AWS Plugins


Overview

Process Automation integrates with Amazon Web Services (AWS) through a variety of plugins listed below. By integrating Process Automation with AWS, users can provide a centralized, self-service interface for both simple and complex tasks spanning multiple cloud environments.

The full list of Process Automation plugins for AWS:

| AWS Service Type | Plugin | Plugin Type |
| --- | --- | --- |
| Athena | Query Athena Table | Job Step |
| CloudWatch | Query CloudWatch logs On Demand | Job Step |
| CloudWatch | Execute Saved CloudWatch Logs Query | Job Step |
| CloudWatch | Create CloudWatch Log Stream | Job Step |
| EC2 | Start EC2 | Job Step |
| EC2 | Restart EC2 | Job Step |
| EC2 | Delete EC2 | Job Step |
| EC2 | Create EC2 from Snapshot | Job Step |
| EC2 | Update EC2 Autoscale Groups | Job Step |
| EC2 | EC2 Node Source | Node Source |
| ECS | ECS & Fargate Node Source | Node Source |
| ECS | ECS & Fargate Node Executor | Node Executor |
| ECS | Execute Command | Job Step |
| ECS | Stopped Task Errors | Job Step |
| ECS | Stop Task | Job Step |
| ELB | Unhealthy Target Group Instances | Job Step |
| Lambda | Execute Lambda Function | Job Step |
| Lambda | Execute Custom-Code Lambda Function | Job Step |
| RDS | Check Instance Status | Job Step |
| S3 | Copy Files from Local to S3 or S3 to local | Job Step |
| S3 | List S3 objects | Job Step |
| S3 | Create an S3 Bucket | Job Step |
| S3 | Move Files from Local to S3 or S3 to local | Job Step |
| S3 | Delete an S3 Bucket | Job Step |
| S3 | Sync Directories and S3 Prefixes | Job Step |
| S3 | S3 Log Storage | Log Storage |
| Secrets Manager | AWS Secrets Manager | Key Storage |
| Systems Manager (SSM) | SSM Node Executor | Node Executor |
| Systems Manager (SSM) | SSM File Copier & Scripts | File Copier |
| VPC | Configure Flow Logs | Job Step |
| VPC | Enable Network Peering | Job Step |

Setup

The steps for integrating with AWS will vary depending on the product you are using:

Runbook Automation - Integration steps for Runbook Automation (Cloud) product.

Process Automation on EC2 - For Process Automation hosted on EC2
Process Automation on ECS - For Process Automation hosted on ECS

Access Key & Secret Key - For Process Automation or Runbook Automation when Access Keys are permitted.

Warning

Using the Access Key and Secret Key method is the least recommended approach for integrating with AWS and is the least secure. The other methods of integration are highly recommended in place of using Access Key and Secret Key.

AWS Integration for Runbook Automation

Runbook Automation can be integrated with one or more AWS Accounts using an IAM role with a Trust Relationship. More details on this authentication mechanism can be found in this AWS documentation. Here is a diagram that outlines this setup process:

[Diagram: RBA Authentication Process with AWS]

Steps for setting up the integration for the entire Runbook Automation instance or for individual projects are outlined below:

Part 1: In Runbook Automation:
To configure the AWS integration for the whole Runbook Automation instance:

  1. Click on the System Menu (gear icon) in the upper right.
  2. Click on System Configuration.
  3. Navigate to the AWS section and click on the Pencil Icon in the upper right.
  4. In the IAM Role Delegation section, copy the Account ID and External ID so that they may be used in subsequent steps.
  5. Leave this page open so that the Role ARN can be filled in later.

To configure the AWS integration for an individual project:

  1. Navigate to Project Configuration within the specific project.
  2. Click on Edit Configuration then click on Plugins.
  3. Click on + Plugin Config and select AWS.
  4. In the IAM Role Delegation section, copy the Account ID and External ID so that they may be used in subsequent steps.
  5. Leave this page open so that the Role ARN can be filled in later.

Part 2: In AWS Console:

  1. Go to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane of the console, click Roles and then click Create New Role.
  3. For the Trusted Entity Type select AWS Account and then select Another AWS Account.
  4. Paste in the AWS Account ID that was copied from Step 4 in the prior section into the Account ID field.
  5. Click on Require External ID.
  6. Paste in the External ID that was copied from Step 4 in the prior section into the External ID field.
  7. Click Next.
  8. Select the Permissions Policies to attach to the role.

    Policy Selection

    The selection should align with the specific automation use-case tasks for Runbook Automation. For example, if Runbook Automation will be used to retrieve and push data to S3, then be sure to include a policy that includes the s3:GetObject and s3:PutObject permissions.

  9. Assign the Role Name and optionally add a description. Do not modify the Select trusted entities section.
  10. Click Create Role.
  11. In the IAM Roles list, find and select the newly created IAM Role.
  12. Copy the ARN to be used in subsequent steps.

Part 3: In Runbook Automation:

  1. Paste the ARN copied from the prior section into the Role ARN field.
  2. Click Save to add this plugin configuration.
  3. Click Save to commit the configuration changes to the project.

The AWS authentication can be tested using the Validate Credentials Job step plugin. Otherwise, begin using the rest of the AWS plugins that align with the permissions allocated to the IAM Role.
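
The role created in Part 2 is only as safe as its trust policy. The following Python check is an added example, not part of the original documentation or the product. It confirms that a trust policy trusts only the Account ID copied in Part 1 and requires the matching External ID. The account IDs, the External ID and the function names are constructed for illustration.

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    # "111122223333" and "arn:aws:iam::111122223333:root" name the same account
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def audit_trust_policy(policy, expected_account, expected_external_id):
    """Return a list of findings; an empty list means the trust policy is as expected."""
    findings, assumable = [], False
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        assumable = True
        principal = stmt.get("Principal", {})
        trusted = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in trusted:
            if p == "*":
                findings.append(f"statement {i}: wildcard principal")
            elif _account_of(p) != expected_account:
                findings.append(f"statement {i}: unexpected account {_account_of(p)}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif _as_list(ext) != [expected_external_id]:
            findings.append(f"statement {i}: sts:ExternalId mismatch")
    if not assumable:
        findings.append("no statement allows sts:AssumeRole")
    return findings

# Constructed sample values, not taken from any real account
ACCOUNT_ID, EXTERNAL_ID = "111122223333", "example-external-id"

GOOD = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}""")

# Constructed: "Require External ID" left unchecked and a different account pasted
WEAK = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::444455556666:root"}}]}""")

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_trust_policy(doc, ACCOUNT_ID, EXTERNAL_ID) or "ok")
```

The trust policy of an existing role can be read with `aws iam get-role` (the `Role.AssumeRolePolicyDocument` field) and passed to `audit_trust_policy` as parsed JSON.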

AWS Integration for Process Automation hosted on EC2

When self-hosting Process Automation on EC2, the recommended method for integrating with AWS is to assign an IAM role to the EC2 virtual-machines:

  1. Go to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane of the console, click Roles and then click Create New Role.
  3. For the Trusted Entity Type select AWS service.
  4. Under Common use cases select EC2 then click Next.
  5. In the Permissions policies, select the permission-sets based on the plugins you intend to use.
  6. Specify a Role Name and a Description. Do not change the Select trusted entities.
  7. Click Create Role.
  8. Navigate to the EC2 console and click on Instances.
  9. Click on the EC2 instance (or multiple instances if running a clustered setup) and click on Actions -> Security -> Modify IAM Role.
  10. Click on Choose IAM Role and find the IAM Role you created in Step 6 then click Update IAM Role.

Now that the IAM Role is attached to the EC2, use the following steps to define this authentication method in Process Automation:

System Level

  1. Click on the System Menu (gear icon) in the upper right.
  2. Click on System Configuration.
  3. Navigate to the AWS section and click on the Pencil Icon in the upper right.
  4. (Optional) Set a default Region to be used for all plugins.
  5. From the Credential Provider field dropdown, select EC2.
  6. Click Save in the lower right.

Project Level

  1. In the specific project, click on Project Settings in the lower left.
  2. Click on Edit Configuration then click on Plugins.
  3. Click on +PluginGroup.
  4. Select AWS from the list.
  5. (Optional) Select the default Region to be used for all plugins within this project.
  6. From the Credential Provider field dropdown, select EC2.
  7. Click Save in the lower right.

Process Automation hosted on ECS

When self-hosting Process Automation on ECS, the recommended method for integrating with AWS is to assign an IAM role to the ECS Task Role:

  1. Go to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane of the console, click Roles and then click Create New Role.
  3. For the Trusted Entity Type select AWS service.
  4. Under Common use cases find Elastic Container Task in the dropdown under Use cases for other AWS services.
  5. In the Permissions policies, select the permission-sets based on the plugins you intend to use.
  6. Specify a Role Name and a Description. Do not change the Select trusted entities.
  7. Click Create Role.
  8. Navigate to the ECS console and click on Task Definitions.
  9. Select the Task Definition used for Process Automation and Create new revision.
  10. Scroll down to the Environment section and select the role you created for the Task Role field.

Now that the IAM Role is attached to the ECS Task, use the following steps to define this authentication method in Process Automation:

System Level

  1. Click on the System Menu (gear icon) in the upper right.
  2. Click on System Configuration.
  3. Navigate to the AWS section and click on the Pencil Icon in the upper right.
  4. (Optional) Set a default Region to be used for all plugins.
  5. From the Credential Provider field dropdown, select ECS.
  6. Click Save in the lower right.

Project Level

  1. In the specific project, click on Project Settings in the lower left.
  2. Click on Edit Configuration then click on Plugins.
  3. Click on +PluginGroup.
  4. Select AWS from the list.
  5. (Optional) Select the default Region to be used for all plugins within this project.
  6. From the Credential Provider field dropdown, select ECS.
  7. Click Save in the lower right.

Alternative AWS Authentication: Access Key & Secret Key

  1. Create an AWS Access Key and Secret Key that is associated with an IAM Role by following these instructions.
  2. Once the keys have been downloaded, add the Secret Key into Project or System Key Storage using the Password key type, following these instructions.

    Tip

    If using a third-party credential store, such as Hashicorp Vault, then skip step 2.

Now that the AWS Secret Key has been added to Key Storage, use the following steps to configure authentication for either the entire system or for a specific project:

System Level

  1. Click on the System Menu (gear icon) in the upper right.
  2. Click on System Configuration.
  3. Navigate to the AWS section and click on the Pencil Icon in the upper right.
  4. Click the Select button next to Key Storage Password and find the AWS Secret that was saved in step 2 above.
  5. Place your AWS Access Key into the Access Key ID field.
  6. (Optional) Set a default Region to be used for all plugins.
  7. Click Save in the lower right.

Project Level

  1. In the specific project, click on Project Settings in the lower left.
  2. Click on Edit Configuration then click on Plugins.
  3. Click on +PluginGroup.
  4. Select AWS from the list.
  5. Click the Select button next to Key Storage Password and find the AWS Secret that was saved in step 2 above.
  6. Place your AWS Access Key into the Access Key ID field.
  7. (Optional) Select the default Region to be used for all plugins within this project.
  8. Click Save in the lower right.