Skip to main content

Discussion

 Sudheesh Mullankandy (SudheeshM8807)
Express Scripts

Express Scripts
US
SudheeshM8807 Member since 2018 1 post
Express Scripts
Posted: Mar 20, 2024
Last activity: Jun 18, 2024
Posted: 20 Mar 2024 17:23 EDT
Last activity: 18 Jun 2024 9:38 EDT

AWS Authentication Profile without IAM Credentials

I am trying to configure AWS S3 repository. In the repository rule, as yo know, we have to provide the AWS Auth Profile.  AWS Auth Profile requires AWS Access Key ID and Secret Access Key of IAM User.

Issue here is, our enterprise AWS account does not allow IAM users. Policy requires that all AWS logins must be federated thru IAM roles integrated with Okta/AD SSO.

How we can create AWS Authentication profile in Pega when Company policy does not allow creating IAM users?

One of the workaround we are tried was to get temporary access credentials (access key id and secret access key) using SAML2AWS (https://github.com/Versent/saml2aws).

Approach was to periodically refresh the Pega AWS Authentication profile with temporary credentials retrieved using SAML2AWS. However, AWS authentication is not working with temporary credentials. 

Any recommendation / best practices?

To see attachments, please log in.
Pega Platform 8.8
Data Integration

  • Reply
  • Devi Priya Venkatesan
Posted: 8 months ago
Posted: 20 Mar 2024 18:16 EDT
Brett Allen (BrettAllen)
PEGA
Principal Technical Architect
Pegasystems Inc.
US

@SudheeshM8807 If you're running on EKS this can be achieved.  You can create a repository using DSS instead of the Repository Rule form which allows you to skip the Authentication Profile.  

Pega-Engine storage/class/<storageDestAlias>:/type           aws-s3

Pega-Engine storage/class/<storageDestAlias>:/bucket       <your s3 bucket name>

Pega-Engine storage/class/<storageDestAlias>:/rootpath    <existing folder or prefix within s3 bucket>

 

The pods need to run using a service account that can use OIDC to assume an IAM role that can access the bucket.  This takes a fair bit of configuration on the AWS side, you will need someone with the expertise needed to set up your cluster and IAM.

To see attachments, please log in.
Posted: 5 months ago
Updated: 5 months ago
Posted: 18 Jun 2024 9:11 EDT
Updated: 18 Jun 2024 9:38 EDT
Kanneeswaran Kotteswaran (KanneeswaranK17088174)
ING Bank

ING Bank
NL

@SudheeshM8807 This is exactly similar to BrettAllen's response, try if this works

 

1. Grant EC2 service account (which runs pega service) have the relevant IAM role to read/write the S3 bucket (mys3bucketname)

2. Create a DSS DSS

 

3. Repository "myrepository" will be created Repository

4. This repository doesn't need any authentication profile and runs on top of the EC2 service account privilege(which has relavant IAM roles for the S3 bucket which you want to access)

To see attachments, please log in.

Related content:

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice