Container Orchestration Connection Profiles

The following topics describe connection profiles for container orchestration platforms and services:

ConnectionProfile:AWS ECS
ConnectionProfile:AWS App Runner
ConnectionProfile:Azure Container Instances
ConnectionProfile:GCP Cloud Run
ConnectionProfile:Kubernetes

ConnectionProfile:AWS ECS

AWS Elastic Container Service (ECS) is a container management service that enables you to execute, stop, manage, and monitor containerized applications in a cluster.

The following examples show how to define a connection profile for an AWS ECS job.

This JSON defines a connection profile based on an authentication using an AWS access key and secret:

Copy

{
   "AWS ECS": 
   {
      "Type": "ConnectionProfile:AWS ECS",
      "AWS ECS URL": "https://ecs.us-east-1.amazonaws.com",
      "Cloud Watch URL": "https://logs.us-east-1.amazonaws.com",
      "AWS Region": "us-east-1",
      "Authentication Method": "Secret",
      "AWS Access Key": "<Access Key>",
      "AWS Secret": "*****",
      "Connection Timeout": "30",
      "Description": "",
      "Centralized": true
   }
}

This JSON defines a connection profile based on an authentication using an AWS IAM role from inside an EC2 instance:

Copy

{
   "AWS ECS": 
   {
      "Type": "ConnectionProfile:AWS ECS",
      "AWS ECS URL": "https://ecs.us-east-1.amazonaws.com",
      "Cloud Watch URL": "https://logs.us-east-1.amazonaws.com",
      "AWS Region": "us-east-1",
      "Authentication Method": "IAM",
      "AWS IAM Role": "IAM ROLE",
      "Connection Timeout": "30",
      "Description": "",
      "Centralized": true
   }
}

The following table describes the AWS ECS job connection profile parameters.

Parameter	Description
AWS ECS URL	Defines the AWS ECS authentication endpoint, based on the following format: https://ecs.<region>.amazonaws.com For more information about regional endpoints available for the AWS ECS service, refer to the AWS documentation.
Cloud Watch URL	Defines the Cloud Watch authentication endpoint.
AWS Region	Determines the region where the AWS ECS jobs are located.
Authentication Method	Determines one of the following authentication methods for the connection with AWS ECS: Secret: Authenticates using an access key and secret. IAM: Authenticates based on an IAM role, which removes the need to provide additional credentials.
AWS Access Key	(Secret Authentication) Defines the AWS ECS account access key.
AWS Secret	(Secret Authentication) Defines the AWS ECS account secret access key. You can use Secrets in Code to hide this value in the code.
AWS IAM Role	(IAM Authentication) Defines the Identity and Access Management (IAM) role for the AWS ECS connection.
Connection Timeout	Determines the number of seconds to wait after Control-M initiates a connection request to AWS ECS before a timeout occurs. Default:: 30
Centralized	Determines whether to create a centralized connection profile, which is stored in the Control-M/EM database and is available to all Agents. You must set this parameter to true. Values: true: Creates a centralized connection profile. false: Creates a local connection profile, which is associated with and stored on a specific Agent. Default: false

ConnectionProfile:AWS App Runner

AWS App Runner is a service to deploy containerized web applications and APIs directly from source code or container images, without the need to manage infrastructure.

The following examples show how to define a connection profile for an AWSApp Runner:

This JSON defines a connection profile based on an authentication using an AWS access key and secret:

Copy

{
    "AAP": {
        "Type": "ConnectionProfile:AWS App Runner",
        "AWS App Runner URL": "https://apprunner.{{AWSRegion}}.amazonaws.com",
        "AWS Region": "us-east-1",
        "Authentication": "Secret",
        "AWS Access Key": "AKIARY7BFFFFFFFFFFFF",
        "AWS Secret": "*****",
        "Connection Timeout": "20",        
        "Description": "AWS AppRunner CCP",
        "Centralized": true
    }
}

