Installing cloud plugins
Each cloud plugin has a specific installation task on BES Support, which becomes relevant on computers where the Plugin Portal is installed.
The task can be run only after filling in all required fields in the Description tab.
Only Master Operators (MO) are allowed to install cloud plugins.
The advanced configuration for all cloud plugins can be done using the WebUI.
Amazon Web Services plugin
- Account Label
- A friendly name for the specified
Access Key ID/Secret Access Keypair. It must contain only alphanumeric characters. - Default region name
-
It is the name of the AWS region to which the plugin must initially connect to when it performs a discovery. For instance, if you want the plugin to start its discoveries connecting to the Europe (Frankfurt) region, the value to specify is
eu-central-1. The plugin will, then, automatically complete its discoveries by connecting to all other regions that the specifiedAccess Key ID/Secret Access Keypair can access.Note:- The field is case sensitive, ensure that you input the string with the correct case as documented by AWS.
- When adding a new
Access Key ID/Secret Access Keypair, the BigFix WebUI allows to optionally specify a user region value, which for the specified key pair would prevail on the default region.
For more information about available regions, refer to the AWS documentation.
When installing the AWS plugin, you can specify the allowed regions. For more details about how to limit the AWS regions, see Limit AWS Regions to restrict the scope of device discovery.
- Access Key ID and Secret Access Key
-
An
Access Key ID/Secret Access Keypair associated to an IAM user.Requirements for the IAM user:
- MFA must NOT be enabled
- Must have programmatic access type
- Must have the following permissions at minimum: action "ec2:Describe*"
allowed on resource "*"
- A suitable predefined AWS policy is AmazonEC2ReadOnlyAccess
For more information about AWS access keys, refer to the AWS documentation.
- IAM Roles
-
An ARN / Region / External ID triple associated to an IAM Role.
Starting from cloud plugin version 1.4, released concurrently with BigFix v10.0 Patch 4, IAM roles are supported. An IAM role is an identity that has a set of assigned permissions and it can be assumed temporarily by any trusted user, including an administrative user, depending on your business needs. Roles do not have credentials and as such they are not subject to password expiration. When assuming a role, the logged on user requests temporary credentials for a certain limited amount of time which cannot be bigger than the maximum amount of time assigned by the administrative user.
Note: If you decide to use IAM roles, ensure that the users assuming the role are authorized to perform
sts:AssumeRoleon the roles.Note: The roles completely replace the users assuming them, which means that each operation managed by the users is performed by the roles and that the roles must have the same permissions which would be required for a user managing the cloud plugins.
Note: Once AWS Roles are inserted, the AWS plugin will use them during its discovery, instead of the credential from which they derive. You must ensure that these roles include all the AWS devices that you want to discover in your cloud environment: otherwise, some machines may not be discovered.You have to specify the following information:
An
ARN/Region/External IDtriple associated to an IAM Role.Where:- ARN
- Is the Amazon Resource Name of the role, which is the unique identifier of a
resource on AWS.
For more information about ARNs, refer to the AWS documentation.
- Region
- (Optional): Is the default AWS region for the IAM role. See the Default region name section for more information. When adding a new IAM role, BigFix allows you to optionally specify a role region value, which prevails on both the default region and the user region for the specified role.
- External ID
- (Optional): If you need to delegate access to AWS resources to a third
party, an IAM role can be used along with an external ID, devised for the
purpose of accessing and using the cloud environment resources and services by
the third party. The external ID must be provided to the third party by
the organization that owns the environment and should be a GUID.
For more information about external IDs, refer to the AWS documentation.
- HTTP Proxy
- Optionally, an HTTP proxy may be specified in case the system where the AWS plugin will be installed does not have a direct connection to the Internet. For supported proxy authentication methods, refer to the AWS documentation.
Microsoft Azure plugin
- Account Label
- A friendly name for the specified service principal quartet. It must contain only alphanumeric characters.
- Client ID, Password, Subscription ID and Tenant ID
- A service principal quartet. Requirements for the service principal:
- Must be assigned the built-in Reader role.
- MFA must NOT be enabled.
For more information about Microsoft Azure service principals, refer to the Microsoft Azure documentation.
VMware plugin
- Account Label
- A friendly name for the specified username-password pair. It must contain only alphanumeric characters.
- vCenter Server
- The hostname or IP address of the vCenter server.
- User name and Password
- The credentials to access the vCenter server.
Google Cloud Platform plugin
- Account Label
- A friendly name for the specified Service Account credentials. It must contain only alphanumeric characters.
- Service Account Credentials
- Copy and paste the content of the .json file provided by Google containing the keys of
your Service Account. The IAM permissions required are:
- compute.zones.list
- compute.regions.list
- compute.instances.list
- compute.images.list
- compute.disks.list
- compute.machineTypes.list
- compute.subnetworks.list
For more information about Google Cloud Platform service accounts, refer to the Google documentation.