-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathintegration-manifest.json
More file actions
182 lines (182 loc) · 7.33 KB
/
Copy pathintegration-manifest.json
File metadata and controls
182 lines (182 loc) · 7.33 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
{
"$schema": "https://keyfactor.github.io/integration-manifest-schema.json",
"integration_type": "orchestrator",
"name": "AWS Certificate Manager (ACM) Orchestrator",
"status": "production",
"update_catalog": true,
"link_github": true,
"release_dir": "aws-acm-orchestrator/bin/Release",
"release_project": "aws-acm-orchestrator/aws-acm-orchestrator.csproj",
"support_level": "kf-supported",
"description": "The AWS ACM Orchestrator supports Inventory and Management of certificates in the AWS Certificate Manager. It supports three methods of authentication: Environmental Credentials loaded via the AWS SDK e.g. inside an EC2 instance; IAM User Credentials for assuming a Role as a specific user; OAuth-based Credentials to authenticate with an OAuth provider to assume a Role.",
"about": {
"orchestrator": {
"UOFramework": "10.1",
"keyfactor_platform_version": "9.10",
"pam_support": true,
"store_types": [
{
"Name": "AWS Certificate Manager v3",
"ShortName": "AWS-ACM-v3",
"Capability": "AWS-ACM-v3",
"LocalStore": false,
"SupportedOperations": {
"Add": true,
"Create": false,
"Discovery": false,
"Enrollment": false,
"Remove": true
},
"Properties": [
{
"Name": "UseDefaultSdkAuth",
"DisplayName": "Use Default SDK Auth",
"Type": "Bool",
"DependsOn": "",
"DefaultValue": "false",
"Required": true,
"IsPAMEligible": false,
"Description": "A switch to enable the store to use Default SDK credentials"
},
{
"Name": "DefaultSdkAssumeRole",
"DisplayName": "Assume new Role using Default SDK Auth",
"Type": "Bool",
"DependsOn": "UseDefaultSdkAuth",
"DefaultValue": "false",
"Required": false,
"IsPAMEligible": false,
"Description": "A switch to enable the store to assume a new Role when using Default SDK credentials"
},
{
"Name": "UseOAuth",
"DisplayName": "Use OAuth 2.0 Provider",
"Type": "Bool",
"DependsOn": "",
"DefaultValue": "false",
"Required": true,
"IsPAMEligible": false,
"Description": "A switch to enable the store to use an OAuth provider workflow to authenticate with AWS"
},
{
"Name": "OAuthScope",
"DisplayName": "OAuth Scope",
"Type": "String",
"DependsOn": "UseOAuth",
"DefaultValue": "",
"Required": false,
"IsPAMEligible": false,
"Description": "This is the OAuth Scope needed for Okta OAuth, defined in Okta"
},
{
"Name": "OAuthGrantType",
"DisplayName": "OAuth Grant Type",
"Type": "String",
"DependsOn": "UseOAuth",
"DefaultValue": "client_credentials",
"Required": false,
"IsPAMEligible": false,
"Description": "In OAuth 2.0, the term 'grant type' refers to the way an application gets an access token. In Okta this is `client_credentials`"
},
{
"Name": "OAuthUrl",
"DisplayName": "OAuth Url",
"Type": "String",
"DependsOn": "UseOAuth",
"DefaultValue": "https://***/oauth2/default/v1/token",
"Required": false,
"IsPAMEligible": false,
"Description": "An optional parameter sts:ExternalId to pass with Assume Role calls"
},
{
"Name": "OAuthClientId",
"DisplayName": "OAuth Client ID",
"Type": "Secret",
"DependsOn": "",
"DefaultValue": "",
"Required": false,
"IsPAMEligible": true,
"Description": "The Client ID for OAuth."
},
{
"Name": "OAuthClientSecret",
"DisplayName": "OAuth Client Secret",
"Type": "Secret",
"DependsOn": "",
"DefaultValue": "",
"Required": false,
"IsPAMEligible": true,
"Description": "The Client Secret for OAuth."
},
{
"Name": "UseIAM",
"DisplayName": "Use IAM User Auth",
"Type": "Bool",
"DependsOn": "",
"DefaultValue": "false",
"Required": true,
"IsPAMEligible": false,
"Description": "A switch to enable the store to use IAM User auth to assume a role when authenticating with AWS"
},
{
"Name": "IAMUserAccessKey",
"DisplayName": "IAM User Access Key",
"Type": "Secret",
"DependsOn": "",
"DefaultValue": "",
"Required": false,
"IsPAMEligible": true,
"Description": "The AWS Access Key for an IAM User"
},
{
"Name": "IAMUserAccessSecret",
"DisplayName": "IAM User Access Secret",
"Type": "Secret",
"DependsOn": "",
"DefaultValue": "",
"Required": false,
"IsPAMEligible": true,
"Description": "The AWS Access Secret for an IAM User."
},
{
"Name": "ExternalId",
"DisplayName": "sts:ExternalId",
"Type": "String",
"DependsOn": "",
"DefaultValue": "",
"Required": false,
"IsPAMEligible": false,
"Description": "An optional parameter sts:ExternalId to pass with Assume Role calls"
}
],
"EntryParameters": [
{
"Name": "ACM Tags",
"DisplayName": "ACM Tags",
"Type": "String",
"RequiredWhen": {
"HasPrivateKey": false,
"OnAdd": false,
"OnRemove": false,
"OnReenrollment": false
},
"Description": "The optional ACM tags that should be assigned to the certificate. Multiple name/value pairs may be entered in the format of `Name1=Value1,Name2=Value2,...,NameN=ValueN`"
}
],
"PasswordOptions": {
"EntrySupported": false,
"StoreRequired": false,
"Style": "Default"
},
"PrivateKeyAllowed": "Required",
"ServerRequired": false,
"PowerShell": false,
"BlueprintAllowed": true,
"CustomAliasAllowed": "Optional",
"ClientMachineDescription": "This is a full AWS ARN specifying a Role. This is the Role that will be assumed in any Auth scenario performing Assume Role. This will dictate what certificates are usable by the orchestrator. A preceding [profile] name should be included if a Credential Profile is to be used in Default Sdk Auth.",
"StorePathDescription": "A single specified AWS Region the store will operate in. Additional regions should get their own store defined."
}
]
}
}
}