This JSON defines a connection profile based on an authentication using an AWS IAM role from inside an AWS App Runner instance:

Copy

{
  "AWS_AAP_IAM": {
    "Type": "ConnectionProfile:AWS App Runner",
    "AWS Backup URL": "https://apprunner.{{AWSRegion}}.amazonaws.com",
    "AWS Region": "us-east-1",
    "Authentication": "IAM",
    "IAM Role": "arn:aws:iam::122343212345:role/Amazon12SSMRoleForInstancesQuickSetup",
    "Connection Timeout": "20",    
    "Description": "",
    "Centralized": true
  }
}

Parameter	Description
AWS App Runner URL	Defines the AWS App Runner authentication endpoint. https://apprunner.us-east1.amazonaws.com
AWS Region	Determines the region where the AWS App Runner jobs are located. us-east-1
Authentication	Determines one of the following authentication methods: Secret: Authenticates using an access key and secret. IAM: Authenticates based on an IAM role, which removes the need to provide additional credentials.
AWS Access Key	Defines the AWS App Runner account access key.
AWS Secret	Defines the AWS App Runner account secret access key.
IAM Role	Defines the Identity and Access Management (IAM) role for the AWS App Runner connection.
Connection Timeout	Determines the number of seconds to wait after Control-M initiates a connection request to AWS App Runner before a timeout occurs. Default: 20
Centralized	Determines whether to create a centralized connection profile, which is stored in the Control-M/EM database and is available to all Agents. You must set this parameter to true. Values: true: Creates a centralized connection profile. false: Creates a local connection profile, which is associated with and stored on a specific Agent. Default: false

ConnectionProfile:Azure Container Instances

Azure Container Instances enables you to run an isolated container in Azure, without having to manage any virtual machines and without having to adopt a higher-level service.

The following examples show how to define a connection profile for an Azure Container Instances job.

This JSON-based connection profile authenticates using a service principal:

Copy

"ACI_SERVPRINC":
{
   "Type": "ConnectionProfile:Azure Container Instances",
   "Subscription ID": "e76056e0-70de-4da8-b02e-61263a150b1f",
   "Authentication Method": "PRINCIPAL",
   "Tenant ID": "tenantId",
   "Application ID": "7f477fa3-1a1f-4877-ba80-f39bb563f1b5",  
   "Client Secret": "*****",
   "Login URL": "https://login.microsoftonline.com",
   "Management URL": "https://management.azure.com",
   "Connection Timeout": "50",
   "Description": "",
   "Centralized": true
}

This JSON-based connection profile authenticates using a managed identity:

Copy

"ACI_MANID":
{
   "Type": "ConnectionProfile:Azure Container Instances",
   "Subscription ID": "e76056e0-70de-4da8-b02e-61263a150b1f",
   "Autentication Method": "MANAGEDID", 
   "Specify Managed Identity Client ID": "&client_id=",
   "Managed Identity Client ID": "72d454264f0-ac32-45ea-9158-f8s5433e4ee16",
   "Login URL": "https://login.microsoftonline.com", 
   "Management URL": "https://management.azure.com",    
   "Connection Timeout": "50",    
   "Description": "", 
   "Centralized": true }

The following table describes the Azure Container Instances job connection profile parameters.

