Cloud Computing Connection Profiles

The following topics describe the connection profile parameters for cloud computing platforms and services:

AWS Connection Profile Parameters (Deprecated)

This connection profile is for the Control-M for AWS job type. This job type is deprecated. For migration information, see Control-M for AWS Plug-in Migration Tool.

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

The following table describes the AWS connection profile parameters.

Parameter Description

Region

Determines the region where the AWS jobs are located.

Authentication Method

Determines one of the following authentication methods:

  • AWS Key & Secret: Authenticates with an AWS access key and secret, which are used for services outside the AWS infrastructure.

  • AWS IAM Role: Authenticates with an AWS IAM role from within the AWS infrastructure, which removes the need to provide additional credentials.

Access Key

Defines the AWS account access key.

Secret Access Key

Defines the AWS account secret access key.

IAM Role

Defines the Identity and Access Management (IAM) role name for the AWS Batch connection.

Use Proxy

Determines whether a proxy server is installed for access to AWS.

Host

Defines a proxy Hostname.

Port

Determines a proxy host port number between 1024 and 65535.

Username

Defines a username, which connects to the proxy server.

Password

Defines a password, which connects to the proxy server.

AWS Batch Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for AWS Batch.

The following table describes the AWS Batch connection profile parameters.

Parameter

Description

Batch URL

Defines the AWS Batch service endpoint.

https://batch.eu-west-2.amazonaws.com

AWS Region

Determines the region where the AWS Batch resources are located.

For more information about regional endpoints available for the AWS Batch service, refer to the AWS documentation.

eu-west-2

Authentication

Determines one of the following authentication methods:

  • AWS Key & Secret: Authenticates with an AWS access key and secret, which are used for services outside the AWS infrastructure.

  • AWS IAM Role: Authenticates with an AWS IAM role from within the AWS infrastructure, which removes the need to provide additional credentials.

AWS IAM Role is currently not supported for this plug-in on ECS container instances and for EKS services.

AWS Access Key

Defines the AWS Batch account access key.

AWS Secret

Defines the AWS Batch account secret access key.

IAM Role

Defines the Identity and Access Management (IAM) role name for the AWS Batch connection.

Use External Vault

Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request to AWS Batch before a timeout occurs.

Default: 20

AWS EC2 Virtual Machine Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for AWS EC2.

The following table describes the AWS EC2 Virtual Machine connection profile parameters.

Parameter

Description

EC2 Region

Determines the location of the AWS user.

us-east-1

Authentication

Determines one of the following authentication methods:

  • AWS Key & Secret: Authenticates with an AWS access key and secret, which are used for services outside the AWS infrastructure.

  • AWS IAM Role: Authenticates with an AWS IAM role from within the AWS infrastructure, which removes the need to provide additional credentials.

EC2 Access Key

(AWS Key) Defines the Access key ID for connection to AWS.

EC2 Secret Key

(AWS Key) Defines the secret access key for connection to AWS.

IAM Role

(AWS Role) Defines the IAM Role for connection to AWS.

Use External Vault

Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request to AWS EC2 before a timeout occurs.

Default: 20

AWS Lambda Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for AWS Lambda.

The following table describes the AWS Lambda connection profile parameters.

Parameter

Description

Lambda URL

Defines the authentication endpoint for AWS Lambda, based on the following format:

https://lambda.<AWS_Region>.amazonaws.com

https://lambda.eu-west-2.amazonaws.com

AWS Region

Determines the region where the AWS Lambda resources are located.

eu-west-2

Authentication

Determines one of the following authentication methods:

  • AWS Key & Secret: Authenticates with an AWS access key and secret, which are used for services outside the AWS infrastructure.

  • AWS IAM Role: Authenticates with an AWS IAM role from within the AWS infrastructure, which removes the need to provide additional credentials.

AWS IAM Role is currently not supported for this plug-in on ECS container instances and for EKS services.

AWS Access Key ID

(AWS Key) Defines the Access key ID to connect to AWS.

AWS Secret

(AWS Key) Defines the secret access key to connect to AWS.

IAM Role

(AWS IAM Role) Defines the IAM Role to name connect to AWS.

Use External Vault

Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request to AWS Lambda before a timeout occurs.

The connection timeout in Control-M must be longer than the connection timeout that is set in AWS Lambda.

Default: 1,800

Azure Batch Accounts Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for Azure Batch Accounts.

The following table describes the Azure Batch Accounts connection profile parameters.

