Set up AWS for Workflows

After this setup, you can start using all the AWS for Workflows AWS actions in your workflow.

Prerequisites

  • Permission to configure an Identity Provider and a role in AWS IAM.

  • The user needs the Dynatrace default policy AppEngine - Admin to install AWS for Workflows, to add a connection, to configure the outbound connections, and to authenticate with AWS. In detail, the following permissions are needed:

    ALLOW app-engine:apps:install;
    ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:hyperscaler-authentication.aws.connection";
    ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:dt-javascript-runtime.allowed-outbound-connections";
    ALLOW hyperscaler-authentication:aws:authenticate;

Steps

Step 1 Install AWS for Workflows

To use the AWS for Workflows actions, you need to install AWS for Workflows from Dynatrace Hub.

  1. In Dynatrace Hub, select AWS for Workflows.
  2. Select Install.

Step 2 Configure AWS IAM

The AWS for Workflows actions use OpenID Connect (OIDC) to authenticate with AWS, allowing them to access AWS resources. To configure AWS IAM

  1. Add a new Identity Provider.
  2. Add an AWS role.

Add a new Identity Provider

Add a new Identity Provider to AWS IAM using Dynatrace OIDC as a federated identity. To do so, use the following parameters:

    Parameter                    Value
    Identity Provider URL        https://token.dynatrace.com
    Identity Provider Audience   Has to match the pattern <tenant-domain>/app-id/dynatrace.aws.connector

For example, the correct audience for the tenant abc12345 would be abc12345.apps.dynatrace.com/app-id/dynatrace.aws.connector.

Add an IAM role

Add a new IAM role to AWS IAM that is assumed when using the AWS connection in the Dynatrace workflow.

  • Use the previously created Identity Provider as a trusted entity.
  • Attach permission policies to the role or create an inline permission policy containing the required permissions.

Example code for the trust policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::000000000000:oidc-provider/token.dynatrace.com"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "token.dynatrace.com:aud": "<your-tenant>/app-id/dynatrace.aws.connector",
              "token.dynatrace.com:sub": "dtid:connection/<your-connection-name>"
            }
          }
        }
      ]
    }

We highly recommend adding the condition key "token.dynatrace.com:sub": "dtid:connection/<your-connection-name>" to your trust policy to limit which Dynatrace connection is allowed to assume the role. Replace <your-connection-name> with the name of the connection that you'll create in the following step.
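As an added example that is not part of the Dynatrace documentation, the following Python check reads a role's trust policy and reports whether every statement that lets token.dynatrace.com call sts:AssumeRoleWithWebIdentity pins both the token.dynatrace.com:aud and token.dynatrace.com:sub conditions described above. The tenant domain, connection name and the two sample policies are constructed for the example.

```python
ISSUER = "token.dynatrace.com"
AUDIENCE_SUFFIX = "/app-id/dynatrace.aws.connector"

def check_trust_policy(policy: dict, tenant_domain: str, connection_name: str) -> list:
    """Return findings for each Allow statement that lets the Dynatrace OIDC provider
    call sts:AssumeRoleWithWebIdentity; an empty list means aud and sub are both pinned."""
    expected_aud = f"{tenant_domain}{AUDIENCE_SUFFIX}"
    expected_sub = f"dtid:connection/{connection_name}"
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (stmt.get("Effect") != "Allow"
                or not federated.endswith(f"oidc-provider/{ISSUER}")
                or "sts:AssumeRoleWithWebIdentity" not in actions):
            continue  # not a Dynatrace web-identity statement
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        aud = cond.get(f"{ISSUER}:aud")
        sub = cond.get(f"{ISSUER}:sub")
        if aud != expected_aud:  # missing, placeholder left in, or another tenant
            findings.append(f"statement {i}: aud is {aud!r}, expected {expected_aud!r}")
        if sub is None:  # the recommended sub condition is absent
            findings.append(f"statement {i}: no {ISSUER}:sub condition, so any "
                            "connection in the tenant may assume this role")
        elif sub != expected_sub:
            findings.append(f"statement {i}: sub is {sub!r}, expected {expected_sub!r}")
    return findings

def _statement(aud, sub=None):
    """Build one constructed trust statement shaped like the example above."""
    cond = {f"{ISSUER}:aud": aud}
    if sub is not None:
        cond[f"{ISSUER}:sub"] = sub
    return {"Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::000000000000:oidc-provider/{ISSUER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": cond}}

TENANT, CONNECTION = "abc12345.apps.dynatrace.com", "prod-aws"  # constructed values
GOOD_POLICY = {"Version": "2012-10-17",
               "Statement": [_statement(f"{TENANT}{AUDIENCE_SUFFIX}", f"dtid:connection/{CONNECTION}")]}
WEAK_POLICY = {"Version": "2012-10-17",  # aud only: every connection in the tenant qualifies
               "Statement": [_statement(f"{TENANT}{AUDIENCE_SUFFIX}")]}

if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(name, check_trust_policy(pol, TENANT, CONNECTION) or "OK")
```

To check a deployed role, load the JSON returned for the role's AssumeRolePolicyDocument into `policy` instead of the constructed dicts.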

We recommend applying the principle of least privilege when defining the Role and adding only the necessary permissions.

The AWS for Workflows actions list AWS regions where the workflow action can operate. The IAM role needs the action account:ListRegions in its policy to list the available regions.

Here is an example of an inline policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "account:ListRegions",
          "Resource": "*"
        }
      ]
    }

Step 3 Set up an AWS Connection

Set up an AWS Connection to authenticate with AWS

  1. Go to Settings and select Connections > Connectors > AWS.
  2. Select Add Connection.
  3. In Name, enter a unique name that identifies your connection and matches the property provided in token.dynatrace.com:sub.
  4. In Credential Type, select Web identity.
  5. In Role ARN, select the ARN of the previously created AWS IAM role.
  6. Optional: In Policy ARNs, enter the policies that restrict the use of the AWS IAM role.
  7. Select Create.

Result: You have an AWS connection that is used to authenticate against your AWS account. The retrieved temporary AWS credentials are used to execute the AWS workflow actions.

Step 4 Add a host to the Allow-list in Limit outbound connections

To add *.amazonaws.com to the Allow-list

  1. Go to Settings and select Connections > Outbound and inbound > Limit outbound connections. This opens the Settings Classic page.
  2. Select Add item to add *.amazonaws.com.

For more information, see Add a host to the allowlist.

Step 5 Grant permissions to Workflows

Some permissions are required by Workflows to run actions on your behalf.

To fine-tune permissions granted to Workflows

  1. Go to Workflows and select Settings > Authorization settings.
  2. Select the following permissions in addition to the general Workflows permissions.
    • hyperscaler-authentication:aws:authenticate
    • settings:objects:read

For more on general Workflows user permissions, see User permissions for workflows.