Parameter	Authentication Method	Description
Subscription ID	All Types	Defines the Azure account subscription ID, which is located in the Azure portal.
Authentication Method	NA	Determines one of the following authentication methods to connect to Azure Container Instance: PRINCIPAL: An Azure service principal, also known as an App Registration, is an identity created to use applications, hosted services, and automated tools that access Azure resources. This access is restricted by the roles assigned to the service principal, which gives the Azure Administrator control over which resources are accessed and at which level. Use this option if the Agent is installed on-premises or with any other cloud vendor. MANAGEDID: Enables you to access other Azure Active-Directory-protected resources. The identity is managed by the Azure platform. You do not need to provide credentials within Control-M. Use this option if the Agent is installed on an Azure virtual machine that has an assigned a Managed Identity with the required permissions. Managed Identity authentication is based on an Azure token that is valid for 24 hours, by default. You can extend the Token lifetimes in Azure.
Specify Managed Identity Client ID	Managed Identity	Determines whether the client ID for the managed identity is specified by the Managed Identity Client ID parameter. Use this option if your Azure virtual machine has multiple managed identities. Set its value to &client_id=.
Managed Identity Client ID	Managed Identity	Determines which client ID to use as the managed identity. You only need to complete this field if your Azure VM instance has multiple managed identities and you have selected the Specify Managed Identity Client ID checkbox. If you only have one ID, it is detected automatically.
Tenant ID	Service Principal	Defines the Tenant ID where the Azure Container instance is created.
Application ID	Service Principal	Defines the Azure application ID of a Service Principal that has access to interact with Azure Container instances. The service principal must be an Azure Container Instance workspace user with a Contributor or Owner role.
Client Secret	Service Principal	Defines the password associated with the Azure user and the application. You can use Secrets in Code to hide this value in the code.
Login URL	All Types	Defines the Azure AD authentication endpoint base URL. Default: https://login.microsoftonline.com Do not change the default value unless you are required to by your Azure Administrator.
Management URL	All Types	Defines the Azure service endpoint that enables you to perform API calls and retrieve the token for authentication. Default: https://management.azure.com Do not change the default value unless you are required to by your Azure Administrator.
Connection Timeout	All Types	Determines the number of seconds to wait after Control-M initiates a connection request to Azure Container Instances before a timeout occurs. Default: 50
Centralized	All Types	Determines whether to create a centralized connection profile, which is stored in the Control-M/EM database and is available to all Agents. You must set this parameter to true. Values: true: Creates a centralized connection profile. false: Creates a local connection profile, which is associated with and stored on a specific Agent. Default: false

ConnectionProfile:GCP Cloud Run

GCP Cloud Run is a container management service that enables you to execute, stop, manage, and monitor containerized applications in a cluster.

The following example shows how to define a GCP Cloud Run connection profile that authenticates as a service account:

Copy

{
   "GCR":
   {
      "Type": "ConnectionProfile:GCP Cloud Run",
      "Identity Type": "service_account",
      "Cloud Run URL": "https://run.googleapis.com",
      "Service Account Key": "*****",
      "Description": "",
      "Connection Timeout": 20,
      "Centralized": true
   }
}

The following table describes the GCP Cloud Run job connection profile parameters.

Parameter	Description
Identity Type	Determines one of the following authentication types using GCP Access Control: service_account: Authenticates with an application ID (service account) and client secret. iam_user: Authenticates based on a detected IAM role, which removes the need to provide additional credentials.
GCP Cloud Run URL	Defines the Google Cloud Platform (GCP) authentication endpoint for Cloud Run.
Service Account Key	(Service Account) Defines a service account that is associated with an RSA key pair.
Connection Timeout	Determines the number of seconds to wait after Control-M initiates a connection request to GCP Cloud Run before a timeout occurs. Default: 20 seconds
Centralized	Determines whether to create a centralized connection profile, which is stored in the Control-M/EM database and is available to all Agents. You must set this parameter to true. Values: true: Creates a centralized connection profile. false: Creates a local connection profile, which is associated with and stored on a specific Agent. Default: false

ConnectionProfile:Kubernetes

The Kubernetes job enables you to run a pod to completion in a Kubernetes-based cluster.

For more information about this plug-in, see Control-M for Kubernetes.