Parameter

Description

Azure AD URL

(Service Principal) Defines the Azure AD authentication endpoint base URL.

https://login.microsoftonline.com

Authentication Method

Determines one of the following authentication methods to connect to Azure Logic Apps:

  • Service Principal: An Azure service principal, also known as an App Registration, is an identity created to use applications, hosted services, and automated tools that access Azure resources. This access is restricted by the roles assigned to the service principal, which gives the Azure Administrator control over which resources are accessed and at which level. Use this option if the Agent is installed on-premises or with any other cloud vendor.

  • Managed Identity: Enables you to access other Azure Active-Directory-protected resources. The identity is managed by the Azure platform. You do not need to provide credentials within Control-M. Use this option if the Agent is installed on an Azure virtual machine that has an assigned a Managed Identity with the required permissions.

    Managed Identity authentication is based on an Azure token that is valid for 24 hours, by default. You can extend the Token lifetimes in Azure.

Specify Managed Identity Client ID

(Managed Identity) Determines whether the client ID for the managed identity is specified by the Managed Identity Client ID parameter.

Managed Identity Client ID

(Managed Identity) Determines which client ID to use as the managed identity.

You must complete this field only if your Azure virtual machine has multiple Managed Identities and you have selected the Specify Managed Identity Client ID checkbox. If you only have one client ID, it is detected automatically.

Tenant ID

(Service Principal) Defines the tenant ID.

App ID

(Service Principal) Defines the application ID of the registered application.

The service principal must be an Azure Batch Accounts workspace user with a Contributor or Owner role.

Client Secret

(Service Principal) Defines the password associated with the Azure user and the application.

Batch Resource URL

Defines the identifier for the Azure Batch account for login via Azure AD.

This identifier is a constant value set to https://batch.core.windows.net/

Batch Account Name

Defines the name of the batch account created in Azure Portal.

Batch Region ID

Determines the region ID associated with the Batch account in Azure Portal.

uksouth

Use External Vault

Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request to Azure Batch Accounts before a timeout occurs.

Default: 50

Azure Functions Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for Azure Functions.

The following table describes the Azure Functions connection profile parameters.

Parameter

Identity Type

Description

Subscription ID

  • Service Principal

  • Managed Identity

Defines the Azure account subscription ID, which is located in the Azure portal.

Identity Type

NA

Determines one of the following authentication methods to connect to Azure Functions:

  • Service Principal: An Azure service principal, also known as an App Registration, is an identity created to use applications, hosted services, and automated tools that access Azure resources. This access is restricted by the roles assigned to the service principal, which gives the Azure Administrator control over which resources are accessed and at which level. Use this option if the Agent is installed on-premises or with any other cloud vendor.

  • Managed Identity: Enables you to access other Azure Active-Directory-protected resources. The identity is managed by the Azure platform. You do not need to provide credentials within Control-M. Use this option if the Agent is installed on an Azure virtual machine that has an assigned a Managed Identity with the required permissions.

    Managed Identity authentication is based on an Azure token that is valid for 24 hours, by default. You can extend the Token lifetimes in Azure.

  • Function App ID: Authenticates using the Azure built-in authentication service, which is based on the Function Application Web Site and the Custom Application Key.

Specify Managed Identity Client ID

Managed Identity

Determines whether the client ID for the managed identity is specified by the Managed Identity Client ID parameter.

Managed Identity Client ID

Managed Identity

Determines which client ID to use as the managed identity.

You only need to complete this field if your Azure virtual machine has multiple managed identities and you have selected the Specify Managed Identity Client ID checkbox. If you only have one ID, it is detected automatically.

Tenant ID

  • Service Principal

  • Function App ID

Defines the Tenant ID.

Resource Group

  • Service Principal

  • Managed Identity

Defines the name of the resource group that holds the application.

Application ID

  • Service Principal

  • Function App ID

Defines the application ID of the registered application.

The service principal must be an Azure Functions workspace user with a Contributor or Owner role.

Client Secret

  • Service Principal

  • Function App ID

Defines the password associated with the Azure user and the application.

Azure Login URL

  • Service Principal

  • Function App ID

Defines the Azure AD authentication endpoint base URL.

https://login.microsoftonline.com

Function App Web Site

Function App ID

Defines the Azure Function Application website name.

Default: azurewebsites.net

Custom App Key

Function App ID

Defines the Custom Application Key, which identifies the Azure Function Application that you want to execute.

API Version

All Types

Determines which REST API version to use.

Use External Vault

 

Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Connection Timeout All Types

Determines the number of seconds to wait after Control-M initiates a connection request to Azure Batch Accounts before a timeout occurs.

Default: 60

Azure Virtual Machine Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for Azure Virtual Machine.

The following table describes the Azure Virtual Machine connection profile parameters.

Parameter

Description

Subscription ID

Defines the Azure account subscription ID.

