Container Orchestration Connection Profiles

The following topics describe connection profiles for container orchestration platforms and services:

ConnectionProfile:AWS ECS

AWS Elastic Container Service (ECS) is a container management service that enables you to execute, stop, manage, and monitor containerized applications in a cluster.

For more information about this plug-in, see Control-M for Amazon ECS.

The following examples show how to define a connection profile for an AWS ECS job.

  • This JSON defines a connection profile that authenticates with an AWS access key and secret:

    {
      "AWS ECS":
      {
        "Type": "ConnectionProfile:AWS ECS",
        "AWS ECS URL": "https://ecs.us-east-1.amazonaws.com",
        "Cloud Watch URL": "https://logs.us-east-1.amazonaws.com",
        "AWS Region": "us-east-1",
        "Authentication Method": "Secret",
        "AWS Access Key": "<Access Key>",
        "AWS Secret": "*****",
        "Connection Timeout": "30",
        "Description": "",
        "Centralized": true
      }
    }
  • This JSON defines a connection profile that authenticates with an AWS IAM role from inside an EC2 instance:

    {
      "AWS ECS":
      {
        "Type": "ConnectionProfile:AWS ECS",
        "AWS ECS URL": "https://ecs.us-east-1.amazonaws.com",
        "Cloud Watch URL": "https://logs.us-east-1.amazonaws.com",
        "AWS Region": "us-east-1",
        "Authentication Method": "IAM",
        "AWS IAM Role": "IAM ROLE",
        "Connection Timeout": "30",
        "Description": "",
        "Centralized": true
      }
    }

The following table describes the AWS ECS job connection profile parameters.

Parameter

Description

AWS ECS URL

Defines the AWS ECS service endpoint, based on the following format:

https://ecs.<region>.amazonaws.com

The region in this URL must match the AWS Region parameter. For the list of regional endpoints available for the AWS ECS service, refer to the AWS documentation.

Cloud Watch URL

Defines the Amazon CloudWatch Logs endpoint, based on the following format:

https://logs.<region>.amazonaws.com

AWS Region

Determines the AWS region where the job is located.

Example: us-east-2

Authentication Method

Determines one of the following authentication methods:

  • Secret: Authenticates with an AWS access key and secret. Use this method when the Control-M/Agent runs outside the AWS infrastructure; the key pair is a long-lived credential, so store the secret with Secrets in Code and rotate it regularly.

  • IAM: Authenticates with an AWS IAM role from within the AWS infrastructure, which removes the need to provide additional credentials. Prefer this method whenever the Agent runs inside AWS.

AWS Access Key

(Secret Authentication) Defines the access key assigned to the account with the relevant permissions to the AWS service.

AWS Secret

(Secret Authentication) Defines the secret access key assigned to the account with the relevant permissions to the AWS service.

You can use Secrets in Code to hide this value in the code.

AWS IAM Role

(IAM Authentication) Defines the Identity and Access Management (IAM) role name for the AWS service connection.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request before a timeout occurs.

Default: 30

Centralized

Determines whether to create a centralized connection profile, which is stored in the Control-M/EM database and is available to all Agents.

You must set this parameter to true.

ConnectionProfile:AWS App Runner

AWS App Runner is a service to deploy containerized web applications and APIs directly from source code or container images, without the need to manage infrastructure.

For more information about this plug-in, see Control-M for AWS App Runner.

The following examples show how to define a connection profile for an AWS App Runner job:

  • This JSON defines a connection profile that authenticates with an AWS access key and secret:

    {
      "AAP": {
        "Type": "ConnectionProfile:AWS App Runner",
        "AWS App Runner URL": "https://apprunner.{{AWSRegion}}.amazonaws.com",
        "AWS Region": "us-east-1",
        "Authentication": "Secret",
        "AWS Access Key": "AKIARY7BFFFFFFFFFFFF",
        "AWS Secret": "*****",
        "Connection Timeout": "20",
        "Description": "AWS AppRunner CCP",
        "Centralized": true
      }
    }
  • This JSON defines a connection profile that authenticates with an AWS IAM role from within the AWS infrastructure:

    {
      "AWS_AAP_IAM": {
        "Type": "ConnectionProfile:AWS App Runner",
        "AWS App Runner URL": "https://apprunner.{{AWSRegion}}.amazonaws.com",
        "AWS Region": "us-east-1",
        "Authentication": "IAM",
        "IAM Role": "arn:aws:iam::122343212345:role/Amazon12SSMRoleForInstancesQuickSetup",
        "Connection Timeout": "20",
        "Description": "",
        "Centralized": true
      }
    }

Parameter

Description

AWS App Runner URL

Defines the AWS App Runner service endpoint, based on the following format:

https://apprunner.<region>.amazonaws.com

The region must match the AWS Region parameter; in the examples above it is supplied by the {{AWSRegion}} variable.

Example: https://apprunner.us-east-1.amazonaws.com

AWS Region

Determines the AWS region where the job is located.

Example: us-east-2

Authentication

Determines one of the following authentication methods:

  • Secret: Authenticates with an AWS access key and secret. Use this method when the Control-M/Agent runs outside the AWS infrastructure; the key pair is a long-lived credential, so store the secret with Secrets in Code and rotate it regularly.

  • IAM: Authenticates with an AWS IAM role from within the AWS infrastructure, which removes the need to provide additional credentials. Prefer this method whenever the Agent runs inside AWS.

AWS Access Key

(Secret Authentication) Defines the access key assigned to the account with the relevant permissions to the AWS service.

AWS Secret

(Secret Authentication) Defines the secret access key assigned to the account with the relevant permissions to the AWS service.

You can use Secrets in Code to hide this value in the code.

IAM Role

(IAM Authentication) Defines the Identity and Access Management (IAM) role for the AWS service connection (the example above specifies the role ARN).

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request before a timeout occurs.

Default: 20

Centralized

Determines whether to create a centralized connection profile, which is stored in the Control-M/EM database and is available to all Agents.

You must set this parameter to true.
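The two AWS tables above describe the same contract: the endpoint region must agree with AWS Region, each authentication method needs its own fields, and the secret must not sit in the profile in plaintext. The validator below, an added example that is not Control-M code, encodes those rules for both ConnectionProfile:AWS ECS and ConnectionProfile:AWS App Runner so a profile can be checked before it is deployed. The Secrets in Code reference format ({{secret:name}}) and the regional endpoint pattern are assumptions; confirm both against your Control-M version.

```python
"""Sanity checks for Control-M AWS ECS / App Runner connection profiles (added example, not Control-M code).
Assumptions: Secrets in Code references look like {{secret:name}}; regional endpoints are
<service>.<region>.amazonaws.com; a {{...}} variable in the host skips the region check."""
import json
import re
from urllib.parse import urlparse

# Parameter names differ slightly between the two plug-ins (see the tables above).
PROFILE_RULES = {
    "ConnectionProfile:AWS ECS": {"auth_key": "Authentication Method", "role_key": "AWS IAM Role",
                                  "urls": {"AWS ECS URL": "ecs", "Cloud Watch URL": "logs"}},
    "ConnectionProfile:AWS App Runner": {"auth_key": "Authentication", "role_key": "IAM Role",
                                         "urls": {"AWS App Runner URL": "apprunner"}},
}
ENDPOINT_RE = re.compile(
    r"^(?P<service>[a-z0-9-]+)\.(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)\.amazonaws\.com$"
)
MASKED_RE = re.compile(r"^\*+$")                       # "*****" as shown in the examples
SECRET_REF_RE = re.compile(r"^\{\{secret:[^}]+\}\}$")  # assumed Secrets in Code syntax


def is_protected(value):
    """True when a secret value is masked or a Secrets in Code reference, not plaintext."""
    return bool(MASKED_RE.match(value) or SECRET_REF_RE.match(value))


def check_endpoint(findings, key, url, expected_service, region):
    """Endpoint must be https, point at the expected service, and agree with AWS Region."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        findings.append(f"{key}: scheme must be https, got {parsed.scheme!r}")
    host = parsed.netloc
    if "{{" in host:
        return  # region comes from a Control-M variable such as {{AWSRegion}}
    match = ENDPOINT_RE.match(host)
    if not match:
        findings.append(f"{key}: {host!r} is not a regional amazonaws.com endpoint")
        return
    if match["service"] != expected_service:
        findings.append(f"{key}: expected {expected_service}.<region>, got {match['service']!r}")
    if region and match["region"] != region:
        findings.append(f"{key}: endpoint region {match['region']!r} != AWS Region {region!r}")


def validate_profile(body):
    """Return a list of findings for one profile body; an empty list means it passed."""
    findings = []
    rules = PROFILE_RULES.get(body.get("Type"))
    if rules is None:
        return [f"unsupported Type {body.get('Type')!r}"]
    if body.get("Centralized") is not True:
        findings.append("Centralized must be true")
    timeout = str(body.get("Connection Timeout", ""))
    if not timeout.isdigit() or int(timeout) <= 0:
        findings.append(f"Connection Timeout must be a positive number of seconds, got {timeout!r}")
    method = body.get(rules["auth_key"])
    if method == "Secret":
        for key in ("AWS Access Key", "AWS Secret"):
            if not body.get(key):
                findings.append(f"{key} is required for Secret authentication")
        if body.get("AWS Secret") and not is_protected(body["AWS Secret"]):
            findings.append("AWS Secret is stored in plaintext; mask it or use Secrets in Code")
    elif method == "IAM":
        if not body.get(rules["role_key"]):
            findings.append(f"{rules['role_key']} is required for IAM authentication")
        for key in ("AWS Access Key", "AWS Secret"):
            if key in body:  # leftover long-term credentials next to a role are a smell
                findings.append(f"{key} is set but unused with IAM authentication; remove it")
    else:
        findings.append(f"{rules['auth_key']} must be 'Secret' or 'IAM', got {method!r}")
    region = body.get("AWS Region", "")
    for key, service in rules["urls"].items():
        if key not in body:
            findings.append(f"{key} is missing")
        else:
            check_endpoint(findings, key, body[key], service, region)
    return findings


def validate_document(text):
    """Validate every profile in a JSON document; returns {profile name: [findings]}."""
    return {name: validate_profile(body) for name, body in json.loads(text).items()}


# Constructed sample: the IAM profile from this page next to a deliberately bad one
# (http endpoint in another region, plaintext secret, zero timeout, not centralized).
SAMPLE = """{
  "AWS ECS": {
    "Type": "ConnectionProfile:AWS ECS",
    "AWS ECS URL": "https://ecs.us-east-1.amazonaws.com",
    "Cloud Watch URL": "https://logs.us-east-1.amazonaws.com",
    "AWS Region": "us-east-1", "Authentication Method": "IAM", "AWS IAM Role": "IAM ROLE",
    "Connection Timeout": "30", "Centralized": true
  },
  "BAD_ECS": {
    "Type": "ConnectionProfile:AWS ECS",
    "AWS ECS URL": "http://ecs.us-west-2.amazonaws.com",
    "Cloud Watch URL": "https://logs.us-east-1.amazonaws.com",
    "AWS Region": "us-east-1", "Authentication Method": "Secret",
    "AWS Access Key": "AKIARY7BFFFFFFFFFFFF",
    "AWS Secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "Connection Timeout": "0", "Centralized": false
  }
}"""
```

Run validate_document(SAMPLE): the page's own IAM profile passes with no findings, while BAD_ECS produces five (scheme, region mismatch, plaintext secret, timeout, Centralized). The region check is skipped when the host carries a {{...}} variable, as in the App Runner examples, because the value is only known at run time.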

ConnectionProfile:Azure Container Instances

Azure Container Instances enables you to run an isolated container in Azure, without having to manage any virtual machines and without having to adopt a higher-level service.

For more information about this plug-in, see Control-M for Azure Container Instances.

The following examples show how to define a connection profile for an Azure Container Instances job.

  • This JSON-based connection profile authenticates using a service principal:

    {
      "ACI_SERVPRINC":
      {
        "Type": "ConnectionProfile:Azure Container Instances",
        "Subscription ID": "e76056e0-70de-4da8-b02e-61263a150b1f",
        "Authentication Method": "PRINCIPAL",
        "Tenant ID": "tenantId",
        "Application ID": "7f477fa3-1a1f-4877-ba80-f39bb563f1b5",
        "Client Secret": "*****",
        "Login URL": "https://login.microsoftonline.com",
        "Management URL": "https://management.azure.com",
        "Connection Timeout": "50",
        "Description": "",
        "Centralized": true
      }
    }
  • This JSON-based connection profile authenticates using a managed identity:

    {
      "ACI_MANID":
      {
        "Type": "ConnectionProfile:Azure Container Instances",
        "Subscription ID": "e76056e0-70de-4da8-b02e-61263a150b1f",
        "Authentication Method": "MANAGEDID",
        "Specify Managed Identity Client ID": "&client_id=",
        "Managed Identity Client ID": "72d454264f0-ac32-45ea-9158-f8s5433e4ee16",
        "Login URL": "https://login.microsoftonline.com",
        "Management URL": "https://management.azure.com",
        "Connection Timeout": "50",
        "Description": "",
        "Centralized": true
      }
    }

The following table describes the Azure Container Instances job connection profile parameters.

Parameter

Description

Subscription ID

Defines the ID of the Azure subscription in which the container instances run.

You can retrieve the subscription ID from the Subscription menu in the Azure portal.

Authentication Method

Determines one of the following authentication methods:

  • PRINCIPAL: Access protected Azure services and resources based on roles assigned to the Service Principal by the Azure administrator. The Service Principal is also known as an App Registration. Use this method if the Control-M/Agent is installed on-premises or with another (non-Azure) cloud vendor.

  • MANAGEDID: Access protected Azure services and resources using a key created and managed by the Azure platform, without login credentials. Use this method if the Control-M/Agent is installed on an Azure virtual machine that has a Managed Identity with the required permissions.

Managed Identity authentication is based on an Azure token that is valid for 24 hours, by default. You can extend the token lifetime in Azure.

Specify Managed Identity Client ID

(Managed identity authentication) Determines whether the managed identity is specified by the Managed Identity Client ID parameter.

This parameter must be included when you use the Managed Identity authentication method and there are multiple managed identities defined on your Azure VM.

Valid Values:

  • "&client_id=": The Managed Identity Client ID parameter contains the managed identity used for authentication. You must specify this value when your Azure VM has multiple managed identities.

  • "": The Managed Identity Client ID parameter does not contain a managed identity value. The managed identity is automatically retrieved from the Azure VM.

Managed Identity Client ID

(Managed identity authentication) Defines the client ID of the managed identity used for access.

This parameter requires a value only if there are multiple managed identities defined on your Azure VM and you included the Specify Managed Identity Client ID parameter.

If there is only one managed identity, it is detected automatically.

Tenant ID

(Service Principal authentication) Defines the Microsoft Entra tenant ID where the Azure Container Instance is created.

Application ID

(Service Principal authentication) Defines the application (client) ID of the Registered App for the Azure service in your Microsoft Entra/Azure AD tenant.

The corresponding Service Principal must be assigned the Owner or Contributor role for the Azure service. Assign the role at the narrowest scope that still covers the container instances the jobs manage (for example, their resource group rather than the whole subscription).

Client Secret

(Service Principal authentication) Defines the client secret (password) associated with the Service Principal/registered application.

You can use Secrets in Code to hide this value in the code.

Login URL

Defines the base URL of the Microsoft Entra/Azure AD authentication endpoint.

Default: https://login.microsoftonline.com

Do not change the default value unless you are required to by your Azure Administrator.

Management URL

Defines the Azure Resource Manager endpoint used for the API calls; it is also the resource (audience) for which the authentication token is requested.

Default: https://management.azure.com

Do not change the default value unless you are required to by your Azure Administrator.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request before a timeout occurs.

Default: 50

Centralized

Determines whether to create a centralized connection profile, which is stored in the Control-M/EM database and is available to all Agents.

You must set this parameter to true.
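The PRINCIPAL and MANAGEDID parameters above correspond to two different Microsoft Entra token flows: a client-credentials request to the Login URL for a service principal, and a request to the VM's Instance Metadata Service (IMDS) for a managed identity, where the "&client_id=" marker selects one identity among several. The following added example, which is not Control-M code and does not describe how the plug-in performs these calls internally, builds the request each method implies from a profile so that the parameters can be reviewed together. The IMDS endpoint, API version and the v2.0 token endpoint are standard Azure values; the interpretation of "&client_id=" as a flag that appends the client ID to the IMDS query follows the parameter description above and is an assumption. The identity values are constructed placeholders.

```python
"""Token request implied by an Azure Container Instances connection profile (added example, not Control-M code).
Assumes: MANAGEDID resolves through the VM's IMDS; PRINCIPAL uses the Entra v2.0 client-credentials
grant; "&client_id=" in Specify Managed Identity Client ID means 'append Managed Identity Client ID'."""
from urllib.parse import urlencode

# Azure Instance Metadata Service: link-local endpoint that hands a VM's managed identity its tokens.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
CLIENT_ID_MARKER = "&client_id="  # the literal value used by Specify Managed Identity Client ID


def build_token_request(profile):
    """Return (http_method, url, headers, body) for the token call the profile implies."""
    method = profile.get("Authentication Method")
    management = profile.get("Management URL", "https://management.azure.com").rstrip("/")
    if method == "MANAGEDID":
        url = IMDS_TOKEN_URL + "?" + urlencode({"api-version": IMDS_API_VERSION, "resource": management + "/"})
        marker = profile.get("Specify Managed Identity Client ID", "")
        client_id = profile.get("Managed Identity Client ID", "")
        if marker == CLIENT_ID_MARKER:
            if not client_id:
                raise ValueError("Specify Managed Identity Client ID is set but Managed Identity Client ID is empty")
            url += CLIENT_ID_MARKER + client_id  # pick one of several identities assigned to the VM
        elif marker != "":
            raise ValueError(f"Specify Managed Identity Client ID must be {CLIENT_ID_MARKER!r} or empty")
        # No credential is sent: IMDS only answers from inside the VM, and only with Metadata: true.
        return "GET", url, {"Metadata": "true"}, None
    if method == "PRINCIPAL":
        missing = [k for k in ("Tenant ID", "Application ID", "Client Secret") if not profile.get(k)]
        if missing:
            raise ValueError("PRINCIPAL authentication requires " + ", ".join(missing))
        login = profile.get("Login URL", "https://login.microsoftonline.com").rstrip("/")
        url = f"{login}/{profile['Tenant ID']}/oauth2/v2.0/token"
        body = {
            "grant_type": "client_credentials",  # app-only flow; permissions come from RBAC role assignments
            "client_id": profile["Application ID"],
            "client_secret": profile["Client Secret"],
            "scope": management + "/.default",   # token audience is the Management URL
        }
        return "POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, urlencode(body)
    raise ValueError(f"unknown Authentication Method {method!r}")


# Constructed samples mirroring the two profiles above (placeholder IDs, masked secret).
SERVICE_PRINCIPAL = {
    "Type": "ConnectionProfile:Azure Container Instances",
    "Subscription ID": "e76056e0-70de-4da8-b02e-61263a150b1f",
    "Authentication Method": "PRINCIPAL",
    "Tenant ID": "tenantId",
    "Application ID": "7f477fa3-1a1f-4877-ba80-f39bb563f1b5",
    "Client Secret": "*****",
    "Login URL": "https://login.microsoftonline.com",
    "Management URL": "https://management.azure.com",
    "Centralized": True,
}
MANAGED_IDENTITY = {
    "Type": "ConnectionProfile:Azure Container Instances",
    "Subscription ID": "e76056e0-70de-4da8-b02e-61263a150b1f",
    "Authentication Method": "MANAGEDID",
    "Specify Managed Identity Client ID": "&client_id=",
    "Managed Identity Client ID": "00000000-0000-0000-0000-000000000001",
    "Login URL": "https://login.microsoftonline.com",
    "Management URL": "https://management.azure.com",
    "Centralized": True,
}
```

Two points the output makes visible: the managed-identity path carries no secret at all (the request is authenticated by where it comes from), and the service-principal path sends the client secret in the request body, which is why that value belongs in Secrets in Code rather than in the profile file.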

ConnectionProfile:GCP Cloud Run

GCP Cloud Run is a managed compute platform that runs containers on demand, without requiring you to provision or manage a cluster.

For more information about this plug-in, see Control-M for GCP Cloud Run.

The following example shows how to define a GCP Cloud Run connection profile that authenticates as a service account:

{
  "GCR":
  {
    "Type": "ConnectionProfile:GCP Cloud Run",
    "Identity Type": "service_account",
    "Cloud Run URL": "https://run.googleapis.com",
    "Service Account Key": "*****",
    "Description": "",
    "Connection Timeout": 20,
    "Centralized": true
  }
}

The following table describes the GCP Cloud Run job connection profile parameters.

Parameter

Description

Identity Type

Determines one of the following authentication types with GCP Access Control:

  • service_account: Authenticates with a service account key (the JSON key file, which contains the service account's private key).

  • iam_user: Authenticates with the IAM identity detected on the GCP resource where the Agent runs (for example, the service account attached to the VM), which removes the need to provide additional credentials.

GCP Cloud Run URL

Defines the Google Cloud Platform (GCP) API endpoint for Cloud Run (named Cloud Run URL in the example above).

Example: https://run.googleapis.com

Service Account Key

(service_account) Defines the service account key: the JSON key file that contains the service account's private RSA key, embedded as a single JSON string value.

You can use Secrets in Code to hide this value in the code.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request before a timeout occurs.

Default: 20 seconds

Centralized

Determines whether to create a centralized connection profile, which is stored in the Control-M/EM database and is available to all Agents.

You must set this parameter to true.

ConnectionProfile:Kubernetes

The Kubernetes job enables you to run a pod to completion in a Kubernetes-based cluster.

For more information about this plug-in, see Control-M for Kubernetes.

The following examples show how to define a connection profile for a Kubernetes job:

  • This JSON includes basic authentication for retrieval of the job spec from a remote web service:

    {
      "KBN_CCP_BASIC":
      {
        "Type": "ConnectionProfile:Kubernetes",
        "Description": "Profile for agent running in the Kubernetes cluster",
        "Namespace": "jobspace",
        "Spec Endpoint URL": "my.com",
        "Kubernetes Cluster URL": "https://kubernetes.default.svc",
        "Service Token File": "/var/run/secrets/kubernetes.io/serviceaccount/token",
        "Connection Timeout": "50",
        "Centralized": true,
        "WebServiceAuthenticationBasic":
        {
          "UsePreemptiveAuth": true,
          "User": "User Name",
          "Password": "Password"
        }
      }
    }
  • This JSON includes OAuth2 authentication for retrieval of the job spec from a remote web service:

    {
      "KBN_CCP_OAUTH2":
      {
        "Type": "ConnectionProfile:Kubernetes",
        "Description": "Profile for agent running in the Kubernetes cluster",
        "Namespace": "jobspace",
        "Spec Endpoint URL": "my.com",
        "Kubernetes Cluster URL": "https://kubernetes.default.svc",
        "Service Token File": "/var/run/secrets/kubernetes.io/serviceaccount/token",
        "Connection Timeout": "20",
        "Centralized": true,
        "WebServiceAuthenticationOauth2":
        {
          "Headers": [
            { "key1": "value1" },
            { "key2": "value2" }
          ],
          "Body": [
            { "resource1": "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d" },
            { "resource2": "2ff814a6-3310-4ab8-85de-cd0e6f879c12" }
          ],
          "ApiUrl": "https://login.microsoftonline.com/tenantId/oauth2/token",
          "ContentType": "application/x-www-form-urlencoded",
          "ClientId": "7f477fa3-1a1f-4877-ba80-f39bb563f1b5",
          "ClientSecret": "*****",
          "BasicAuthentication":
          {
            "User": "jdoe",
            "Password": "*****"
          },
          "GrantTypePassword":
          {
            "User": "abc",
            "Password": "*****"
          }
        }
      }
    }
  • This JSON includes AWS authentication for retrieval of the job spec from a remote web service:

    {
      "KBN_CCP_AWS":
      {
        "Type": "ConnectionProfile:Kubernetes",
        "Description": "Profile for agent running in the Kubernetes cluster",
        "Namespace": "jobspace",
        "Spec Endpoint URL": "my.com",
        "Kubernetes Cluster URL": "https://kubernetes.default.svc",
        "Service Token File": "/var/run/secrets/kubernetes.io/serviceaccount/token",
        "Connection Timeout": "50",
        "Centralized": true,
        "WebServiceAuthenticationAws":
        {
          "CustomServiceName": "batch",
          "Region": "eu-west-2",
          "AuthMethodAccessAndSecretKeys":
          {
            "AccessKey": "MYAWSACCESSKEY1234",
            "SecretAccessKey": "*****"
          }
        }
      }
    }
  • This JSON includes Google authentication for retrieval of the job spec from a remote web service (the service account key is embedded as a single JSON string, so every quotation mark inside it is escaped):

    {
      "KBN_CCP_GCP":
      {
        "Type": "ConnectionProfile:Kubernetes",
        "Description": "Profile for agent running in the Kubernetes cluster",
        "Namespace": "jobspace",
        "Spec Endpoint URL": "my.com",
        "Kubernetes Cluster URL": "https://kubernetes.default.svc",
        "Service Token File": "/var/run/secrets/kubernetes.io/serviceaccount/token",
        "Connection Timeout": "50",
        "Centralized": true,
        "WebServiceAuthenticationGoogle":
        {
          "TokenType": "Access",
          "ServiceAccountKey": "{\"type\":\"service_account\",\"project_id\":\"sso-gcp-dba-ctm1-priv-cc30752\",\"private_key_id\":\"5197d05c5b8212bea944985cec74a34d6c1868aa\",\"private_key\":\"-----BEGIN PRIVATE KEY-----\\nprivate-key\\n-----END PRIVATE KEY-----\\n\",\"client_email\":\"bmc-wla-svc-02@sso-gcp-dba-ctm1-priv-cc30752.iam.gserviceaccount.com\",\"client_id\":\"116650586827623521335\",\"auth_uri\":\"https://accounts.google.com/o/oauth2/auth\",\"token_uri\":\"https://oauth2.googleapis.com/token\",\"auth_provider_x509_cert_url\":\"https://www.googleapis.com/oauth2/v1/certs\",\"client_x509_cert_url\":\"https://www.googleapis.com/robot/v1/metadata/x509/bmc-wla-svc-02%40sso-gcp-dba-ctm1-priv-cc30752.iam.gserviceaccount.com\"}"
        }
      }
    }

The following table describes the Kubernetes job connection profile parameters.

Parameter

Description

Namespace

Defines the name of the Application namespace (that is, the namespace where the Kubernetes jobs run).

Spec Endpoint URL

Defines an endpoint URL if you want the Kubernetes job spec to be retrieved from a remote location at the time of job execution (instead of providing the job spec YAML file during job definition).

This option was introduced in Control-M for Kubernetes 9.0.21.210 (plug-in version 2.0.00).

If the connection to the endpoint URL requires authentication, use one of the following objects to define the authentication type and to group together additional authentication parameters:

  • WebServiceAuthenticationBasic

  • WebServiceAuthenticationOauth2

  • WebServiceAuthenticationAws

  • WebServiceAuthenticationGoogle

User

(Basic) Defines the basic authentication username.

Password

(Basic) Defines the basic authentication password. You can use Secrets in Code to hide this value in the code.

UsePreemptiveAuth

(Basic authentication) Determines whether to send the Authorization header with the first request, instead of waiting for the web service to reply with a 401 challenge.

Valid Values:

  • True

  • False

Default: False

ApiUrl

(OAuth2) Defines the OAuth2 token endpoint URL of the web service, which issues the access token used to retrieve the job spec.

ClientId

(OAuth2) Defines the OAuth2 client ID of the application registered with the web service.

ClientSecret

(OAuth2) Defines the OAuth2 client secret associated with that client ID. You can use Secrets in Code to hide this value in the code.

BasicAuthentication

(OAuth2) Determines whether to add HTTP basic authentication (a separate user and password) to the OAuth2 token request.

GrantTypePassword

(OAuth2) Determines whether the OAuth2 web service requires a resource owner (grant) user and password in addition to the client ID and secret. This is the OAuth2 password grant; use it only where the token endpoint requires it, because the grant is prohibited by the OAuth 2.0 Security Best Current Practice and omitted from OAuth 2.1.

ContentType

(OAuth2) Defines the content type of the token request body.

Example: application/x-www-form-urlencoded (the encoding that OAuth2 token endpoints expect)

Headers

(OAuth2) Defines OAuth2 header parameters, as an array of Key:Value pairs.

Body

(OAuth2) Defines OAuth2 body parameters, as an array of Key:Value pairs.

Region

(AWS) Defines the AWS region.

CustomServiceName

(AWS) Defines the AWS service to access.

AuthMethodIAMRole

(AWS) Determines that authentication of the AWS connection is based on an Identity and Access Management (IAM) role. The IAMRole parameter on the next level defines the IAM role for the AWS connection.

AuthMethodAccessAndSecretKeys

(AWS) Determines that authentication of the AWS connection is based on an AWS access key and secret, with the following parameters on the next level:

  • AccessKey: Defines the AWS account access key.

  • SecretAccessKey: Defines the AWS account secret access key.

TokenType

(Google) Determines one of the following token types for GCP Access Control:

  • Access

  • Identity

ServiceAccountKey

(Google) Defines the service account key: the JSON key file that contains the service account's private RSA key, embedded as a single JSON string value. Every quotation mark inside the key must therefore be escaped as \" and each newline in the private key as \\n, as in the example above. You can use Secrets in Code to hide this value in the code.

Kubernetes Cluster URL

Defines the URL for the connection to the Kubernetes cluster.

Default: https://kubernetes.default.svc

Service Token File

Defines the path to the service account token file for the connection to Kubernetes. The default is the token that Kubernetes mounts into the Agent pod, so it applies when the Agent runs inside the cluster (as in the examples above).

Default: /var/run/secrets/kubernetes.io/serviceaccount/token

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request to Kubernetes before a timeout occurs.

Default: 50

Centralized

Determines whether to create a centralized connection profile, which is stored in the Control-M/EM database and is available to all Agents.

You must set this parameter to true.
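Both the GCP Cloud Run Service Account Key parameter and the Kubernetes ServiceAccountKey parameter above carry a Google service account key file as a single JSON string inside the profile JSON. That means the key is serialized twice, and escaping it by hand is how strings end up with stray \...\ sequences instead of \"...\". The following added example, which is not Control-M or Google code, embeds a key correctly with a second json.dumps, parses it back, and applies structural checks (the fields and PEM framing that gcloud-generated key files have). The key and profile values are constructed placeholders, and the validation rules are the author's, not the plug-in's.

```python
"""Embedding a GCP service account key in a Control-M profile (added example, not Control-M or Google code).
Serves both the Cloud Run "Service Account Key" and Kubernetes "ServiceAccountKey" parameters.
Assumptions: key files carry the fields listed in REQUIRED_FIELDS and a PKCS#8 PEM private key."""
import json
import re

# Fields present in key files produced by `gcloud iam service-accounts keys create`.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email", "client_id", "token_uri")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.gserviceaccount\.com$")
GOOGLE_TOKEN_URI = "https://oauth2.googleapis.com/token"


def validate_key(key):
    """Structural checks on a parsed key dict; returns a list of findings (empty means OK)."""
    findings = [f"missing {f}" for f in REQUIRED_FIELDS if not key.get(f)]
    if key.get("type") != "service_account":  # an authorized_user file is a different credential type
        findings.append(f"type must be 'service_account', got {key.get('type')!r}")
    pk = key.get("private_key", "")
    if not (pk.startswith("-----BEGIN PRIVATE KEY-----\n") and pk.rstrip("\n").endswith("-----END PRIVATE KEY-----")):
        findings.append("private_key is not a PEM PKCS#8 private key block")
    if not EMAIL_RE.match(key.get("client_email", "")):
        findings.append("client_email is not a *.gserviceaccount.com address")
    if key.get("token_uri", GOOGLE_TOKEN_URI) != GOOGLE_TOKEN_URI:
        findings.append("token_uri is not Google's token endpoint")
    return findings


def embed_key(profile, field, key):
    """Return a copy of the profile with the key stored under `field` as a JSON string."""
    findings = validate_key(key)
    if findings:
        raise ValueError("; ".join(findings))
    out = dict(profile)
    out[field] = json.dumps(key, separators=(",", ":"))  # json.dumps produces the \" and \\n escapes
    return out


def extract_key(profile, field):
    """Parse the embedded key back out of a profile dict."""
    return json.loads(profile[field])


def roundtrip(profile, field, key):
    """Embed, serialize to profile-file text, parse back: returns (text, key_again)."""
    text = json.dumps(embed_key(profile, field, key), indent=2)
    return text, extract_key(json.loads(text), field)


def is_well_formed(profile_text, field):
    """True if the profile JSON parses, the embedded key parses, and the key validates."""
    try:
        key = json.loads(json.loads(profile_text)[field])
    except (json.JSONDecodeError, KeyError, TypeError):
        return False
    return not validate_key(key)


# Constructed sample key (placeholder IDs, no real private key material).
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n",
    "client_email": "ctm-agent@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": GOOGLE_TOKEN_URI,
}
CLOUD_RUN_PROFILE = {
    "Type": "ConnectionProfile:GCP Cloud Run",
    "Identity Type": "service_account",
    "Cloud Run URL": "https://run.googleapis.com",
    "Connection Timeout": 20,
    "Centralized": True,
}
# Constructed: the hand-escaping failure pattern, where \"...\" degraded to \...\ around a value.
BROKEN_PROFILE = r'{"ServiceAccountKey": "{\"type\":\"service_account\",\"client_email\":\ctm@p.iam.gserviceaccount.com\,\"client_id\":\"1\"}"}'
```

roundtrip() returns the text that would go into the profile file together with the key recovered from it; is_well_formed() on BROKEN_PROFILE is False because the outer JSON parser rejects the invalid \c and \, escapes, which is the failure a mangled key produces at deploy time. The embedded value is still a secret in the file; in a stored profile, mask it or reference it through Secrets in Code.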