Integrate with AWS Role Delegation
This section describes how to:
- configure Sysdig Monitor to use the Amazon Web Services (AWS) AssumeRole functionality
- authorize Sysdig Monitor to:
  - discover cloud assets
  - grab CloudWatch metrics from your AWS account
  - use custom Simple Storage Service (S3) buckets for storing captures
By integrating with an AWS role, you can delegate access to AWS resources that are not associated with your Sysdig AWS account.
Setting up cross-account access through roles eliminates the need to create individual Identity and Access Management (IAM) users in each account. In addition, users do not have to sign out of one account and sign in to another in order to access resources in different AWS accounts.
Role delegation is an alternative to the existing integration method based on access keys. It is considered more secure, because Amazon recommends against sharing developer access keys with third parties.
Prerequisites and Guidelines
This topic assumes that you are familiar with AWS and have the following ready:
- Sysdig Monitor API Token
- API endpoint. In this topic, it is referred to as {{host}}.
  - SaaS: See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, in US East, the endpoints are:
    - Monitor: https://app.sysdigcloud.com
    - Secure: https://secure.sysdig.com
    For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com.
  - On-Prem: Depends on the on-prem deployment.
- Administrator privileges to configure AWS integration
- API client. Examples in this topic use curl.
- AWS account ID
  - SaaS: The default AWS account ID is 273107874544 (US East region). For other regions, check AWS account IDs.
  - On-Prem: Customer-specific.
Enable AWS Role Delegation with API
This section describes how to enable AWS role delegation using an API with an Amazon Resource Name (ARN).
Get Your External ID
Retrieve your external ID as follows:
```shell
curl -k --request GET \
  --url {{host}}/api/users/me \
  --header 'authorization: Bearer e71d7c0f-501e-47d4-a159-39da8b716f44' | jq '.[] | .customer | .externalId'
```
The -k flag makes curl skip TLS certificate verification; it is only needed when an on-prem endpoint presents a certificate curl cannot validate, and should be dropped otherwise.
An example External ID from the response is 04acdd59-4c98-4d11-8ee5-424326248161.
Configure Role Delegation
Integrating the Sysdig Platform with Amazon Web Services requires configuring role delegation using AWS IAM.
1. Create a new role in the AWS IAM Console:
   - For the role type, select Another AWS account.
   - (SaaS) Enter the Sysdig account ID for Account ID. This means that you are granting read-only access to your AWS data.
   - Select Require external ID and enter the one you retrieved in the previous step. Leave Multi-Factor Authentication (MFA) disabled.
2. Click Next: Permissions.
3. Create the following policies:
   - sysdig_cloudwatch: Gives access to list and describe the supported AWS resources and to get CloudWatch metrics for them.
   - sysdig_s3: Defines the bucket name where you wish to store the captures.
   For more information on policies, see IAM Policy Code to Use. For detailed instructions on how to create a policy, see Integrate AWS Account Manually.
   If a policy has already been created, search for it on this page and select it, then skip ahead to selecting the policies in the Create role window. Otherwise, click Create Policy, which opens in a new window.
4. Click Review policy.
5. Name the policy and provide an apt description, for example, "sysdig_cloudwatch".
6. Click Create Policy.
7. You can now close this window.
8. In the Create role window, refresh the list of policies and select the policies you just created.
9. Click Next: Review.
10. Give the role a name and an apt description, for example, "sysdig_role".
11. Click Create Role.
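As an added illustration (not part of the original page or of Sysdig's own tooling), the following builds the trust policy that is equivalent to the console choices above ("Another AWS account" plus "Require external ID") and includes a check a reviewer can run against an existing role's trust policy to confirm that the external ID is actually enforced. The account ID and external ID are the example values from this page.

```python
import json

# Values from this page: the US East SaaS account ID and the example external ID.
SYSDIG_ACCOUNT_ID = "273107874544"
EXTERNAL_ID = "04acdd59-4c98-4d11-8ee5-424326248161"


def build_trust_policy(trusted_account_id, external_id):
    """Trust policy equivalent to the console choices above ('Another AWS account'
    plus 'Require external ID'). The sts:ExternalId condition is what prevents
    another customer of the trusted account from assuming this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::%s:root" % trusted_account_id},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def assume_role_requires_external_id(policy, external_id):
    """Review check for an existing role: True only if the policy grants
    sts:AssumeRole and every Allow statement that does so carries a
    StringEquals sts:ExternalId condition equal to the expected value."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    found = False
    for stmt in statements:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        grants = any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions)
        if stmt.get("Effect") != "Allow" or not grants:
            continue
        found = True
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            return False
    return found


if __name__ == "__main__":
    policy = build_trust_policy(SYSDIG_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("external ID enforced:", assume_role_requires_external_id(policy, EXTERNAL_ID))
```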
Get Role ARN
Open the role you just created in the AWS IAM console and copy the Role ARN shown on its summary page. You need it in the next section.
Add the AWS Account
Using the role that you have created, add an AWS account on the Sysdig Monitor side. Use the following API call:
```shell
curl --request POST \
  --url {{host}}/api/providers \
  --header 'authorization: Bearer e71d7c0f-501e-47d4-a159-39da8b716f44' \
  --header 'content-type: application/json' \
  --data '{"name": "aws","credentials": {"role": "<Role_ARN>"},"alias": "role_delegation"}'
```
Replace <Role_ARN> with the one that you copied in the previous section.
The response lists all the providers. An example response is given below:
```json
{
  "provider": {
    "id": 7,
    "name": "aws",
    "credentials": {
      "id": "role_delegation",
      "role": "arn:aws:iam::485365068658:role/sysdig-access3"
    },
    "tags": [],
    "status": {
      "status": "configured",
      "lastUpdate": null,
      "percentage": 0,
      "lastProviderMessages": []
    },
    "alias": "role_delegation"
  }
}
```
Verify that the role delegation has been created:
1. Log in to Sysdig Monitor as an administrator.
2. Do one of the following:
   - Select Integrations > AWS CloudWatch.
   - From the user menu, select Settings > AWS.
   The role that you created is added to the list of AWS Accounts.
3. Proceed to enable CloudWatch and the AWS S3 bucket.
See AWS: Integrate AWS Account and CloudWatch Metrics (Legacy) for more information.
Additional Configuration for On-Prem
1. Create an AWS user that will be used to fetch temporary credentials.
2. Assign a policy to the user that allows AssumeRole. For example:
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::{ACCOUNT-ID}:role/{ROLE_NAME}*"
  }
}
```
3. Make the access keys available from one of the following sources:
   - Environment variables
   - Java system properties
   - Instance profile credentials delivered through the Amazon EC2 metadata service
   The EC2 metadata service is recommended if the installation is on AWS.
Example: Set Environment Variables on a Kubernetes Installation
Create the Secret:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: aws-credentials
type: Opaque
data:
  aws.accessKey: {{BASE64_ENCODED_ACCESS_KEY_ID}}
  aws.secretKey: {{BASE64_ENCODED_ACCESS_KEY_SECRET}}
```
Expose the variables in the deployment descriptors (sysdigcloud-collector, sysdigcloud-worker, sysdigcloud-api) and reference the values in the newly created Secret:
```yaml
- name: AWS_ACCESS_KEY_ID
  valueFrom:
    secretKeyRef:
      key: aws.accessKey
      name: aws-credentials
- name: AWS_SECRET_ACCESS_KEY
  valueFrom:
    secretKeyRef:
      key: aws.secretKey
      name: aws-credentials
```
Add the variables to the descriptors on each platform update until the new variables are part of the installer.
Set Up Resource Discovery
The supported AWS services are EC2, RDS, Elastic Load Balancer (ELB), ElastiCache, Simple Queue Service (SQS), DynamoDB, and Application Load Balancer (ALB).
By default, all the resources are fetched for all regions supported by AWS. You can limit this by whitelisting regions when creating a provider key via the API. Note that additionalOptions is a JSON document serialised into a string, hence the escaped quotes. Example body of the provider key request when whitelisting regions:
```json
{
  "name": "aws",
  "credentials": {
    "role": "arn:aws:iam::676966947806:role/test-assume-role"
  },
  "additionalOptions": "{\"regions\":[\"US_EAST_1\",\"US_EAST_2\"]}"
}
```
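The following is an added example (not code from the original page or from Sysdig) that builds the body for the POST to {{host}}/api/providers shown in the Add the AWS Account section, including the double-encoded additionalOptions region whitelist described above, and reads the status back out of a response in the shape of the example response. The role ARN and the sample response text are constructed from the values on this page; the ARN check is an assumption of this example, not an API rule.

```python
import json
import re

# Constructed sample values for this example; the ARN is the one from the page's example body.
ROLE_ARN = "arn:aws:iam::676966947806:role/test-assume-role"
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def is_role_arn(value):
    """Sanity check before the POST: an IAM role ARN with a 12-digit account ID."""
    return bool(ROLE_ARN_RE.match(value))


def build_provider_body(role_arn, alias, regions=None):
    """Body for POST {{host}}/api/providers. additionalOptions is a JSON document
    serialised to a string inside the outer JSON, which is why the page's example
    shows escaped quotes in it; calling json.dumps twice produces that encoding."""
    if not is_role_arn(role_arn):
        raise ValueError("not an IAM role ARN: %s" % role_arn)
    body = {"name": "aws", "credentials": {"role": role_arn}, "alias": alias}
    if regions:
        body["additionalOptions"] = json.dumps({"regions": list(regions)})
    return json.dumps(body)


def whitelisted_regions(body):
    """Read the region whitelist back out of a request body or a provider object."""
    doc = json.loads(body)
    opts = doc.get("additionalOptions")
    return json.loads(opts).get("regions", []) if opts else []


# Constructed response text in the shape of the example response on this page.
SAMPLE_RESPONSE = """{"provider": {"id": 7, "name": "aws",
  "credentials": {"id": "role_delegation", "role": "arn:aws:iam::485365068658:role/sysdig-access3"},
  "tags": [], "status": {"status": "configured", "lastUpdate": null, "percentage": 0,
  "lastProviderMessages": []}, "alias": "role_delegation"}}"""


def provider_summary(response_text):
    """Return (role ARN, status, provider messages) so a script can verify the
    delegation was accepted instead of relying on the HTTP status code alone."""
    p = json.loads(response_text)["provider"]
    return p["credentials"]["role"], p["status"]["status"], list(p["status"]["lastProviderMessages"])


if __name__ == "__main__":
    print(build_provider_body(ROLE_ARN, "role_delegation", ["US_EAST_1", "US_EAST_2"]))
    print(provider_summary(SAMPLE_RESPONSE))
```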
Enable AWS Role Delegation with UI
Use the AWS option in the Settings menu to configure AWS role delegation.
1. Log in to Sysdig Monitor as an administrator.
2. Do one of the following:
   - Select Integrations > AWS CloudWatch.
   - From the user menu, select Settings > AWS.
3. Click Add Accounts.
   The Identity Authentication page opens to the Role Delegation tab.
4. Specify the following:
   - Role ARN: The Role ARN associated with the role you have created for role delegation. It is available on the summary page of the role in the AWS console. For more information, see Integrate with AWS Role Delegation.
   - AWS External ID: Ensure that the AWS External ID is displayed on the page.
     - SaaS: For account IDs corresponding to your region, see SaaS Regions and IP Ranges.
     - On-Prem: Customer-specific.
5. Click Save.