You can retrieve the subscription ID from the Subscription menu in the Azure portal.

Authentication Method

Determines one of the following authentication types:

  • Managed Identity: Authenticates using an Azure Active Directory token, which removes the need to provide additional credentials.

  • Service Principal: Authenticates using an application ID (service account) and client secret.

Specify Managed Identity Client ID

(Managed Identity) Determines whether the client ID for your Managed Identity is defined by the Managed Identity Client ID parameter.

Select this check box if you are using the Managed Identity authentication method and you have multiple Managed Identities defined on your Azure virtual machine.

Managed Identity Client ID

(Managed Identity) Determines which client ID to use as the Managed Identity.

This parameter requires a value only if you have multiple Managed Identities defined on your Azure virtual machine and you selected the Specify Managed Identity Client ID check box.

If you have only one Managed Identity, it is detected automatically.

Managed Identity authentication is based on an Azure token that is valid, by default, for 24 hours. Token lifetime can be extended by Azure.

Tenant ID

(Service Principal) Defines the Azure Tenant ID in the Azure Virtual Machine.

Resource Group

Defines the name of the resource group where the function app is located.

Application ID

(Service Principal) Defines the application (service principal) ID of the registered application for the Azure Virtual Machine.

The service principal must be an Azure Functions workspace user with a Contributor or Owner role associated.

Client Secret

(Service Principal) Defines the client secret (password) associated with the Azure user and the application.

Azure Login URL

(Service Principal) Defines the Azure VM authentication endpoint base URL.

https://login.microsoftonline.com

Use External Vault

Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request to Azure VM before a timeout occurs.

Default: 20

GCP Batch Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for GCP Batch.

The following table describes the GCP Batch connection profile parameters.

Parameter

Description

Identity Type

Determines one of the following authentication types using GCP Access Control:

  • Service Account: Authenticates using an application ID (service account) and client secret.

  • IAM: Authenticates based on a detected IAM role, which removes the need to provide additional credentials.

Batch URL

Defines the Google Cloud Platform (GCP) authentication endpoint for GCP Batch.

Default: https://batch.googleapis.com

Service Account Key

(Service Account) Defines a service account that is associated with an RSA key pair.

Use External Vault

Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request to GCP Batch before a timeout occurs.

Default: 20

GCP Functions Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for GCP Functions.

The following table describes the GCP Cloud Functions connection profile parameters.

Parameter

Description

Identity Type

Determines one of the following authentication types using GCP Access Control:

  • Service Account: Authenticates using an application ID (service account) and client secret.

  • IAM: Authenticates based on a detected IAM role, which removes the need to provide additional credentials.

GCP API URL

Defines the Google Cloud Platform (GCP) authentication endpoint for Cloud Functions.

https://cloudfunctions.googleapis.com

Service Account Key

(Service Account) Defines a service account that is associated with an RSA key pair.

Use External Vault

Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request to GCP Cloud Functions before a timeout occurs.

Default: 20

GCP Virtual Machine Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for GCP Virtual Machine.

The following table describes the GCP Virtual Machine connection profile parameters.

Parameter

Description

Identity Type

Determines one of the following authentication types using GCP Access Control:

  • Service Account: Authenticates using an application ID (service account) and client secret.

  • IAM: Authenticates based on a detected IAM role, which removes the need to provide additional credentials.

GCP URL

Defines the Google Cloud Platform (GCP) authentication endpoint.

https://compute.googleapis.com/compute

Service Account Key

(Service Account) Defines a service account that is associated with an RSA key pair.

Use External Vault

Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request to GCP Virtual Machine before a timeout occurs.

Default: 20

OCI Functions Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for OCI Functions.

The following table describes the OCI Functions connection profile parameters.

Parameter

Description

OCI Functions URL

Defines the OCI Functions URL, in the following format:

https://functions.<region>.oci.oraclecloud.com

OCI Region

Determines the region where OCI Functions is located.

ux-phoenix-1

Authentication

Determines one of the following authentication methods to connect to OCI Functions:

  • Defined Parameters: Defines authentication parameters in the connection profile.

  • Configuration File: Uses a configuration file that contains authentication information and is stored on the Control-M/Agent.

The following example of a configuration file defines two profiles: DEFAULT for Linux and PROFILE2 for Windows.