The following examples show how to define a connection profile for a Kubernetes job:

This JSON includes basic authentication for retrieval of the job spec from a remote web service:

Copy

{
   "KBN_CCP_BASIC": 
   {
      "Type": "ConnectionProfile:Kubernetes",
      "Description": "Profile for agent running in the Kubernetes cluster",
      "Namespace": "jobspace",
      "Spec Endpoint URL": "my.com",
      "Kubernetes Cluster URL": "https://kubernetes.default.svc",
      "Service Token File": "/var/run/secrets/kubernetes.io/serviceaccount/token",
      "Connection Timeout": "50",
      "Centralized": true,
      "WebServiceAuthenticationBasic":
      {
         "UsePreemptiveAuth": true,
         "User": "User Name",
         "Password": "Password"
      }
   }
}

This JSON includes OAuth2 authentication for retrieval of the job spec from a remote web service:

Copy

{
   "KBN_CCP_OAUTH2": 
   {
      "Type": "ConnectionProfile:Kubernetes",
      "Description": "Profile for agent running in the Kubernetes cluster",
      "Namespace": "jobspace",
      "Spec Endpoint URL": "my.com",
      "Kubernetes Cluster URL": "https://kubernetes.default.svc",
      "Service Token File": "/var/run/secrets/kubernetes.io/serviceaccount/token",
      "Connection Timeout": "20",
      "Centralized": true,
      "WebServiceAuthenticationOauth2": {
         "Headers": [
            {
               "key1": "value1"
            },
            {
               "key2": "value2"
            }
         ],
         "Body": [
            {
               "resource1": "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"
            },
            {
               "resource2": "2ff814a6-3310-4ab8-85de-cd0e6f879c12"
            }
         ],
         "ApiUrl": "https://login.microsoftonline.com/tenantId/oauth2/token",
         "ContentType": "application/x-www-form-urlencoded",
         "ClientId": "7f477fa3-1a1f-4877-ba80-f39bb563f1b5",
         "ClientSecret": "*****",
         "BasicAuthentication": {
            "Password": "*****",
            "User": "jdoe"
         },
         "GrantTypePassword": {
            "User": "abc",
            "Password": "*****"
         }
      }
   }
}

This JSON includes AWS authentication for retrieval of the job spec from a remote web service:

Copy

{
   "KBN_CCP_AWS": 
   {
      "Type": "ConnectionProfile:Kubernetes",
      "Description": "Profile for agent running in the Kubernetes cluster",
      "Namespace": "jobspace",
      "Spec Endpoint URL": "my.com",
      "Kubernetes Cluster URL": "https://kubernetes.default.svc",
      "Service Token File": "/var/run/secrets/kubernetes.io/serviceaccount/token",
      "Connection Timeout": "50",
      "Centralized": true,
      "WebServiceAuthenticationAws":
      {
         "CustomServiceName": "batch",
         "Region": "eu-west-2",
         "AuthMethodAccessAndSecretKeys":
         {
            "AccessKey": "MYAWSACCESSKEY1234",
            "SecretAccessKey": "*****"
         }
      }   
   }
}

This JSON includes Google authentication for retrieval of the job spec from a remote web service:

Copy

{
   "KBN_CCP_GCP": 
   {
      "Type": "ConnectionProfile:Kubernetes",
      "Description": "Profile for agent running in the Kubernetes cluster",
      "Namespace": "jobspace",
      "Spec Endpoint URL": "my.com",
      "Kubernetes Cluster URL": "https://kubernetes.default.svc",
      "Service Token File": "/var/run/secrets/kubernetes.io/serviceaccount/token",
      "Connection Timeout": "50",
      "Centralized": true,
      "WebServiceAuthenticationGoogle":
      {
         "TokenType": "Access",
         "ServiceAccountKey": "{\"type\":\"service_account\",\"project_id\":\"sso-gcp-dba-ctm1-priv-cc30752\",\"private_key_id\":\"5197d05c5b8212bea944985cec74a34d6c1868aa\",\"private_key\":\"-----BEGIN PRIVATE KEY-----\\nprivate-key\\n-----END PRIVATE KEY-----\\n\",\"client_email\":\bmc-wla-svc-02@sso-gcp-dba-ctm1-priv-cc30752.iam.gserviceaccount.com\,\"client_id\":\"116650586827623521335\",\"auth_uri\":\https://accounts.google.com/o/oauth2/auth\,\"token_uri\":\https://oauth2.googleapis.com/token\,  \"auth_provider_x509_cert_url\":\https://www.googleapis.com/oauth2/v1/certs\,\"client_x509_cert_url\":\https://www.googleapis.com/robot/v1/metadata/x509/bmc-wla-svc-02%40sso-gcp-dba-ctm1-priv-cc30752.iam.gserviceaccount.com\}"
      }
   }
}

