Configuring Connections to AWS (FlexNet Beacon Installed on EC2 instance) using IAM Roles

IT Asset Management (Cloud)
Before you begin
Ensure you read the background information and prerequisites before beginning this task (see Managing AWS Connections).

Remember: Any installation of FlexNet Beacon requires Internet access so that it can connect to the central application server for IT Asset Management to upload collected inventories and download changed policies.
To configure an initial data connection to your AWS services using role-based access:

1. Using the email address that your AWS account owner saved for your AWS account, sign in to the AWS Management Console at https://console.aws.amazon.com/iam. You will create both policies and the role through this console.
2. In the Security, Identity & Compliance section, click IAM.
3. Create the policy to access your EC2 and RDS services:
   - In the navigation pane on the left, choose Policies.
   - Click Create policy. The Create policy visual editor displays.
   - Click Choose a service and click EC2.
   - In the Actions section, click Select actions.
   - In the Access level groups section, expand the List access level and select the following actions, which enable collection of inventory data from AWS:
     - DescribeInstances
     - DescribeHosts
     - DescribeReservedInstances
   - Click Add additional permissions.
   - Click Choose a service and select IAM.
   - In the Actions section, expand the List access level and select ListAccountAliases. This policy grants the access needed to collect the inventory.
   - Click Add additional permissions.
   - Click Choose a service and select RDS.
   - In the Actions section, expand the List access level.
   - Select the following action to allow collection of inventory data from RDS:
     - DescribeDBInstances
   - Against the Resources heading, click Specify db resource ARN for the DescribeDBInstances action.
   - In the Create policy page, in the Visual editor > RDS > Resources section, click Add ARN to open the Add ARN(s) dialog.
   - Choose the regions, accounts, and instance names needed to include any Oracle Database instances running in Amazon RDS that must be discovered for inventory collection. Finally, click Add to save your specification.
   - Click Next: Tags to open the Add tags (Optional) page. These tags are not required for inventory gathering by IT Asset Management, but you may add any tags that help you manage your AWS services.
   - Click Next: Review.
   - In the Name text box, enter a suitable and unique policy name, for example ListInventoryForFNMS.
   - Optionally, enter a description in the Description text box to assist with future maintenance.
   - Review your policy and then click Create policy.
4. Create the policy to access your IAM service:
   - In the navigation pane, choose Policies.
   - Click Create policy.
   - Click Choose a service and select IAM.
   - In the Actions section, expand the Read access level and select the following actions, which are used to retrieve details of the roles that can be assumed (if configuring cross-account access) and to test the connection:
     - GetRole
     - GetPolicy
     - GetPolicyVersion
   - In the Actions section, expand the List access level and select the ListAttachedRolePolicies action.
   - If you want to configure roles on other accounts to collect inventory from multiple accounts using the one connection, complete these steps:
     - Click Choose a service and select STS.
     - In the Actions section, expand the Write access level and select the AssumeRole action.
     - Expand the Resources section and select Add ARN.
     - Enter the Account number and the role name, and click Add. Repeat for each role you will configure on other accounts to allow collection of inventory from those accounts using one connection. (The roles are created in Step 5 and Step 6, and the suggested name is ListEC2ForFNMSRole.)
       Note: Do not select the All Resources option.
   - Click Next: Tags to open the Add tags (Optional) page. These tags are not required for inventory gathering by IT Asset Management, but you may add any tags that help you manage your AWS services.
   - Click Next: Review.
   - In the Name text box, enter a unique policy name (for example, ReadRoleForFNMS).
   - In the Description text box, optionally enter a description for this policy to assist with future maintenance.
   - Click Create policy.
5. Create a role to be assumed by an EC2 instance:
   - Navigate to the IAM service.
   - In the navigation pane, click Roles and then click Create role.
   - Click AWS service.
   - From the Choose the service that will use this role list, select EC2.
   - Click Next: Permissions.
   - Search for and select the following policies:
     - The first policy you created (the suggested name was ListInventoryForFNMS).
     - The second policy you created (the suggested name was ReadRoleForFNMS).
   - Click Next: Tags and assign any tags according to your needs.
   - Click Next: Review and give this role a suitable and unique Name (such as ListEC2ForFNMSRole). Optionally, you may also add a Description to assist with future maintenance.
   - Click Create role.
6. If you want to collect inventory from multiple accounts using a single connection, complete the following steps on every account that you want to collect inventory from:
   - Repeat Step 3 (Create the policy to access your EC2 and RDS services) as documented above.
   - Next, create a role to be assumed by an EC2 instance as follows:
     - Navigate to the IAM service.
     - In the navigation pane, click Roles and then click Create role.
     - Click Another AWS account.
     - In the Account ID text box, enter the account ID for the account where the first role was created.
     - Optionally, for increased security, select the Require external ID check box and enter an external ID into the External ID text box.
       Note: If you are creating the role on multiple accounts, ensure you use the same external ID each time.
     - Click Next: Permissions.
     - On the Attached permissions policy page, search for and select the policy you created above (the suggested name was ListInventoryForFNMS).
     - Click Next: Tags and assign any tags according to your needs.
     - Click Next: Review and give this role a suitable and unique Name (such as ListEC2ForFNMSRole). Optionally, you may also add a Description to assist with future maintenance.
     - Click Create role.
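The console clicks in Steps 3, 4 and 6 each produce an IAM JSON document. As an added example (not Flexera's code and not part of this procedure), the Python below constructs those three documents (the ListInventoryForFNMS and ReadRoleForFNMS identity policies, and the trust policy of the sub-account ListEC2ForFNMSRole) and runs a least-privilege check over them: every allowed action must be a Describe/Get/List call, sts:AssumeRole must name specific role ARNs rather than a wildcard (the "Do not select the All Resources option" note), and the cross-account trust must require the shared External ID. The account IDs, the external ID and the RDS ARN pattern are constructed placeholders, not values from any real account.

```python
"""Construct and lint the IAM documents behind Steps 3, 4 and 6 (added example)."""
import json

MANAGEMENT_ACCOUNT = "111111111111"  # placeholder: account hosting the beacon's EC2 instance
MEMBER_ACCOUNT = "222222222222"      # placeholder: a sub-account inventoried via AssumeRole
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"  # placeholder: must be identical on every sub-account role
ROLE_NAME = "ListEC2ForFNMSRole"     # suggested role name from the procedure
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def inventory_policy(account_id):
    """Step 3: the read-only actions the beacon uses to collect EC2/RDS inventory."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeHosts",
                    "ec2:DescribeReservedInstances", "iam:ListAccountAliases"],
         "Resource": "*"},  # these Describe/List calls accept no resource-level scoping
        {"Effect": "Allow",
         "Action": "rds:DescribeDBInstances",
         # placeholder pattern: narrow it to the regions/instances that must be discovered
         "Resource": f"arn:aws:rds:*:{account_id}:db:*"},
    ]}


def read_role_policy(member_accounts):
    """Step 4: role introspection for the connection test, plus AssumeRole into each
    named sub-account role (specific ARNs, never the All Resources wildcard)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:GetRole", "iam:GetPolicy", "iam:GetPolicyVersion",
                    "iam:ListAttachedRolePolicies"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "sts:AssumeRole",
         "Resource": [f"arn:aws:iam::{acct}:role/{ROLE_NAME}" for acct in member_accounts]},
    ]}


def trust_policy(trusted_account, external_id):
    """Step 6: trust policy of the sub-account role. Choosing 'Another AWS account' and
    'Require external ID' in the console yields this document."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": external_id}}},
    ]}


def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def check_identity_policy(policy):
    """Return problems: any write-capable action, or sts:AssumeRole on a wildcard resource."""
    problems = []
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        resources = _as_list(st.get("Resource", []))
        for action in _as_list(st["Action"]):
            name = action.split(":", 1)[-1]
            if action == "sts:AssumeRole":
                if any(r == "*" or r.endswith("/*") for r in resources):
                    problems.append("sts:AssumeRole must list specific role ARNs, not a wildcard")
            elif not name.startswith(READ_ONLY_PREFIXES):
                problems.append(f"non read-only action in inventory policy: {action}")
    return problems


def check_trust_policy(policy, trusted_account, external_id):
    """Return problems: trust that skips the External ID or names the wrong principal."""
    problems = []
    for st in _as_list(policy["Statement"]):
        if "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = str(st.get("Principal", {}).get("AWS", ""))
        if principal == "*" or trusted_account not in principal:
            problems.append(f"trust must name account {trusted_account}, got {principal!r}")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            problems.append("trust policy does not require the shared External ID")
    return problems


if __name__ == "__main__":
    docs = {
        "ListInventoryForFNMS": inventory_policy(MANAGEMENT_ACCOUNT),
        "ReadRoleForFNMS": read_role_policy([MEMBER_ACCOUNT]),
        f"{ROLE_NAME} trust policy": trust_policy(MANAGEMENT_ACCOUNT, EXTERNAL_ID),
    }
    for name, doc in docs.items():
        print(f"# {name}\n{json.dumps(doc, indent=2)}\n")
    print("identity:", check_identity_policy(docs["ListInventoryForFNMS"]),
          check_identity_policy(docs["ReadRoleForFNMS"]))
    print("trust:", check_trust_policy(docs[f"{ROLE_NAME} trust policy"],
                                       MANAGEMENT_ACCOUNT, EXTERNAL_ID))
```

The printed documents can be pasted into the JSON tab of the console's Create policy page (or the role's Trust relationships tab) instead of clicking through the visual editor; an empty problems list from the two check functions means the documents match the constraints the procedure sets. Running the checks against a policy that grants sts:AssumeRole on "*" or a trust without the External ID condition reports the specific violation.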
7. Assign an IAM role to an EC2 instance:
   - Log back into the original account where Steps 1-5 were followed.
   - Navigate to the EC2 service.
   - In the navigation pane on the left, click Instances and then click the EC2 instance with an inventory beacon installed on it.
   - Click Actions (located above your instances), navigate to Instance Settings, and then click Attach/Replace IAM Role.
   - Select the role you previously created (the suggested name was ListEC2ForFNMSRole) from the combo box next to IAM role.
   - Click Apply and then click Close.
8. Log into FlexNet Beacon as administrator, and confirm the schedule for data collection from AWS.
   Some data on AWS is ephemeral: for example, a terminated instance disappears within an hour of you implementing that decision. As well, some licenses (such as IBM PVU) require that you monitor peak consumption not more than 30 minutes apart. For reasons like these, recommended best practice is to schedule data collection from AWS every 30 minutes. A default schedule, AWS imports, exists in the Data collection > Scheduling page of FlexNet Beacon for this purpose. If you have reason to modify this default, it is convenient to modify the schedule before setting up the connection. See Modifying a Schedule if you need assistance.
   Tip: Don't change the name of the schedule, so that it can be automatically linked to your AWS EC2 connection. (If you make the mistake of changing the name of this schedule, the default schedule is automatically restored with the default name at the next policy check.)
9. Configure the connection to AWS:
   - In the FlexNet Beacon interface, select the Inventory Systems tab.
   - To create a new connection, click the down arrow on the right of the New split button and choose PowerShell.
     Tip: You can also edit a connection you have defined previously, by selecting it from the list of connections and clicking Edit....
   - In the dialog that appears, complete (or modify) the following required fields:
     - In the Connection Name text box, enter a name for this inventory connection. This will be the name of this data import task in IT Asset Management.
     - From the Source Type list, select Amazon Web Services.
     - In the External ID text box, if you entered an external ID when creating roles to access multiple accounts, copy and paste that External ID here.
       Note: The same External ID must be used across every account where a role is assumed. For example, if you have one primary account and two sub-accounts with roles that require the External ID 12345, you must specify 12345 in the inventory beacon as well as when creating the role for each sub-account. A separate connection is needed for different External IDs.
     - The Adapter Type defaults to AWS Config. For this method, select Direct as the adapter type. Direct connects directly to each account in AWS to return inventory.
     - Leave the Access Key and Secret Access Key fields blank, as they are not required for this method.
   - Click Test Connection.
     - If a Test connection failed message displays, click OK to close the message, review and correct the connection details, and retest the connection. You cannot save the connection details if the connection test fails. If you cannot get the connection test to succeed, click Cancel to cancel the addition of these connection details, and seek further assistance.
     - If, instead, the inventory beacon can successfully access the AWS APIs using the details supplied, a Test connection succeeded message displays. Click OK to close the message and click Save to add the connection to (or update it in) the list.

If the subsequent import does not provide the expected results, see Troubleshooting Your AWS Connection.