Copy
[DEFAULT] 
user=ocid1.user.oc1..aaaaaaaa4vcihdfhrdtyry457245636cqqcljd6yrcukszg7gzoymoyvkyupivpjfnq
tenancy=ocid1.tenancy.oc1..aaa456y4e3yrtyue9f8djfihhwp2cu4e6t2b7lttna7rcgnhrdi4qzika
fingerprint=9f:af:df:f5:5g:95:92:7c:34:ab:46:d3:b4:30:e6:9e
region=us-phoenix-1
key_file=/home/dbauser/key.pem 

[PROFILE2] 
user=ocid1.user.oc1..aaaaaaaa4v768679dfhrd8989JHGJG36cqqcljd6yrcukszg7gzoymoyvkyupivpjfnq
tenancy=ocid1.tenancy.oc1..aaa456y4e3yrtyue987erum,gfwp2cu4e6t2b7lttna7rcgnhrdi4qzika
fingerprint=9f:af:c0:f5:7b:95:92:7c:03:a5:46:g3:b4:38:e6:9e
region=us-phoenix-1
key_file=C:\\Users\\dbauser\\key.pem

User OCID

(Defined Parameters) Defines an individual user within the OCI environment.

Tenancy OCID

(Defined Parameters) Defines the OCI Tenancy ID in OCI Functions, which is a global unique identifier for this account within the OCI environment.

Fingerprint

(Defined Parameters) Defines a fingerprint that is used to uniquely identify and verify the integrity of the associated certificate or key.

Private Key

(Defined Parameters) Defines the Private key within a set of API signing keys that are used for authentication and secure access to OCI resources.

Use External Vault

Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Config File Path

(Configuration File) Defines the path to the configuration file that contains authentication information. This file is stored on the Control-M/Agent.

Profile

(Configuration File) Defines the name of a specific section in the configuration file, such as, DEFAULT or PROFILE2 in the code sample above.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request to OCI Functions before a timeout occurs.

Default: 30

OCI VM Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for OCI VM.

The following table describes the OCI Virtual Machine connection profile parameters.

Parameter

Description

OCI Instances URL

Defines the OCI Instances URL, in the following format:

https://iaas.<Region>.oraclecloud.com/20160918

OCI Region

Determines the region where the OCI Virtual Machine is located.

ux-phoenix-1

Authentication

Determines one of the following authentication methods:

  • Defined Parameters: Defines authentication parameters in the connection profile.

  • Configuration File: Uses a configuration file that contains authentication information and is stored on the Control-M/Agent.

The following example of a configuration file defines two profiles: DEFAULT for Linux and PROFILE2 for Windows.

Copy
[DEFAULT] 
user=ocid1.user.oc1..aaaaaaaa4vcihdfhrdtyry457245636cqqcljd6yrcukszg7gzoymoyvkyupivpjfnq
tenancy=ocid1.tenancy.oc1..aaa456y4e3yrtyue9f8djfihhwp2cu4e6t2b7lttna7rcgnhrdi4qzika
fingerprint=9f:af:df:f5:5g:95:92:7c:34:ab:46:d3:b4:30:e6:9e
region=us-phoenix-1
key_file=/home/dbauser/key.pem 

[PROFILE2] 
user=ocid1.user.oc1..aaaaaaaa4v768679dfhrd8989JHGJG36cqqcljd6yrcukszg7gzoymoyvkyupivpjfnq
tenancy=ocid1.tenancy.oc1..aaa456y4e3yrtyue987erum,gfwp2cu4e6t2b7lttna7rcgnhrdi4qzika
fingerprint=9f:af:c0:f5:7b:95:92:7c:03:a5:46:g3:b4:38:e6:9e
region=us-phoenix-1
key_file=C:\\Users\\dbauser\\key.pem

User OCID

(Defined Parameters) Defines an individual user within the OCI environment.

Tenancy OCID

(Defined Parameters) Defines the OCI Tenacy ID in the OCI VM, which is a global unique identifier for this account within the OCI environment.

Fingerprint

(Defined Parameters) Defines a fingerprint to uniquely identify and verify the integrity of the associated certificate or key.

Private Key

(Defined Parameters) Defines the Private key within a set of API signing keys that are used for authentication and secure access to OCI resources.

Config File Path

(Configuration File) Defines the path to the configuration file that contains authentication information. This file is stored on the Control-M/Agent.

Profile

(Configuration File) Defines the name of a specific section in the configuration file, for example, DEFAULT and PROFILE2 in the code sample above.

Use External Vault

Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request to OCI VM before a timeout occurs.

Default: 20

VMware By Broadcom Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for VMware By Broadcom.

Parameter

Description

vCenter URL

Defines the URL of the vCenter server.

https://isr-vcenter.Domain.bmc.com

Username

Defines the name of the user to log in to VMware.

Password

Defines the password of the user to log in to VMware.

Connection Timeout

Determines the number of seconds to wait before a timeout occurs after Control-M initiates a connection request to VMware.

Default: 1000