This guide is intended for admins managing a Connector in the environment
📘 You have chosen the advanced installation method
You can also connect AWS to Apono by following the UI guide here.
Required CLI: terraform
Log in to Apono and create a connector on the Connectors page.
Important: before you start, copy the connector Terraform params and export them in the terminal.
Note: if you already use your own providers, you can skip this step.
Run terraform init to validate that it works.
Your EKS cluster's OIDC provider must be added as an identity provider in IAM. This step is required only once, and you may have already done it.
The Connector is deployed using Helm and requires an IAM role to be able to access tagged ASM secrets in the future.
You can validate that the Connector is installed on the Connector status page.
How to install a Connector on an AWS account to integrate an AWS Account or Organization with Apono
To integrate with AWS and start managing JIT access to AWS cloud resources, you must first install a connector in your AWS environment.
The connector should match the level of access management you want to achieve with Apono: on a single account or on the entire organization.
To manage access to a single AWS account, install a connector on that account. Follow this guide.
To manage access to all the accounts in the AWS organization:
Install a connector on the management account (follow this guide), OR
Install a connector in any account with ECS or EKS and give it delegated permissions to the management account (follow this guide).
What's a connector? What makes it so secure?
The Apono Connector is an on-prem connection that can be used to connect resources to Apono and separate the Apono web app from the environment for maximal security.
Read more about the recommended AWS Installation Architecture.
First, decide if you want to integrate Apono with a specific AWS Account or with the entire Organization (containing multiple Accounts).
Now, follow one of the guides below depending on your selection:
Administrator permissions to the AWS account you want to connect.
VPC with outbound connectivity
Log in to the Apono platform
Go to the Apono Integrations page
From the Catalog, pick AWS
Install a new connector in AWS. Read more here.
Choose CloudFormation
Click "Open Cloud Formation"
Sign in to your AWS user and click Next
Within the AWS create stack page, scroll down
Make sure you pick at least one Subnet and one VPC from the dropdown lists
Tick the acknowledge box and then select Create Stack
Apono integrates with AWS natively, using AWS CloudFormation as a standard mechanism to deploy all required configuration, including a Cross Account Role with Read permission, an SNS notification message, and the Apono Connector, which runs on AWS ECS on Fargate.
Administrator permissions to the AWS management account in the Organization.
VPC with outbound connectivity.
Log in to the Apono platform
Go to the Apono Integrations page
From the Catalog, pick AWS
Click "Open Cloud Formation"
Sign in to your AWS user and click Next
The new stack should be installed in the management account (which manages the organization's Identity Center)
Within the AWS create stack page, scroll down
Make sure you pick at least one Subnet and one VPC from the dropdown lists
Tick the acknowledge box and then select Create Stack
Apono integrates with AWS natively, using AWS CloudFormation as a standard mechanism to deploy all required configuration, including a Cross Account Role with Read permission, an SNS notification message, and the Apono Connector, which runs on AWS ECS on Fargate.
Verify that "trusted access" is activated for your organization. Read more here.
Administrator permissions to the AWS management account in the Organization
For EKS: admin permissions on the cluster
Using CloudFormation (ECS)
Open CloudFormation in the member account you want to deploy to.
Fill in the SubnetIDs and VpcId parameters.
Create the stack and wait for it to finish.
Copy the connector role from the "Outputs" tab.
Using Helm (EKS)
Create an AWS role for the connector. Follow step 3 in this guide.
Set the following environment variables to configure the AWS role for the connector deployed in EKS.
Where:
AWS_ACCOUNT_ID is the account where the EKS deployment is hosted.
AWS_ROLE_NAME is the role defined for the connector in step 1.
CONNECTOR_TOKEN is the token generated in the Apono UI when creating a new connector.
CONNECTOR_ID is the connector name. Set any name of your choosing.
Run the following Helm command to deploy the connector.
Copy the role given to the connector (arn:aws:iam::$AWS_ACCOUNT_ID:role/$AWS_ROLE_NAME).
Interested in HA for the connector?
Add this variable to the Helm chart to create one or more replicas of the Apono connector instance:
--set-string replicaCount=<number_of_replicas>
Read more here.
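The EKS path above leaves three pieces implicit: how the IAM role is made assumable only by the connector's service account through the cluster's OIDC provider (IRSA), how the role ARN you later paste into the management-account stack is formed, and how the environment variables reach the Helm release. The script below is an added example, not Apono's own script or chart interface. It assumes a chart at REPO/apono-connector, the value keys passed with --set-string, the namespace and service-account defaults, and an EKS_CLUSTER_NAME variable naming the cluster whose OIDC issuer is read; replace those with the values from the Apono Helm command. Attaching the permissions policy for tagged ASM secrets is a separate step and is not shown.

```shell
#!/bin/sh
# Added example (not Apono's script). Builds an IRSA trust policy scoped to one
# service account, creates the connector role, and deploys the chart.
# ASSUMPTIONS: chart name REPO/apono-connector, the --set-string keys, the
# CONNECTOR_NAMESPACE / CONNECTOR_SERVICE_ACCOUNT defaults, EKS_CLUSTER_NAME.

# Reject anything but a 12-digit AWS account id (returns 1 on a bad value).
valid_account_id() {
  case "$1" in
    ""|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# Role ARN in the form the guide asks you to copy afterwards.
connector_role_arn() {
  printf 'arn:aws:iam::%s:role/%s\n' "$1" "$2"
}

# Trust policy scoped to ONE service account (least privilege): only
# system:serviceaccount:<namespace>:<sa> on this cluster's OIDC issuer may call
# sts:AssumeRoleWithWebIdentity. $4 is the issuer host without the https:// prefix.
irsa_trust_policy() {
  account_id=$1; namespace=$2; sa=$3; oidc_host=$4
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_host}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "${oidc_host}:sub": "system:serviceaccount:${namespace}:${sa}",
      "${oidc_host}:aud": "sts.amazonaws.com"
    }}
  }]
}
EOF
}

# Creates the role and deploys the chart (needs AWS credentials, kubectl context, helm).
deploy_connector() {
  : "${AWS_ACCOUNT_ID:?}" "${AWS_ROLE_NAME:?}" "${CONNECTOR_TOKEN:?}" \
    "${CONNECTOR_ID:?}" "${EKS_CLUSTER_NAME:?}"
  valid_account_id "$AWS_ACCOUNT_ID" || { echo "AWS_ACCOUNT_ID must be 12 digits" >&2; return 1; }
  ns=${CONNECTOR_NAMESPACE:-apono}                  # assumption
  sa=${CONNECTOR_SERVICE_ACCOUNT:-apono-connector}  # assumption
  # Issuer is https://oidc.eks.<region>.amazonaws.com/id/<id>; IAM wants it without the scheme.
  oidc_host=$(aws eks describe-cluster --name "$EKS_CLUSTER_NAME" \
      --query 'cluster.identity.oidc.issuer' --output text | sed 's#^https://##')
  trust="${TMPDIR:-/tmp}/connector-trust.json"
  irsa_trust_policy "$AWS_ACCOUNT_ID" "$ns" "$sa" "$oidc_host" > "$trust"
  aws iam create-role --role-name "$AWS_ROLE_NAME" \
      --assume-role-policy-document "file://$trust"
  role_arn=$(connector_role_arn "$AWS_ACCOUNT_ID" "$AWS_ROLE_NAME")
  # Value keys below are placeholders for the real chart's values.
  helm upgrade --install apono-connector REPO/apono-connector \
      --namespace "$ns" --create-namespace \
      --set-string connectorId="$CONNECTOR_ID" \
      --set-string connectorToken="$CONNECTOR_TOKEN" \
      --set-string serviceAccount.name="$sa" \
      --set-string "serviceAccount.annotations.eks\.amazonaws\.com/role-arn=$role_arn" \
      --set-string replicaCount="${CONNECTOR_REPLICAS:-1}"
  echo "Connector role to paste into the management-account stack: $role_arn"
}

# Deploy only when explicitly asked, so sourcing this file has no side effects.
if [ "${1:-}" = "deploy" ]; then deploy_connector; fi
```

The trust policy pins both the `sub` (one namespace and service account) and the `aud` claim, so a pod in another namespace of the same cluster cannot assume the connector role even though it shares the OIDC provider. CONNECTOR_REPLICAS maps to the replicaCount setting mentioned above for HA.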
Open CloudFormation in the AWS management account using this link.
In the "ConnectorRoleArn" parameter, paste the connector role from the previous step.
Fill in the "OrganizationalUnitId" parameter.
Create the stack and wait for it to finish.
Copy the Management Account Role ARN from the "Outputs" tab.
Verify that the StackSet was created successfully and that CloudFormation finished.
Then, in the Apono app, you will see that the connector was found, with a green checkmark indication.
Hurray!
You can now integrate an AWS Account or Organization!
Create a connector on Amazon Elastic Container Service
Connectors are secure on-prem components that link Apono and your resources:
No secrets are read, cached, or stored.
No account admin privileges need to be granted to Apono.
The connector contacts your secret store or key vault to sync data or provision access.
Once set up, this connector will enable you to sync data from cloud applications and grant and revoke access permissions through Amazon Elastic Container Service (ECS).
Use the following steps to install an Apono connector for AWS on ECS:
At the shell prompt, define an environment variable named TF_VAR_APONO_TOKEN with your Apono token value.
In a new or existing Terraform (.tf) file, add the following provider and module information to create a connector with permissions or without permissions.
When using the following snippets, be sure to use the correct value for assignPublicIp:
true: Set when the subnet has an Internet Gateway
false: Set when the subnet has a NAT Gateway
With permissions: Enables installing the connector in the cloud environment and managing access to resources such as Amazon RDS, S3 buckets, EC2 machines, and self-hosted databases
Without permissions: Enables installing the connector in the cloud environment but managing access only to non-AWS resources, such as self-hosted databases
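Getting assignPublicIp wrong is the usual reason an ECS task starts but never reaches Apono: a task without a public IP in a subnet whose only default route is an Internet Gateway has no outbound path, and a task with a public IP in a NAT-only subnet exposes an address it does not need. The script below is an added example, not part of the Apono guide or its Terraform module. It derives the value from the subnet's route table with the AWS CLI: a 0.0.0.0/0 route via igw-… gives true, via nat-… gives false, and a subnet with neither is rejected so you notice before applying. The live lookup assumes AWS credentials and falls back to the VPC main route table, which is what a subnet with no explicit association uses.

```shell
#!/bin/sh
# Added example (not Apono's code): pick the assignPublicIp value for a subnet.

# Input on stdin: one route per line as "<destination> <target>", e.g. "0.0.0.0/0 igw-0abc".
# Output: "true" or "false" on stdout; returns 2 when no usable default route exists.
assign_public_ip_for_routes() {
  result=""
  while read -r dest target; do
    [ "$dest" = "0.0.0.0/0" ] || continue   # only the default route matters here
    case "$target" in
      igw-*) result=true ;;    # Internet Gateway: the task needs a public IP
      nat-*) result=false ;;   # NAT Gateway: keep the task private
    esac
  done
  [ -n "$result" ] || return 2
  printf '%s\n' "$result"
}

# Live lookup of a subnet's routes (needs AWS credentials). Each row is
# "<DestinationCidrBlock> <GatewayId or NatGatewayId>" in the format above.
subnet_routes() {
  subnet_id=$1
  query='RouteTables[].Routes[].[DestinationCidrBlock, GatewayId || NatGatewayId]'
  routes=$(aws ec2 describe-route-tables \
      --filters "Name=association.subnet-id,Values=$subnet_id" \
      --query "$query" --output text)
  if [ -z "$routes" ]; then
    # No explicit association: the subnet uses the VPC's main route table.
    vpc_id=$(aws ec2 describe-subnets --subnet-ids "$subnet_id" \
        --query 'Subnets[0].VpcId' --output text)
    routes=$(aws ec2 describe-route-tables \
        --filters "Name=vpc-id,Values=$vpc_id" "Name=association.main,Values=true" \
        --query "$query" --output text)
  fi
  printf '%s\n' "$routes"
}

# Usage: sh assign_public_ip.sh subnet-0123456789abcdef0   (prints true or false)
if [ -n "${1:-}" ]; then
  subnet_routes "$1" | assign_public_ip_for_routes \
    || { echo "subnet $1 has no default route via an IGW or NAT gateway" >&2; exit 2; }
fi
```

Feed the printed value into the module's assignPublicIp argument for each subnet you pass to the connector; if subnets disagree, they should not be mixed in one connector deployment.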
At the Terraform CLI, download and install the provider plugin and module.
Apply the Terraform changes. The proposed changes and a confirmation prompt will be listed.
Enter yes to confirm deploying the changes to your AWS account.
On the Connectors page, verify that the connector has been deployed.
Learn how to update a connector through the AWS CLI
Periodically, you may need to update your AWS connector to help maintain functionality, performance, and security.
This article explains how to update a connector through the AWS CLI and redeploy the CloudFormation stack with the latest connector template.
Follow these steps to update a connector:
Copy the following Account level or Organization level AWS update script. Be sure to replace AWS_STACK_NAME with your AWS stack name, and AWS_PROFILE and AWS_SERVER_REGION with your profile and region values.
At your AWS CLI prompt, enter the updated script from the previous step to initiate the update. The AWS CLI will return an object containing the StackId.
In CloudFormation, on the Stack Info tab, confirm that the update has completed:
Under the Stack name column, click the stack name.
On the Stack info tab, check the Status.
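The update procedure above is three CLI interactions: start the update with the right profile and region, read the StackId from the returned object, and then confirm the status in CloudFormation. The script below is an added example, not Apono's update script. It uses the same AWS_STACK_NAME, AWS_PROFILE and AWS_SERVER_REGION variables, takes the template location from a TEMPLATE_URL placeholder (use the URL from the Apono script), and assumes CAPABILITY_NAMED_IAM because the stack creates IAM roles. It also handles the case the AWS CLI reports when the template has not changed, so a no-op rerun is not mistaken for a failure.

```shell
#!/bin/sh
# Added example (not Apono's script): redeploy the connector stack via the AWS CLI
# and wait for the result instead of polling the console.

# Pull the StackId out of the JSON object update-stack prints (no jq dependency).
extract_stack_id() {
  printf '%s' "$1" | sed -n 's/.*"StackId"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Profile/region are added only when set; otherwise the default CLI config applies.
aws_scope_args() {
  args=""
  [ -n "${AWS_PROFILE:-}" ] && args="$args --profile $AWS_PROFILE"
  [ -n "${AWS_SERVER_REGION:-}" ] && args="$args --region $AWS_SERVER_REGION"
  printf '%s\n' "${args# }"
}

update_connector_stack() {
  : "${AWS_STACK_NAME:?set AWS_STACK_NAME to the CloudFormation stack name}"
  : "${TEMPLATE_URL:?set TEMPLATE_URL to the connector template URL (placeholder)}"
  scope=$(aws_scope_args)
  # $scope is intentionally word-split into separate --profile/--region arguments.
  # shellcheck disable=SC2086
  out=$(aws cloudformation update-stack $scope \
        --stack-name "$AWS_STACK_NAME" \
        --template-url "$TEMPLATE_URL" \
        --capabilities CAPABILITY_NAMED_IAM 2>&1) || {
    case "$out" in
      *"No updates are to be performed"*)
        echo "Stack $AWS_STACK_NAME is already on this template; nothing to do."
        return 0 ;;
      *) echo "update-stack failed: $out" >&2; return 1 ;;
    esac
  }
  echo "Update started: $(extract_stack_id "$out")"
  # Blocks until UPDATE_COMPLETE and exits non-zero on rollback or failure.
  # shellcheck disable=SC2086
  aws cloudformation wait stack-update-complete $scope --stack-name "$AWS_STACK_NAME"
  # Same status you would read on the Stack info tab.
  # shellcheck disable=SC2086
  aws cloudformation describe-stacks $scope --stack-name "$AWS_STACK_NAME" \
      --query 'Stacks[0].StackStatus' --output text
}

# Run only when explicitly asked, so sourcing this file has no side effects.
if [ "${1:-}" = "run" ]; then update_connector_stack; fi
```

Run it as `AWS_STACK_NAME=... AWS_PROFILE=... AWS_SERVER_REGION=... TEMPLATE_URL=... sh update_connector.sh run`. A non-zero exit from the wait command means the stack rolled back; the final status line then tells you which state to look up in the common-errors section.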
This section details common errors that can occur during the updating process. If an error occurs that is not listed below, please contact your Apono representative.
[Screenshots: Pick Account, then choose the desired deployment method; Pick Organization, then choose CloudFormation]
If you have not defined a default region and profile, you must specify the region and profile in the script:
Go to the CloudFormation Stacks page. A list of the stacks in the account is displayed.
Locate and copy the stack name under the Stack name column of the page.
Repeat the .
Item | Description |
---|---|
AdministratorAccess Role | AWS role that provides full access to AWS services and resources |
Apono Token | Account-specific Apono authentication value. To obtain your token: on the Connectors page, click Install Connector (the Install Connector page appears); click AWS > Install and Connect AWS Account > Terraform (ECS); then copy the token listed in step 1 on the page. |
Virtual Private Cloud (VPC) ID | Unique identifier for a virtual network dedicated to an AWS account |
Subnet IDs | Unique identifier for a specific subnet within a VPC |
Terraform CLI | HashiCorp's tool for provisioning and managing infrastructure |
Item | Description |
---|---|
AWS Stack Name | In AWS CloudFormation, the name of a collection of AWS resources managed as a single unit. To retrieve the stack name: go to the CloudFormation Stacks page, where a list of the stacks in the account is displayed, and copy the stack name under the Stack name column. |
AWS Command Line Interface (AWS CLI) | Enables interaction with AWS services using your command-line shell |
AWS Permissions | Enables updating the stack via the AWS CLI |