The following table describes the Kubernetes job connection profile parameters.

Parameter	Description
Namespace	Defines the name of the Kubernetes namespace.
Spec Endpoint URL	Defines an endpoint URL if you want the Kubernetes job spec to be retrieved from a remote location at the time of job execution (instead of providing the job spec YAML file during job definition). This option was introduced in Control-M for Kubernetes 9.0.21.210 (plug-in version 2.0.00). If the connection to the endpoint URL requires authentication, use one of the following objects to define the authentication type and to group together additional authentication parameters: WebServiceAuthenticationBasic WebServiceAuthenticationOauth2 WebServiceAuthenticationAws WebServiceAuthenticationGoogle
User	(Basic) Defines the basic authentication username.
Password	(Basic) Defines the basic authentication password.
UsePreemptiveAuth	(Basic authentication) Determines whether to use preemptive authentication. Valid Values: True False Default: False
ApiUrl	(OAuth2) Defines the OAuth2 web service URL.
ClientId	(OAuth2) Defines the user ID associated with the Web Services REST user and application.
ClientSecret	(OAuth2) Defines the secret (password) associated with the Web Services REST user and application. You can use Secrets in Code to hide this value in the code.
BasicAuthentication	(OAuth2) Determines whether to add basic authentication to the OAuth2 authentication, by defining another user and password.
GrantTypePassword	(OAuth2) Determines whether the OAuth2 web service requires an additional grant user and password, in addition to the client ID and secret, for added security.
ContentType	(OAuth2) Defines the content type. application/x-www-form-urlencoded
Headers	(OAuth2) Defines OAuth2 header parameters, as an array of Key:Value pairs.
Body	(OAuth2) Defines OAuth2 body parameters, as an array of Key:Value pairs.
Region	(AWS) Defines the AWS region.
CustomServiceName	(AWS) Defines the AWS service to access.
AuthMethodIAMRole	(AWS) Determines that authentication of the AWS connection is based on an Identity and Access Management (IAM) role. The IAMRole parameter on the next level defines the IAM role for the AWS connection.
AuthMethodAccessAndSecretKeys	(AWS) Determines that authentication of the AWS connection is based on an AWS access key and secret, with the following parameters on the next level: AccessKey: Defines the AWS account access key. SecretAccessKey: Defines the AWS account secret access key.
TokenType	(Google) Determines one of the following token types for GCP Access Control: Access Identity
ServiceAccountKey	(Google) Defines a service account that is associated with an RSA key pair.
Kubernetes Cluster URL	Defines the URL for the connection to the Kubernetes cluster. Default: https://kubernetes.default.svc
Service Token File	Defines the path to the token file for the connection to Kubernetes. Default: /var/run/secrets/kubernetes.io/serviceaccount/token
Connection Timeout	Determines the number of seconds to wait after Control-M initiates a connection request to Kubernetes before a timeout occurs. Default: 50
Centralized	Determines whether to create a centralized connection profile, which is stored in the Control-M/EM database and is available to all Agents. You must set this parameter to true. Values: true: Creates a centralized connection profile. false: Creates a local connection profile, which is associated with and stored on a specific Agent. Default: false