Setting up a credentials manager with an EC2 role

When the IBM® FileNet® Content Engine is deployed on an Amazon EC2 instance as a traditional WebSphere Application Server (WAS) installation, you can handle temporary credentials with the EC2RoleCredentialsManager credentials manager that is supplied with the Content Engine.

Configuration in AWS

To start using a credentials manager, you first set up an IAM role in AWS. The role needs a permissions policy that grants the Content Engine access to the Amazon S3 buckets it uses (scope it to those buckets rather than to all of S3). It also needs a trust policy that allows the Amazon EC2 service (ec2.amazonaws.com) to assume the role, so that the instance can retrieve the temporary credentials.

Once the role, the permission policy and the trust policy are defined, you need to launch the EC2 instance running the Content Platform Engine with the defined IAM role or attach the IAM role to the EC2 instance.

The Content Engine retrieves the security credentials provided by the role from the instance metadata item iam/security-credentials/role-name (under /latest/meta-data/ on the instance metadata endpoint), and is granted the permissions for the actions and resources that you defined for the role through the security credentials associated with it. These security credentials are temporary, and AWS rotates them automatically. AWS makes new credentials available at least five minutes before the old credentials expire.

For more information about IAM roles for EC2 instances, refer to the AWS documentation: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

Note:

The credentials manager implementation supplied with Content Engine, EC2RoleCredentialsManager, only supports Instance Metadata Service Version 2 (IMDSv2) to retrieve temporary credentials from EC2 instance metadata. It does not fall back to IMDSv1, so IMDSv2 must be enabled on the instance; you can also enforce it by setting the instance metadata option HttpTokens to required.

Creation of a credentials manager in ACCE

You create a credentials manager in ACCE to handle authentication for Amazon S3 storage devices. When you create an Amazon S3 storage device, you can configure its authentication method to use the credentials manager that you defined. When you create a credentials manager you:
  • Name the new credentials manager.
  • Set Manager Class to com.filenet.engine.content.handlers.s3.EC2RoleCredentialsManager.
  • Set the ec2rolename configuration parameter to the name of the service role you set up for the Amazon EC2 instance running the Content Engine.
    For example, ec2rolename=myS3Role, where myS3Role is the name of the service role you set up in AWS.
  • (Optional) Use the other configuration parameters to tune the credentials manager to ensure that there are no errors or interruptions when the credentials are rotated.
    Table 1. Configuration parameters for credentials managers
    connectiontimeoutsecs
        Time allowed for a connection request. Default: 30 seconds.
    readtimeoutsecs
        Time allowed for a read request. Default: 30 seconds.
    ec2metatokenttlsecs (1)
        Time-to-live requested for the IMDSv2 session token. The token obtained by the first request must be used to retrieve the instance metadata within this period. Default: 300 seconds.
    refreshinadvancesecs
        The amount of time before the current credentials expire at which the Content Platform Engine requests new credentials. Default: 900 seconds.

    Use key=value pairs separated by a semicolon to list the configuration parameters. For example, ec2rolename=jo-cpe-role; connectiontimeoutsecs=50; readtimeoutsecs=60; ec2metatokenttlsecs=600; refreshinadvancesecs=600.

  • (Optional) Set the secret parameter(s) for the credentials manager.
    A write-only property giving any secret parameters required by the credentials manager, as the UTF-8 encoded bytes of a string value. It is stored encrypted in the GCD. This property is not required for EC2RoleCredentialsManager.

(1) This is not the timeout for the credentials themselves. The credentials exposed through the EC2 instance metadata expire in about 6 hours.
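The following Python script is an added example, not IBM's EC2RoleCredentialsManager code. It shows what the procedure on this page amounts to on the instance: the configuration string entered in ACCE is parsed against the defaults in Table 1, an IMDSv2 session token is requested with ec2metatokenttlsecs as its time-to-live, the token is presented to read iam/security-credentials/role-name, and the next refresh time is computed as the credential expiry minus refreshinadvancesecs. The HTTP transport is injectable so the script runs offline against a constructed fake IMDS (the fake role name myS3Role, the token value and the credential JSON are made up; the header names and the metadata paths are the real IMDSv2 ones).

```python
"""Added example: an IMDSv2 role-credential fetch driven by the ACCE
credentials-manager parameters. Not IBM's code; the fake IMDS below is constructed."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

IMDS_BASE = "http://169.254.169.254/latest"  # EC2 instance metadata endpoint

# Defaults from Table 1 on this page.
DEFAULTS = {
    "connectiontimeoutsecs": 30,
    "readtimeoutsecs": 30,
    "ec2metatokenttlsecs": 300,
    "refreshinadvancesecs": 900,
}


def parse_manager_config(text):
    """Parse 'key=value; key=value' as entered in ACCE and apply the Table 1 defaults."""
    cfg = dict(DEFAULTS)
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed parameter: {item!r}")
        key, value = (part.strip() for part in item.split("=", 1))
        if key in DEFAULTS:
            cfg[key] = int(value)
        elif key == "ec2rolename":
            cfg[key] = value
        else:
            raise ValueError(f"unknown parameter: {key!r}")
    if "ec2rolename" not in cfg:
        raise ValueError("ec2rolename is required")
    return cfg


def urllib_transport(method, url, headers, timeout):
    """Real transport for use on an EC2 instance: returns (status, body)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode()


def fetch_role_credentials(cfg, transport=urllib_transport):
    """IMDSv2 only: PUT for a session token, then GET the role credentials with it."""
    # urllib exposes one socket timeout, so the two ACCE timeouts are summed here (assumption).
    timeout = cfg["connectiontimeoutsecs"] + cfg["readtimeoutsecs"]
    status, token = transport(
        "PUT", f"{IMDS_BASE}/api/token",
        {"X-aws-ec2-metadata-token-ttl-seconds": str(cfg["ec2metatokenttlsecs"])}, timeout)
    if status != 200 or not token:
        raise RuntimeError("IMDSv2 token request failed; no IMDSv1 fallback")
    status, body = transport(
        "GET", f"{IMDS_BASE}/meta-data/iam/security-credentials/{cfg['ec2rolename']}",
        {"X-aws-ec2-metadata-token": token}, timeout)
    if status != 200:
        raise RuntimeError(f"credential lookup for role {cfg['ec2rolename']!r} returned {status}")
    creds = json.loads(body)
    if creds.get("Code") != "Success":
        raise RuntimeError(f"IMDS reported {creds.get('Code')!r} for the role credentials")
    return creds


def next_refresh_time(creds, cfg):
    """When to request new credentials: expiry minus refreshinadvancesecs."""
    expires = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return expires - timedelta(seconds=cfg["refreshinadvancesecs"])


# Constructed stand-in for the instance metadata service (values are made up).
FAKE_TOKEN = "FAKE-IMDSV2-TOKEN"
FAKE_CREDS = {
    "Code": "Success", "LastUpdated": "2024-01-01T00:00:00Z", "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "example-secret",
    "Token": "example-session-token", "Expiration": "2024-01-01T06:00:00Z",
}


def fake_imds(method, url, headers, timeout):
    """Mimics IMDS with tokens required: 400 on a bad token request, 401 without a token."""
    if method == "PUT" and url.endswith("/api/token"):
        if "X-aws-ec2-metadata-token-ttl-seconds" not in headers:
            return 400, ""
        return 200, FAKE_TOKEN
    if method == "GET":
        if headers.get("X-aws-ec2-metadata-token") != FAKE_TOKEN:
            return 401, ""
        if url.endswith("/iam/security-credentials/myS3Role"):
            return 200, json.dumps(FAKE_CREDS)
        return 404, ""
    return 405, ""


def demo(config_text="ec2rolename=myS3Role; ec2metatokenttlsecs=600; refreshinadvancesecs=600"):
    cfg = parse_manager_config(config_text)
    creds = fetch_role_credentials(cfg, transport=fake_imds)
    return cfg, creds, next_refresh_time(creds, cfg)


if __name__ == "__main__":
    cfg, creds, refresh_at = demo()
    print(f"role {cfg['ec2rolename']}: key {creds['AccessKeyId']} expires {creds['Expiration']}, refresh at {refresh_at.isoformat()}")
```

To run this against a real instance, pass the default urllib_transport instead of fake_imds; a 401 from the GET in that case means the token was missing or stale, which is the failure the ec2metatokenttlsecs parameter is there to avoid, and a 404 means the role name in ec2rolename does not match the role attached to the instance.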