Application Workflow Connection Profiles

The following topics describe the connection profile parameters for application workflow platforms and services:

Airflow Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for Airflow.

You must enable the remote REST API access to connect and use Control-M for Airflow, as described in Enabling Remote REST API Access.

The following table describes the Airflow connection profile parameters.

Parameter Description

Connect To

Determines whether this connection profile is connected to the one of the following:

  • Standalone Airflow Server

  • Google Composer

  • Google Composer 2

Service Account Key

Determines which service account file (JSON) is used to access data in Google Composer.

Base URL

Defines the Airflow web UI URL in Google Composer.

Target Audience

Defines the JWT (JSON Web Token) audience for the IAP (Identity-Aware Proxy) Google Cloud service.

If you do not know the target audience value, define any text value and test the connection profile.

The error message indicates the required target audience value.

Host Name

Defines the Airflow host name.

User Name

Defines the username that is used to log in to the Airflow server.

Port

Defines the Airflow port number of the Airflow web server.

Password

Defines the password to log in to the Airflow server.

Secured connection (HTTPS)

Determines whether a secure connection to the Airflow server is established.

Valid Values:

  • True

  • False

Enabling Remote REST API Access

This procedure describes how to configure the Standalone Airflow Server to accept REST API requests that are required by Control-M for Airflow.

Begin

  1. Log in to your Airflow server account.

  2. Open airflow.cfg and modify.

  3. Verify that the Airflow property auth_backend (auth_backends from version 2.3.0) has a value of airflow.api.auth.backend.basic_auth.

  4. Restart the Airflow server.

Importing a Standalone Airflow Server Certificate to Support HTTPS Connection

This procedure describes how to import a standalone Airflow Server certificate in the apcerts file for the plug-in (trusted certificates store) for supporting HTTPS connection.

Begin

  1. Download the certificate from the Airflow server.

  2. Import the certificate file to the Control-M for Airflow JRE truststore, by running the following command:

    • Windows:<JRE>\bin\keytool -import -keystore <AG>\cm\AFL\data\security\apcerts -file <certificate file> -storepass <password, default is appass>

    • Linux:<JRE>/bin/keytool -import -keystore <AG>/cm/AFL/data/security/apcerts -file <certificate file> -storepass <password, default is appass>

    /home/agent/my_java/bin/keytool -import -keystore /home/agent/cm/AFL/data/security/apcerts -file airflow.cer -storepass appass

  3. Restart the Agent.

Apache Airflow Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for Apache Airflow.

The following table describes the Apache Airflow connection profile parameters.

Parameter

Description

Airflow URL

Defines the Apache authentication endpoint for Airflow.

https://localhost

Username

Defines the username that is used to log in to the Airflow server.

Password

Defines the password to log in to the Airflow server.

Use External Vault

Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request to Apache Airflow before a timeout occurs.

Default: 60 seconds

Apache NiFi Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for Apache NiFi.

The following table describes the Apache NiFi connection profile parameters.

Parameter

Description

NiFi URL

Defines the Apache authentication endpoint for NiFi.

https://localhost

Port

Defines the port number of the Apache NiFi server.

Username

Defines the Apache NiFi server username.

Password

Defines the Apache NiFi server password.

Use External Vault

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request before a timeout occurs.

Default: 50 seconds

Astronomer Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for Astronomer.

The following table describes the Astronomer connection profile parameters.

Parameter

Description

Deployment URL

Defines the Astronomer deployment endpoint URL in the Airflow environment.

https://clybeh1ok01ke01k6wr9szi10.astronomer.run/dns2rtpk

Bearer Token

Defines a security token to authenticate API requests to Astronomer, which allows access to protected resources.

Use External Vault

Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request to Astronomer before a timeout occurs.

Default: 30 seconds

AWS MWAA Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for AWS MWAA.

The following table describes the AWS MWAA connection profile parameters.

Parameter Description

AWS MWAA URL

Determines the authentication endpoint for AWS MWAA, based on the following format:
https://states.<region name>.amazonaws.com

https://states.eu-east-1.amazonaws.com

AWS Region

Determines the region where the AWS MWAA jobs are located.

us-east-1

Authentication

Determines one of the following authentication methods:

  • AWS Key & Secret: Authenticates with an AWS access key and secret, which are used for services outside the AWS infrastructure.

  • AWS IAM Role: Authenticates with an AWS IAM role from within the AWS infrastructure, which removes the need to provide additional credentials.

AWS Access Key

Defines the access key assigned to the account with the relevant permissions to the AWS service.

AWS Secret

Defines the secret access key assigned to the account with the relevant permissions to the AWS service.

