search

EC2 Cloud Connector

Retrieve Cloud Connector Secrets from KSM

hashtag
About

You can store SSH Keys and Windows passwords in your Keeper vault for connecting to EC2 instances alongside the KCM Cloud Connector.

See the AWS EC2 Discovery documentation for more details on connecting KCM with AWS EC2 instances.

hashtag
Setup

hashtag
Enable

The feature must first be enabled using either the Docker environment variable or the guacamole properties.

hashtag
Docker Environment Variable

For Auto Docker Install and Docker Compose Install methods, in the keeper/guacamole-db-mysql image, a new environmental variable must be defined:

AWS_DISCOVERY_KSM_CONFIG

This must contain a Keeper Secrets Manager configuration. It can be the same config used with the KSM_CONFIG variable.

For example:

For Advanced Linux Install method, update the guacamole.properties file.

Property Name
Default Value
Description

aws-discovery-ksm-config

false

Enable the use of Cloud Connect credentials from KSM connected vaults

hashtag
Remove volume mount for PEM key files

If you are using Keeper to store the PEM key files, you can remove the volume mount in the Docker Compose file that references the location /var/lib/guac_keys/ as this will not be used.

hashtag
Configure a Record for use with Cloud Connect

The EC2 cloud connector recognizes Keeper records with specific fields automatically.

To create a record for use with the EC2 Cloud connector, you can either create a record that contains a pem file attachment containing your key, or a record that contains the key as text.

hashtag
PEM File Record

Create a new record which will contain the pem file. The File Attachment record type is a good match, but any type other than General will work.

The record can have any title, In this example we're using "AWS key: my-machine"

Create a new record to attach your pem file to

With the record created, attach the pem file.

Attach your pem file to the new record
circle-info

Optionally, if you include a Hostname/IP and Port field in your record, KCM will automatically associate the pem file with EC2 connections having a matching Hostname/IP.

Lastly, ensure that the new record is in a shared folder that is accessible to KCM via the Secrets Manager vault connection.

Move the new record to a shared folder attached to Secrets Manager

hashtag
Private Key Record

Create a new record which will contain your machine's private key. The record is required to have a "private key" field. The SSH standard record type can be used for this.

The record can have any title.

Create a new record with a private key field (standard SSH type works)

The new record will need a custom text field named "Instance ID". Add a "Text" type custom field from the Custom Field menu, click "Edit Label" and enter "Instance ID".

circle-info

The Instance ID field can also be titled anything which begins with "AWS" or "EC2"

Add a custom text field labeled "ID Instance"

With the record ready, enter your machine's private key into the Private Key field, and your AWS instance ID in the new custom field.

Lastly, make sure that the record is in a shared folder that is accessible to KCM via Secrets Manager integration.

Fill in the record details and place the record in a Secrets Manager accessible shared folder
circle-info

Optionally, if you include a Hostname and Port field in your record, KCM will automatically associate the private key with EC2 connections with a matching IP address

circle-check

The record is now complete, and will be picked up automatically by KCM if the feature is enabled.

PreviousMultiple Vaults IntegrationNextAdvanced

Last updated

Was this helpful?