EC2 Cloud Connector
Retrieve Cloud Connector Secrets from KSM
Last updated
Retrieve Cloud Connector Secrets from KSM
Last updated
You can store SSH Keys and Windows passwords in your Keeper vault for connecting to EC2 instances alongside the KCM Cloud Connector.
See the AWS EC2 Discovery documentation for more details on connecting KCM with AWS EC2 instances.
The feature must first be enabled using either the Docker environment variable or the guacamole properties.
For Auto Docker Install and Docker Compose Install methods, in the keeper/guacamole-db-mysql
image, a new environmental variable must be defined:
AWS_DISCOVERY_KSM_CONFIG
This must contain a Keeper Secrets Manager configuration. It can be the same config used with the KSM_CONFIG
variable.
For example:
For Advanced Linux Install method, update the guacamole.properties file.
If you are using Keeper to store the PEM key files, you can remove the volume mount in the Docker Compose file that references the location /var/lib/guac_keys/
as this will not be used.
The EC2 cloud connector recognizes Keeper records with specific fields automatically.
To create a record for use with the EC2 Cloud connector, you can either create a record that contains a pem file attachment containing your key, or a record that contains the key as text.
Create a new record which will contain the pem file. The File Attachment record type is a good match, but any type other than General will work.
The record can have any title, In this example we're using "AWS key: my-machine"
With the record created, attach the pem file.
Optionally, if you include a Hostname/IP and Port field in your record, KCM will automatically associate the pem file with EC2 connections having a matching Hostname/IP.
Lastly, ensure that the new record is in a shared folder that is accessible to KCM via the Secrets Manager vault connection.
Create a new record which will contain your machine's private key. The record is required to have a "private key" field. The SSH standard record type can be used for this.
The record can have any title.
The new record will need a custom text field named "Instance ID". Add a "Text" type custom field from the Custom Field menu, click "Edit Label" and enter "Instance ID".
The Instance ID field can also be titled anything which begins with "AWS" or "EC2"
With the record ready, enter your machine's private key into the Private Key field, and your AWS instance ID in the new custom field.
Lastly, make sure that the record is in a shared folder that is accessible to KCM via Secrets Manager integration.
Optionally, if you include a Hostname and Port field in your record, KCM will automatically associate the private key with EC2 connections with a matching IP address
The record is now complete, and will be picked up automatically by KCM if the feature is enabled.
Property Name | Default Value | Description |
---|---|---|
aws-discovery-ksm-config
false
Enable the use of Cloud Connect credentials from KSM connected vaults