloud, service accounts are the preferred method for API authentication.
See the following information for creating a Google authentication type.
| • | Automation User Interface for Google |
| • | Google API Usage |
| • | Google Key Rotation |
Automation User Interface for Google
To create a Google authentication type using the Automation user interface, perform the following steps.
To create a Google authentication type using the Automation user interface:
| 1. | In Flexera One, navigate to the Automation menu and click Credentials. The Credentials screen appears. |
| 2. | Click New Credential. The Add Credential screen appears. |
| 3. | In the Credential Type field, select Google Compute Engine Service Account. |
| 4. | Follow the Google documentation to create a service account and perform the following: |
| a. | Grant the service account access to whichever GCE projects you want, taking note that Flexera-built policies using the credential will run against all projects the app has access to. |
| b. | When creating the key, choose the JSON key type, which will download a JSON file onto your machine. |
| 5. | In the Flexera One Automation Add Credential screen, click the Private Key JSON File button to select the file that you just downloaded. |
To create Google credentials using the Credentials API, perform the following steps.
To create Google credentials using the Credentials API:
| 1. | Use the scheme oauth2 with the following values. |
|
Field |
Google Value |
|
grant_type |
“jwt_bearer” |
|
token_url |
“https://accounts.google.com/oauth2/v4/token” |
| 2. | Submit the request with the jwt_bearer_params hash populated with the following values. |
|
Field |
Google Value |
|
additional_claims.scope |
“https://www.googleapis.com/auth/cloud-platform” |
|
alg |
“RS256” |
|
aud |
"" |
|
max_minutes |
“60” |
|
iss.data |
The value of client_email from the JSON file (without the quotes) |
|
iss.type |
“plain” |
|
signing_key.data |
The value of private_key from the JSON file (without the quotes) |
|
signing_key.type |
“plain” |
The standard provider name to match credentials in Flexera-built policies for Google is: gce.
Tags are provided in the payload for creation and update of a credential using the following format: "tags": [{"key":"provider","value":"gce"}].
Perform the following steps to rotate the Google credential in Flexera One Automation.
To rotate the Google credential:
| 1. | From the Automation menu, click Credentials. The Credentials screen appears. |
| 2. | Select the credential and click Edit. |
| 3. | In the Flexera One Automation Add Credential screen, click the Private Key JSON File button to select the new JSON file that you just downloaded. Any policy using the credential will use the new keys the next time it is evaluated. |
Note:This section covers the steps required to create an Automation Credential for Policies that require:
| • | provider=oracle |
Oracle Cloud Infrastructure recommends using Oracle API Signing Keys for authenticating with Oracle Cloud APIs.
See the following information for creating an Oracle authentication type.
| • | Automation User Interface for Oracle |
| • | Oracle API Usage |
| • | Oracle Key Rotation |
Automation User Interface for Oracle
The Oracle authentication type is not yet supported in the Flexera One Automation user interface.
Follow the Oracle Cloud API Signing Key guide to create an Oracle API Signing key.
To create Oracle credentials using the Credentials API, use the scheme oracle with the following values.
|
Field |
Oracle Value |
|
fingerprint.type |
“plain” |
|
fingerprint.data |
Value of fingerprint returned after creating API key in Oracle Cloud |
|
password.type |
“plain” |
|
password.data |
Password used to encrypt the private key (This is an optional field. Provide the password only if you have used a password to encrypt your private key.) |
|
privateKey.type |
“plain” |
|
privateKey.data |
Private Key (in PEM format) equivalent of the public key used to create Oracle Cloud API key |
|
tenancyOcid.data |
“plain” |
|
tenancyOcid.type |
Oracle Cloud Identifier of your tenancy |
|
userOcid.type |
“plain” |
|
userOcid.data |
Oracle Cloud Identifier of the user calling the API |
To rotate the Oracle credential, use the Update Oracle Credential API. Any policy using the credential will use the new keys the next time it is evaluated.