Creating Amazon credentials
You create Amazon credentials the same way you create other credential types. But it's helpful to consider a few things first.
First things first
Before you get started, consider the following:
- Know which authentication method you plan to use: Local, ADFS, or EC2 Assigned Role. For more information, see About Amazon credentials.
- Decide whether you plan to use your new credential across multiple AWS accounts ("cross-accounts").
- If you haven't already, create a user name credential for use with your new Amazon credential. You can do this during the following procedure, but having it created ahead of time will be faster.
- Make sure you have View, Write, and Create permissions to the folder where you plan to create your new credential object.
DID YOU KNOW? In Aperture, permissions are controlled in the Permissions panel. For information about working with permissions in Aperture, see Assigning permissions to objects.
- From the TLS Protect menu bar, click Inventory > Credentials, and then click Create a New Credential.
- Click the Credential Type list and select Amazon.
- Click Folder and select the policy folder in which to create your new credential.
- In Credential Name, type a unique name for the new credential object, and then click Create and Configure.
- Click the Source list and select Local, EC2 Assigned Role, or ADFS, depending on which authentication method you need.
- (Conditional) If you selected Local from the Source list, then do the following:
  - Type your AWS access key and secret key in the Access Key and Secret Key fields, respectively. You'll be required to retype each of them in its confirmation field.
  - (Optional) If you plan to use this new Amazon Credential to access multiple AWS accounts (cross-accounts), then in Role Name or Role to Assume, type just the AWS role name you've set up in AWS (not the entire ARN). If you are using cross-accounts, see Authenticating to multiple AWS accounts using a single Amazon Credential.
  - If you need an External ID, type it in the External ID field.
    About Amazon's External ID
    The primary function of the External ID is to address and prevent the "confused deputy" problem. The External ID makes it less likely that a non-Trust Protection Platform user can access the other AWS account. Without the External ID protection, any IAM user within the AWS account where the Trust Protection Platform user resides would be able to access the other AWS accounts simply by knowing the name of the role in the other account.
    When applying account credentials to provision a certificate, Amazon requires an External ID. The value must have a minimum of 2 characters and a maximum of 1,224 characters. The value must be alphanumeric without white space. It can also include the following symbols: plus (+), equal (=), comma (,), period (.), at (@), colon (:), forward slash (/), and hyphen (-).
    For more information, visit Amazon's article, How to Use an External ID When Granting Access to Your AWS Resources to a Third Party.
  - When you're finished, click Save.
- (Conditional) If you selected ADFS from the Source list, then do the following:
  - In the ADFS Username Credential field, select the user name credential to use with Amazon. If you haven't yet created one, click Create New Credential to define a new one, and then continue.
  - In the Web Service URL field, type the full URL of your ADFS server.
  - From the Role list, select the role that has the required permissions.
    DID YOU KNOW? Each of the roles that appear in the Role list uses the following format:
    arn:aws:iam::AWSAccountNumber:role/RoleMappedToADgroupByADFS
    So, for example:
    arn:aws:iam::123423455678:role/MYCO-VenafiTPP
    For more information about setting up your federated sign-in through Active Directory (AD) and ADFS, visit https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/.
  - When you're finished, click Save.
- (Conditional) If you selected EC2 Assigned Role from the Source list, just click Save to finish.
  When you select this option, Trust Protection Platform authenticates with the permissions that are assigned to the EC2 server on which it is running.
  IMPORTANT If you don't see this mode in the Source list, you don't have the proper permissions to use it. You must be either a master administrator, or you must request that you be added to the authorized identities list for using the AWS EC2 Assigned Role. To continue, contact a master administrator. See Authorizing the use of EC2 Assigned Role for Amazon credentials.
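Two of the values this procedure asks for are easy to get subtly wrong: the External ID typed for a cross-account role (the "About Amazon's External ID" note above) and the role ARNs offered in the ADFS Role list. The following Python is an added example, not Venafi or Trust Protection Platform code: it checks an External ID against the character and length rules quoted on this page, builds the trust policy for the role in the other account with and without the sts:ExternalId condition (the standard AWS IAM condition key; the shape without it is the confused-deputy-prone one the note describes), reviews a trust policy for that condition, and parses Role-list ARNs of the documented format so you can confirm the role you select belongs to the account you intend. The account numbers and the SAMPLE_ROLE_LIST are constructed sample data; the page's own example ARN is included in the list.

```python
import re
from typing import Iterable, List, Optional

# External ID rules as stated on this page: 2 to 1,224 characters,
# alphanumeric with no white space, plus any of + = , . @ : / -
EXTERNAL_ID_RE = re.compile(r"[A-Za-z0-9+=,.@:/-]{2,1224}")

# Shape of the ARNs shown in the ADFS Role list:
#   arn:aws:iam::AWSAccountNumber:role/RoleMappedToADgroupByADFS
# (12-digit account number; the role name may be preceded by an IAM path)
ROLE_ARN_RE = re.compile(r"arn:aws:iam::(\d{12}):role/((?:[\w+=,.@-]+/)*[\w+=,.@-]+)")

# Constructed sample Role list: the page's example ARN, a role behind an IAM
# path in a second (made-up) account, and one malformed entry.
SAMPLE_ROLE_LIST = [
    "arn:aws:iam::123423455678:role/MYCO-VenafiTPP",
    "arn:aws:iam::111122223333:role/service/MYCO-VenafiTPP",
    "not-an-arn",
]


def is_valid_external_id(value: str) -> bool:
    """True if value satisfies the documented External ID rules."""
    return EXTERNAL_ID_RE.fullmatch(value) is not None


def trust_policy(trusted_account: str, external_id: Optional[str]) -> dict:
    """Trust policy for the role in the *other* AWS account.

    trusted_account is the (constructed) account where the Trust Protection
    Platform identity lives.  With external_id=None the policy has no
    sts:ExternalId condition, so anyone in trusted_account who can call
    AssumeRole and knows the role name gets in; with it, callers must also
    present the matching External ID.
    """
    if not re.fullmatch(r"\d{12}", trusted_account):
        raise ValueError("AWS account numbers are 12 digits")
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        if not is_valid_external_id(external_id):
            raise ValueError("External ID violates the documented rules")
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def requires_external_id(policy: dict) -> bool:
    """Review check: every Allow statement that grants sts:AssumeRole (or a
    wildcard covering it) must carry a StringEquals condition on sts:ExternalId."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            return False
    return True


def parse_role_arn(arn: str) -> Optional[dict]:
    """Split a Role-list ARN into account number and role name (path stripped),
    or return None if it does not have the documented shape."""
    m = ROLE_ARN_RE.fullmatch(arn)
    if m is None:
        return None
    return {"account": m.group(1), "role_name": m.group(2).rsplit("/", 1)[-1]}


def roles_in_account(arns: Iterable[str], account: str) -> List[str]:
    """Role names from the Role list that belong to the given account; malformed
    entries are skipped rather than treated as matches."""
    parsed = (parse_role_arn(a) for a in arns)
    return [p["role_name"] for p in parsed if p is not None and p["account"] == account]


if __name__ == "__main__":
    weak = trust_policy("111122223333", None)
    hardened = trust_policy("111122223333", "MyCo-TPP:prod/01")
    print("weak policy requires External ID:", requires_external_id(weak))
    print("hardened policy requires External ID:", requires_external_id(hardened))
    print("roles in 123423455678:", roles_in_account(SAMPLE_ROLE_LIST, "123423455678"))
```

requires_external_id only looks at the StringEquals form of the condition, which is the one AWS documents for External IDs; a policy using a different operator would be reported as missing the check and should be reviewed by hand.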