I am trying to configure an AWS S3 repository. In the repository rule, as you know, we have to provide the AWS Auth Profile. The AWS Auth Profile requires the AWS Access Key ID and Secret Access Key of an IAM user.
The issue here is that our enterprise AWS account does not allow IAM users. Policy requires that all AWS logins be federated through IAM roles integrated with Okta/AD SSO.
How can we create an AWS Authentication profile in Pega when company policy does not allow creating IAM users?
Our approach was to periodically refresh the Pega AWS Authentication profile with temporary credentials retrieved using SAML2AWS. However, AWS authentication is not working with temporary credentials.
@SudheeshM8807 If you’re running on EKS this can be achieved. You can create a repository using DSS instead of the Repository Rule form which allows you to skip the Authentication Profile.
Pega-Engine storage/class/:/type aws-s3
Pega-Engine storage/class/:/bucket
Pega-Engine storage/class/:/rootpath
The pods need to run using a service account that can use OIDC to assume an IAM role that can access the bucket. This takes a fair bit of configuration on the AWS side; you will need someone with the expertise to set up your cluster and IAM.
Thanks @BrettAllen, good to know. We are still on on-prem VMs and are not planning an EKS move this year. Do you happen to know why the temporary STS credentials are not recognized by the AWS Auth profile?
This repository doesn’t need any authentication profile and runs on top of the EC2 service account privilege (which has the relevant IAM roles for the S3 bucket you want to access).
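As an added illustration (not from the original thread or from Pega), this is the shape of a least-privilege IAM policy for the instance role or IRSA role the replies above describe, so the role can reach only the repository's bucket and root path rather than all of S3. The bucket name EXAMPLE-BUCKET and root path EXAMPLE-ROOTPATH are placeholders, assumed to match the values you put in the bucket and rootpath DSS entries; the Sid values mark each statement as part of this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleListOnlyTheRepositoryPrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["EXAMPLE-ROOTPATH", "EXAMPLE-ROOTPATH/*"]
        }
      }
    },
    {
      "Sid": "ExampleObjectAccessUnderTheRootPathOnly",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/EXAMPLE-ROOTPATH/*"
    }
  ]
}
```

Attach the policy to the IAM role that the EC2 instance profile (or, on EKS, the pod's service account via OIDC) assumes; no access key or secret is stored in Pega, and the credentials the SDK picks up from the instance metadata or the web-identity token are short-lived and rotated by AWS. If the repository needs no deletes, drop s3:DeleteObject from the second statement.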
@Kannesh On point 3, where it says the repository will be created: will Pega automatically create this repository, and if so, do we need to do any configuration apart from the two DSS?
@BrettAllen After creating the DSS rules, if we are not able to see the repository rule, does it indicate that the EC2 instance doesn’t have an IAM role attached?