Installing cloud plugins

Each cloud plugin has a specific installation task on BES Support, which becomes relevant on computers where the Plugin Portal is installed.

Note: The last published version of the cloud plugins might require an up-to-date version of the Plugin Portal. Older plugins will continue to work properly with the new Plugin Portal.

The task can be run only after filling in all required fields in the Description tab.

Only Master Operators (MO) are allowed to install cloud plugins.

The advanced configuration for all cloud plugins can be done using the WebUI.

Amazon Web Services plugin

Account Label
A friendly name for the specified Access Key ID / Secret Access Key pair. It must contain only alphanumeric characters.
Default region name

It is the name of the AWS region to which the plugin must initially connect to when it performs a discovery. For instance, if you want the plugin to start its discoveries connecting to the Europe (Frankfurt) region, the value to specify is eu-central-1. The plugin will, then, automatically complete its discoveries by connecting to all other regions that the specified Access Key ID / Secret Access Key pair can access.

  • The field is case sensitive, ensure that you input the string with the correct case as documented by AWS.
  • When adding a new Access Key ID / Secret Access Key pair, the BigFix WebUI allows to optionally specify a user region value, which for the specified key pair would prevail on the default region.

For more information about available regions, refer to the AWS documentation.

When installing the AWS plugin, you can specify the allowed regions. For more details about how to limit the AWS regions, see Limit AWS Regions to restrict the scope of device discovery.

Access Key ID and Secret Access Key

An Access Key ID / Secret Access Key pair associated to an IAM user.

Requirements for the IAM user:

  • MFA must NOT be enabled
  • Must have programmatic access type
  • Must have the following permissions at minimum: action "ec2:Describe*" allowed on resource "*"
    • A suitable predefined AWS policy is AmazonEC2ReadOnlyAccess

For more information about AWS access keys, refer to the AWS documentation.

IAM Roles

An ARN / Region / External ID triple associated to an IAM Role.

Starting from cloud plugin version 1.4, released concurrently with BigFix v10.0 Patch 4, IAM roles are supported. An IAM role is an identity that has a set of assigned permissions and it can be assumed temporarily by any trusted user, including an administrative user, depending on your business needs. Roles do not have credentials and as such they are not subject to password expiration. When assuming a role, the logged on user requests temporary credentials for a certain limited amount of time which cannot be bigger than the maximum amount of time assigned by the administrative user.

Note: If you decide to use IAM roles, ensure that the users assuming the role are authorized to perform sts:AssumeRole on the roles.

Note: The roles completely replace the users assuming them, which means that each operation managed by the users is performed by the roles and that the roles must have the same permissions which would be required for a user managing the cloud plugins.

Note: Once AWS Roles are inserted, the AWS plugin will use them during its discovery, instead of the credential from which they derive. You must ensure that these roles include all the AWS devices that you want to discover in your cloud environment: otherwise, some machines may not be discovered.

You have to specify the following information:

An ARN / Region / External ID triple associated to an IAM Role.

Is the Amazon Resource Name of the role, which is the unique identifier of a resource on AWS.

For more information about ARNs, refer to the AWS documentation.

(Optional): Is the default AWS region for the IAM role. See the Default region name section for more information. When adding a new IAM role, BigFix allows you to optionally specify a role region value, which prevails on both the default region and the user region for the specified role.
External ID
(Optional): If you need to delegate access to AWS resources to a third party, an IAM role can be used along with an external ID, devised for the purpose of accessing and using the cloud environment resources and services by the third party. The external ID must be provided to the third party by the organization that owns the environment and should be a GUID.

For more information about external IDs, refer to the AWS documentation.

HTTP Proxy
Optionally, an HTTP proxy may be specified in case the system where the AWS plugin will be installed does not have a direct connection to the Internet. For supported proxy authentication methods, refer to the AWS documentation.

Microsoft Azure plugin

Account Label
A friendly name for the specified service principal quartet. It must contain only alphanumeric characters.
Client ID, Password, Subscription ID and Tenant ID
A service principal quartet. Requirements for the service principal:
  • Must be assigned the built-in Reader role.
  • MFA must NOT be enabled.

For more information about Microsoft Azure service principals, refer to the Microsoft Azure documentation.

VMware plugin

Account Label
A friendly name for the specified username-password pair. It must contain only alphanumeric characters.
vCenter Server
The hostname or IP address of the vCenter server.
User name and Password
The credentials to access the vCenter server.
Note: The VMware plugin uses the govmomi library and its compatibility defines with which version of vCenter the plugin is compliant. For more details, refer to the govmomi documentation.

Google Cloud Platform plugin

Account Label
A friendly name for the specified Service Account credentials. It must contain only alphanumeric characters.
Service Account Credentials
Copy and paste the content of the .json file provided by Google containing the keys of your Service Account. The IAM permissions required are:
  • compute.zones.list
  • compute.regions.list
  • compute.instances.list
  • compute.images.list
  • compute.disks.list
  • compute.machineTypes.list
  • compute.subnetworks.list
All these permissions are mandatory.

For more information about Google Cloud Platform service accounts, refer to the Google documentation.

Note: The Google Cloud Platform plugin will discover the VM instances belonging to the project(s) specified in the .json file(s) with which the plugin was configured. Starting from version 1.4 of the Google Cloud Platform plugin, you can manage all additional project(s) that your Service Account is able to list and has permissions on. To be able to list projects, the Resource Manager API must be enabled and the Service Account must be able to issue requests to it, which means having the resourcemanager.projects.get permission. For more information about listing projects, refer to the Google documentation.