Connectors and Connections

IAM Roles Anywhere authentication

You can configure AWS IAM Roles Anywhere authentication to obtain temporary security credentials for Amazon S3 from servers, applications, or containers that run outside AWS. The workload proves its identity with an X.509 certificate that chains to a certificate authority you trust, so no long-term access keys are stored on the machine.
Before you configure IAM Roles Anywhere authentication, you must set up a certificate authority, issue a certificate to the Secure Agent host, configure IAM Roles Anywhere, install the credential helper, and create a credential profile file.
The credential profile file must include the ARNs of the trust anchor, the profile, and the IAM role, as well as the file paths of the certificate and its decrypted private key.
Complete the following prerequisites to use IAM Roles Anywhere authentication:
  1. Set up a certificate authority.
    Use AWS Private Certificate Authority to create a certificate authority and install a CA certificate to activate it. IAM Roles Anywhere trusts every certificate that chains to this CA, so protect the CA and issue end-entity certificates only to the hosts that need them.
  2. Configure IAM Roles Anywhere.
    1. In IAM Roles Anywhere, create a trust anchor that references the certificate authority that you created.
    2. Create an IAM role that grants only the S3 permissions the connection needs, with a trust policy that allows the rolesanywhere.amazonaws.com service principal to perform sts:AssumeRole, sts:TagSession, and sts:SetSourceIdentity on the role. To prevent other trust anchors in the account from assuming the role, add a condition that restricts aws:SourceArn to the ARN of your trust anchor.
    3. Create a profile in the IAM Roles Anywhere console that links the IAM role to the trust anchor. A session policy on the profile can further scope what the temporary credentials are allowed to do.
  3. Generate and download the certificate.
    1. In AWS Certificate Manager, request a private certificate from your certificate authority.
    2. Export the certificate body, the certificate chain, and the certificate private key. ACM protects the exported private key with a passphrase that you choose.
    3. Decrypt the private key using OpenSSL. The credential helper reads the decrypted key.
    4. Place the certificate, the exported private key, and the decrypted private key in a local directory on the Secure Agent machine. Restrict the directory and, above all, the decrypted key file to the user account that runs the Secure Agent. The decrypted key is the only secret on the host: anyone who can read it can obtain credentials for the role.
  4. Install the IAM Roles Anywhere credential helper and use the aws_signing_helper tool to request temporary credentials through the CreateSession API. Running the helper once by hand confirms that the certificate, the key, and the ARNs are correct before you configure the connection.
  5. Create an AWS credentials file with the profile details, including the ARNs and the paths to the certificate and key files.
    Specify the following parameters in the credential profile file:
    • <agent_loc>\aws_signing_helper.exe
      The path to the AWS credential helper executable. On Linux agents the binary has no .exe extension.
    • credential-process
      The helper subcommand that prints temporary credentials in the JSON format that AWS SDKs and tools expect from a credential_process entry.
    • --certificate <agent_loc>\certificate.pem
      The path to the X.509 end-entity certificate that identifies the Secure Agent host to IAM Roles Anywhere. The certificate must chain to the CA that the trust anchor references.
    • --private-key <agent_loc>\decrypted_private_key.pem
      The path to the decrypted private key that corresponds to the certificate. The helper signs the CreateSession request with this key.
    • --trust-anchor-arn <arn of trust anchor>
      The Amazon Resource Name (ARN) of the trust anchor that establishes trust between IAM Roles Anywhere and the certificate authority.
    • --profile-arn <arn of profile>
      The ARN of the profile configured in IAM Roles Anywhere. Profiles specify which IAM roles can be assumed and, through an optional session policy, what operations the temporary security credentials can perform.
    • --role-arn <arn of role>
      The ARN of the IAM role that the credential helper assumes. The role must be one of the roles that the profile allows.
    • --session-duration <time in seconds>
      Optional. The number of seconds for which the temporary session credentials are valid. The value cannot exceed the maximum session duration of the role.
    The following sample shows a credential profile file, where <agent_loc> is the Secure Agent installation directory:
    [profile_name]
    credential_process = <agent_loc>\aws_signing_helper.exe credential-process --certificate <agent_loc>\certificate.pem --private-key <agent_loc>\decrypted_private_key.pem --trust-anchor-arn <arn of trust anchor> --profile-arn <arn of profile> --role-arn <arn of role> --session-duration <time in seconds>
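The procedure above, carried through as an added example that is not Informatica's or AWS's code: a Python script that checks that the three ARNs have the resource type their flag expects, verifies that the decrypted key is readable only by the agent user, writes the .credentials file with the credential_process line shown in the sample, reads it back as an INI parser would, and validates the JSON that the helper prints. The aws_signing_helper flag names are the ones from the sample; the JSON field names are the AWS SDK credential_process contract; the 900 to 43200 second range is the documented range of the CreateSession API. The ARNs, paths, dummy key, and helper output are constructed and identify nothing real.

```python
# Added example, not Informatica's or AWS's code: assemble and sanity-check an IAM Roles
# Anywhere credential profile file. Assumes the aws_signing_helper flags shown on this page
# and the AWS SDK credential_process JSON contract (Version 1, AccessKeyId, SecretAccessKey,
# SessionToken, Expiration). All ARNs, paths, keys and helper output here are constructed.
import configparser
import json
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

POSIX = os.name == "posix"

# Resource type of each ARN; a profile ARN pasted into --trust-anchor-arn fails here, not at runtime.
ARN_PATTERNS = {
    "--trust-anchor-arn": re.compile(r"^arn:aws[\w-]*:rolesanywhere:[a-z0-9-]+:\d{12}:trust-anchor/[0-9a-f-]+$"),
    "--profile-arn": re.compile(r"^arn:aws[\w-]*:rolesanywhere:[a-z0-9-]+:\d{12}:profile/[0-9a-f-]+$"),
    "--role-arn": re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/[\w+=,.@/-]+$"),
}

def validate_arns(trust_anchor_arn, profile_arn, role_arn):
    """Raise ValueError if an ARN is not the resource type its flag expects."""
    for flag, value in (("--trust-anchor-arn", trust_anchor_arn),
                        ("--profile-arn", profile_arn), ("--role-arn", role_arn)):
        if not ARN_PATTERNS[flag].match(value):
            raise ValueError(f"{flag}: not a valid ARN for this flag: {value!r}")
    return True

def private_key_is_private(path):
    """True if only the owner can read the decrypted key (POSIX mode bits; Windows ACLs are not inspected)."""
    return (not POSIX) or (os.stat(path).st_mode & 0o077) == 0

def build_credential_process(helper, certificate, private_key, trust_anchor_arn,
                             profile_arn, role_arn, session_duration=None):
    """Return the helper argv for the credential_process entry after checking the inputs."""
    validate_arns(trust_anchor_arn, profile_arn, role_arn)
    argv = [str(helper), "credential-process", "--certificate", str(certificate),
            "--private-key", str(private_key), "--trust-anchor-arn", trust_anchor_arn,
            "--profile-arn", profile_arn, "--role-arn", role_arn]
    if session_duration is not None:
        # CreateSession accepts 900..43200 seconds; the role's maximum session duration still caps it.
        if not 900 <= int(session_duration) <= 43200:
            raise ValueError("session duration must be between 900 and 43200 seconds")
        argv += ["--session-duration", str(int(session_duration))]
    return argv

def credential_process_line(argv):  # one line for the file; paths with spaces are quoted so the SDK splits them back
    return " ".join(f'"{a}"' if any(c.isspace() for c in a) else a for a in argv)

def write_profile_file(path, profile_name, argv):
    """Write the [profile_name] section with its credential_process entry and lock the file down."""
    path = Path(path)
    if path.suffix != ".credentials":
        raise ValueError("credential profile file must use the .credentials extension")
    path.write_text(f"[{profile_name}]\ncredential_process = {credential_process_line(argv)}\n")
    if POSIX:
        path.chmod(0o600)  # whoever can edit this file chooses the command the SDK executes
    return path

def parse_credential_process_output(raw, now=None):
    """Validate the JSON the helper prints and return it with the seconds of validity left."""
    data = json.loads(raw)
    if data.get("Version") != 1:
        raise ValueError("unsupported credential_process Version")
    for key in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"):
        if not data.get(key):
            raise ValueError(f"credential_process output lacks {key}")
    expiry = datetime.fromisoformat(data["Expiration"].replace("Z", "+00:00"))
    if isinstance(now, str):  # ISO-8601 clock override, handy for deterministic checks
        now = datetime.fromisoformat(now.replace("Z", "+00:00"))
    remaining = int((expiry - (now or datetime.now(timezone.utc))).total_seconds())
    if remaining <= 0:
        raise ValueError("credentials are already expired")
    return {**data, "remaining_seconds": remaining}

TRUST_ANCHOR = "arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/0d7d2a9e-1111-2222-3333-444455556666"
PROFILE = "arn:aws:rolesanywhere:us-east-1:123456789012:profile/6f1e1c2b-aaaa-bbbb-cccc-ddddeeeeffff"
ROLE = "arn:aws:iam::123456789012:role/s3-ingest-ra"
SAMPLE_HELPER_OUTPUT = json.dumps({"Version": 1, "AccessKeyId": "ASIACONSTRUCTED", "SecretAccessKey": "x",
                                   "SessionToken": "y", "Expiration": "2030-01-01T01:00:00Z"})

def demo(agent_loc=None):
    """End-to-end in a scratch directory: key permission checks, profile file, INI read-back."""
    agent_loc = Path(agent_loc or tempfile.mkdtemp(prefix="ra-demo-"))
    key, loose = agent_loc / "decrypted_private_key.pem", agent_loc / "loose_copy.pem"
    for f, mode in ((key, 0o600), (loose, 0o644)):  # a correctly locked key and a world-readable copy
        f.write_text("-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n")
        if POSIX:
            f.chmod(mode)
    argv = build_credential_process(agent_loc / "aws_signing_helper", agent_loc / "certificate.pem",
                                    key, TRUST_ANCHOR, PROFILE, ROLE, 3600)
    profile = write_profile_file(agent_loc / "s3.credentials", "roles_anywhere", argv)
    cp = configparser.ConfigParser(interpolation=None)  # no % interpolation: Windows paths may hold %UserProfile%
    cp.read(profile)
    return {"key_private": private_key_is_private(key),
            "loose_key_flagged": not private_key_is_private(loose),
            "line": cp["roles_anywhere"]["credential_process"]}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script directly builds the file in a temporary directory and prints the result. On a real agent host, point demo() at <agent_loc> with the exported certificate and the decrypted key in place, then execute the returned argv (for example with subprocess.run) to confirm that the helper returns credentials before you create the connection; the script itself never contacts AWS. Step 3.3 happens outside the script, for example with openssl pkey -in <exported key> -out decrypted_private_key.pem, which prompts for the passphrase chosen at export.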
When you create an Amazon S3 V2 connection, in the Other Authentication Type field, select Credentials Profile File authentication, and then specify the credential profile file path and profile name.

Rules for credential profile file

Consider the following rules for a credential profile file:
  • The credential profile file must be on the Secure Agent machine.
  • The credential profile file must have a .credentials extension.
  • If you do not specify the credential profile path, the Secure Agent uses the credential profile file in the default location in the home directory, ~/.aws/credentials. On Windows, you can refer to your home directory by using the environment variable %UserProfile%. On Unix-like systems, you can use the environment variable $HOME.
  • Restrict read and write access to the credential profile file, and to the key file it references, to the user account that runs the Secure Agent. The credential_process entry is a command that the agent executes, so anyone who can edit the file can run arbitrary code as the agent user.
For more information on how to configure IAM Roles Anywhere authentication, see the AWS documentation.
