Set up AWS for Workflows

After this setup, you can start using all the AWS for Workflows AWS actions in your workflow.

Prerequisites

  • Permission to configure an Identity Provider and a role in AWS IAM.

  • The user needs the Dynatrace default policy AppEngine - Admin to install AWS for Workflows, to add a connection, to configure the outbound connections, and to authenticate with AWS. In detail, the following permissions are needed:

    ALLOW app-engine:apps:install;
    ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:hyperscaler-authentication.aws.connection";
    ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "builtin:dt-javascript-runtime.allowed-outbound-connections";
    ALLOW hyperscaler-authentication:aws:authenticate;

Steps

Step 1

Install AWS for Workflows

Step 2

Configure AWS IAM

Step 3

Set up an AWS Connection

Step 4

Add a host to the Allow-list in Limit outbound connections

Step 5

Grant permissions to Workflows

Step 1 Install AWS for Workflows

To use the AWS for Workflows actions, you need to install AWS for Workflows from Dynatrace Hub.

  1. In Dynatrace Hub Hub, select AWS for Workflows.
  2. Select Install.

Step 2 Configure AWS IAM

The AWS for Workflows actions use OpenID Connect (OIDC) to authenticate with AWS, allowing them to access AWS resources. To configure AWS IAM

  1. Add a new Identity Provider.
  2. Add an AWS role.

Add a new Identity Provider

Add a new Identity Provider to AWS IAM using Dynatrace OIDC as a federated identity. Therefore, use the following parameters:

Parameter
Value
Identity Provider URL
https://token.dynatrace.com
Identity Provider Audience
Has to match the pattern <tenant-domain>/app-id/dynatrace.aws.connector

For example, the correct audience for the tenant abc12345 would be abc12345.apps.dynatrace.com/app-id/dynatrace.aws.connector.

Add an IAM role

Add a new IAM role to AWS IAM that is assumed when using the AWS connection in the Dynatrace workflow.

  • Use the previously created Identity Provider as a trusted entity.
  • Attach permission policies to the role or create an inline permission policy containing the required permissions.

Example code for the trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::000000000000:oidc-provider/token.dynatrace.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.dynatrace.com:aud": "<your-tenant>/app-id/dynatrace.aws.connector",
                    "token.dynatrace.com:sub": "dtid:connection/<your-connection-name>"
                }
            }
        }
    ]
}

We highly recommend adding the condition key "token.dynatrace.com:sub": "dtid:connection/<your-connection-name>" in your trust policy for limiting which Dynatrace connection is allowed to assume the role. Replace <your-connection-name> with the name of the connection that you'll create in the following step.

We recommend applying the principle of least privilege when defining the Role and adding only the necessary permissions.

The AWS for Workflows actions list AWS regions where the workflow action can operate. The IAM role needs the action account:ListRegions in its policy to list the available regions.

Here is an example of an inline policy:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": "account:ListRegions",
			"Resource": "*"
		}
	]
}

Step 3 Set up an AWS Connection

Set up an AWS Connection to authenticate with AWS

  1. Go to Settings Settings > Dynatrace Service Settings > AWS Connections.
  2. Select Add item.
  3. In Name, enter a unique name that identifies your connection and matches the property provided in token.dynatrace.com:sub
  4. In Credential Type, select Web identity.
  5. In Role ARN, select the ARN of the previously created AWS IAM role.
  6. optional In Policy ARNs, enter the policies to restrict the used of the AWS IAM role.
  7. Select Save changes.

Result: You have an AWS connection that is used to authenticate against your AWS account. The retrieved temporary AWS credentials are used to execute the AWS workflow actions.

Step 4 Add a host to the Allow-list in Limit outbound connections

To add *.amazonaws.com to the Allow-list

  1. Go to Settings Settings > Preferences > Limit outbound connections.
  2. Select Add item to add *.amazonaws.com.

For more information, see Add a host to the allowlist.

Step 5 Grant permissions to Workflows

Some permissions are required by Workflows to run actions on your behalf.

To fine-tune permissions granted to Workflows

  1. Go to Workflows and select Settings > Authorization settings.
  2. Select the following permissions besides the general Workflows permission.
    • hyperscaler-authentication:aws:authenticate
    • settings:objects:read

For more on general Workflows user permissions, see User permissions for workflows.