IAM Role

Defines the Identity and Access Management (IAM) role name for the AWS service connection.

Use External Vault

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request before a timeout occurs.

Default: 60

 

AWS Step Functions Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for AWS Step Functions.

The following table describes the AWS Step Functions connection profile parameters.

Parameter Description

Step Functions URL

Determines the authentication endpoint for AWS Step Functions, based on the following format:
https://states.<region name>.amazonaws.com

https://states.eu-east-1.amazonaws.com

AWS Region

Determines the region where the AWS Step Functions jobs are located.

us-east-1

Authentication

Determines one of the following authentication methods:

  • AWS Key & Secret: Authenticates with an AWS access key and secret, which are used for services outside the AWS infrastructure.

  • AWS IAM Role: Authenticates with an AWS IAM role from within the AWS infrastructure, which removes the need to provide additional credentials.

AWS IAM Role is currently not supported for this plug-in on ECS container instances and for EKS services.

AWS Access Key

Defines the access key assigned to the account with the relevant permissions to the AWS service.

AWS Secret

Defines the secret access key assigned to the account with the relevant permissions to the AWS service.

IAM Role

Defines the Identity and Access Management (IAM) role name for the AWS service connection.

Use External Vault

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request before a timeout occurs.

Default: 20

Azure Logic Apps Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for Azure Logic Apps.

The following table describes the Azure Logic Apps connection profile parameters.

Parameter

Authentication Method

Description

Subscription ID

Service Principal

Managed Identity

Defines the Azure account ID of your organization.

Authentication Method

Service Principal

Managed Identity

Determines one of the following authentication methods:Service Principal: Access protected Azure services and resources based on roles assigned to the Service Principal by the Azure administrator. The Service Principal is also known as an App Registration. Use this method if the Control-M/Agent is installed on-premises or with another (non-Azure) cloud vendor.Managed Identity: Access protected Azure services and resources using a key created and managed by the Azure platform, without login credentials. Use this method if the Control-M/Agent is installed on an Azure virtual machine that has a Managed Identity with the required permissions.

Specify Managed Identity Client ID

Managed Identity

Determines whether the Managed Identity is specified by the Managed Identity Client ID parameter.

Toggle on this option when you use the Managed Identity authentication method and your Azure virtual machine has multiple Managed Identities.

Managed Identity Client ID

Managed Identity

Defines the client ID of the Managed Identity that is used for access. If only one Managed Identity is defined on your Azure virtual machine, it is detected automatically, and you can leave this parameter empty.

Resource Group

Service Principal

Managed Identity

Defines the Azure Resource Group container that holds related service resources.

Tenant ID

Service Principal

Defines the Azure tenant ID for your organization.

Application ID

Service Principal

Defines the Registered App for the Azure service in your Microsoft Entra/Azure AD tenant. The corresponding Service Principal must be assigned the Owner or Contributor role for the Azure service.

Client Secret

Service Principal

Defines the password associated with the Service Principal/registered application.

Azure Login URL

Service Principal

Managed Identity

Defines the base URL of the Microsoft Entra/Azure AD authentication endpoint.Default:https://login.microsoftonline.com

https://login.microsoftonline.com

Use External Vault

Service Principal

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Connection Timeout

Service Principal

Managed Identity

Determines the number of seconds to wait after Control-M initiates a connection request before a timeout occurs.

Default: 50

GCP Composer Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for GCP Composer.

The following table describes GCP Composer connection profile parameters.

Parameter

Description

GCP Composer URL

Defines the GCP authentication endpoint for GCP Composer.

https://c2b6dd3a789740c087b09992a7df889d-example.composer.googleusercontent.com

Identity Type

Determines one of the following authentication types using GCP Access Control:

  • Service Account: Authenticates using an application ID (service account) and client secret.

  • IAM: Authenticates based on a detected IAM role, which removes the need to provide additional credentials.

IAM is available on GCP VMs only.

Service Account Key

(Service Account) Defines a service account that is associated with an RSA key pair.

Use External Vault

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request before a timeout occurs.

Default: 30

GCP Workflows Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for GCP Workflows.

The following table describes GCP Workflows connection profile parameters.

Parameter

Description

Identity Type

Determines one of the following authentication types using GCP Access Control:

  • Service Account: Authenticates using an application ID (service account) and client secret.

  • IAM: Authenticates based on a detected IAM role, which removes the need to provide additional credentials.

GCP API URL

(Service Account) Defines the Google Cloud Platform (GCP) authentication endpoint for GCP Workflows.

https://workflowexecutions.googleapis.com

Service Account Key

(Service Account) Defines a service account that is associated with an RSA key pair.

Use External Vault

Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request before a timeout occurs.

Default: 20