Container Orchestration Connection Profiles
The following topics describe the connection profile parameters for container orchestration:
AWS ECS Connection Profile Parameters
Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.
For more information about this plug-in, see
The following table describes the AWS ECS connection profile parameters.
Parameter | Description |
---|---|
AWS ECS URL | Defines the AWS ECS authentication endpoint. https://ecs.us-east-1.amazonaws.com |
Cloud Watch URL | Defines the Cloud Watch authentication endpoint. https://logs.us-east-1.amazonaws.com |
AWS Region | Determines the region where the AWS ECS jobs are located. us-east-1 |
Authentication Method | Determines one of the following authentication methods: |
AWS Access Key | Defines the AWS ECS account access key. |
AWS Secret | Defines the AWS ECS account secret access key. |
AWS IAM Role | Defines the Identity and Access Management (IAM) role name for the AWS ECS connection. |
Use External Vault | Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles. |
Connection Timeout | Determines the number of seconds to wait after Control-M initiates a connection request to AWS ECS before a timeout occurs. Default: 30 |
AWS App Runner Connection Profile Parameters
Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.
For more information about this plug-in, see Control-M for AWS App Runner.
The following table describes the AWS App Runner connection profile parameters.
Parameter | Description |
---|---|
AWS App Runner URL | Defines the AWS App Runner authentication endpoint. https://apprunner.us-east1.amazonaws.com |
AWS Region | Determines the region where the AWS App Runner jobs are located. us-east-1 |
Authentication Method | Determines one of the following authentication methods: |
AWS Access Key | Defines the AWS App Runner account access key. |
AWS Secret | Defines the AWS App Runner account secret access key. |
IAM Role | Defines the Identity and Access Management (IAM) role name for the AWS App Runner connection. |
Use External Vault | Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles. |
Connection Timeout | Determines the number of seconds to wait after Control-M initiates a connection request to AWS App Runner before a timeout occurs. Default: 20 |
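
The following Python check is an added example, not Control-M code: it verifies that each AWS endpoint URL in an AWS ECS or AWS App Runner profile uses HTTPS and names the same region as the AWS Region parameter. Holding the parameters in a dict keyed by the table labels, and the `<service>.<region>.amazonaws.com` host shape, are assumptions of the example.

```python
from urllib.parse import urlsplit

# Parameter labels are the ones in the tables on this page; holding them in a
# dict is an assumption of this example, not Control-M's storage format.
URL_PARAMS = ("AWS ECS URL", "Cloud Watch URL", "AWS App Runner URL")


def endpoint_region(url):
    """Return the region label of https://<service>.<region>.amazonaws.com, else None."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname is None:
        return None
    labels = parts.hostname.lower().split(".")
    if len(labels) != 4 or labels[2:] != ["amazonaws", "com"]:
        return None
    return labels[1]


def check_profile(profile):
    """Return a list of findings for one AWS connection profile."""
    findings = []
    region = profile.get("AWS Region", "")
    for name in URL_PARAMS:
        url = profile.get(name)
        if url is None:
            continue  # parameter is not part of this profile type
        found = endpoint_region(url)
        if found is None:
            findings.append(f"{name}: not an HTTPS regional AWS endpoint: {url}")
        elif found != region:
            findings.append(f"{name}: region '{found}' does not match AWS Region '{region}'")
    return findings


# Constructed sample profiles using the example values shown in the tables.
ECS_PROFILE = {
    "AWS ECS URL": "https://ecs.us-east-1.amazonaws.com",
    "Cloud Watch URL": "https://logs.us-east-1.amazonaws.com",
    "AWS Region": "us-east-1",
}
APP_RUNNER_PROFILE = {
    "AWS App Runner URL": "https://apprunner.us-east1.amazonaws.com",
    "AWS Region": "us-east-1",
}

if __name__ == "__main__":
    for label, prof in (("ECS", ECS_PROFILE), ("App Runner", APP_RUNNER_PROFILE)):
        print(label, check_profile(prof) or "ok")
```

Run on the example values from the two AWS tables, it passes the ECS profile and reports the App Runner URL, whose host reads us-east1 while the region parameter reads us-east-1.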
Azure Container Instances Connection Profile Parameters
Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.
For more information about this plug-in, see Control-M for Azure Container Instances.
The following table describes the Azure Container Instances connection profile parameters.
Parameter | Identity Type | Description |
---|---|---|
Subscription ID | All Types | Defines the Azure account subscription ID, which is located in the Azure portal. |
Authentication Method | NA | Determines one of the following authentication methods to connect to Azure Container Instance: Managed Identity authentication is based on an Azure token that is valid for 24 hours, by default. You can extend the Token lifetimes in Azure. |
Specify Managed Identity Client ID | Managed Identity | Determines whether the client ID for the managed identity is specified by the Managed Identity Client ID parameter. Use this option if your Azure virtual machine has multiple managed identities. |
Managed Identity Client ID | Managed Identity | Determines which client ID to use as the managed identity. You only need to complete this field if your Azure virtual machine instance has multiple managed identities and you have selected the Specify Managed Identity Client ID checkbox. If you only have one ID, it is detected automatically. |
Tenant ID | Service Principal | Defines the Tenant ID where the Azure Container instance is created. |
Application ID | Service Principal | Defines the Azure application ID of a Service Principal that has access to interact with Azure Container instances. The service principal must be an Azure Container Instance workspace user with a Contributor or Owner role. |
Client Secret | Service Principal | Defines the password associated with the Azure user and the application. |
Use External Vault | All Types | Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles. |
Login URL | All Types | Defines the Azure AD authentication endpoint base URL. https://login.microsoftonline.com Do not change the default value unless you are required to by your Azure Administrator. |
Management URL | All Types | Defines the Azure service endpoint that enables you to perform API calls and retrieve the token for authentication. Default: https://management.azure.com Do not change the default value unless you are required to by your Azure Administrator. |
Connection Timeout | All Types | Determines the number of seconds to wait after Control-M initiates a connection request to Azure Container Instances before a timeout occurs. Default: 50 |
GCP Cloud Run Connection Profile Parameters
Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.
For more information about this plug-in, see Control-M for GCP Cloud Run.
The following table describes the GCP Cloud Run connection profile parameters.
Parameter | Description |
---|---|
Identity Type | Determines one of the following authentication types using GCP Access Control: |
Cloud Run URL | Defines the Google Cloud Platform (GCP) authentication endpoint for Cloud Run. https://run.googleapis.com |
Service Account Key | (Service Account) Defines a service account that is associated with an RSA key pair. |
Use External Vault | Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles. |
Connection Timeout | Determines the number of seconds to wait after Control-M initiates a connection request to GCP Cloud Run before a timeout occurs. Default: 20 seconds |
Kubernetes Connection Profile Parameters
Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.
For more information about this plug-in, see
The following table describes the Kubernetes connection profile parameters.
Parameter | Description |
---|---|
Namespace | Defines the name of the Kubernetes namespace. |
Spec Endpoint URL | Defines an endpoint URL if you want the Kubernetes job spec to be retrieved from a remote location at the time of job execution (instead of uploading the job spec YAML file during job definition). |
Authentication Type | Determines the type of authentication to use for the connection to the endpoint URL for remote retrieval of the Kubernetes job spec: |
User Name | (Basic authentication) Defines the basic authentication username. |
Password | (Basic authentication) Defines the basic authentication password. |
Use preemptive authentication | (Basic authentication) Determines whether to use preemptive authentication. |
Use basic authentication | (OAuth2) Determines whether to add basic authentication to the OAuth2 authentication. |
OAuth2 API URL | (OAuth2) Defines the OAuth2 web service URL. |
Grant Type | (OAuth2) Determines one of the following OAuth2 grant types, which determines the type of communication with the OAuth2 web service: |
Client ID | (OAuth2) Defines the user ID associated with the Web Services REST user and application. |
Client Secret | (OAuth2) Defines the secret (password) associated with the Web Services REST user and application. |
User Name | (OAuth2) Defines an additional grant username. |
Password | (OAuth2) Defines an additional grant |
Content Type | (OAuth2) Defines the content type. application/x-www-form-urlencoded |
Headers | (OAuth2) Defines OAuth2 header parameters, as Key:Value pairs. |
Body | (OAuth2) Defines OAuth2 body parameters, as Key:Value pairs. |
Region | (AWS) Defines the AWS region. eu-west-2 |
Custom Service Name | (AWS) Defines the AWS service to access. |
Authentication Method | (AWS) Determines one of the following authentication methods: |
IAM Role | (AWS) Defines the Identity and Access Management (IAM) role name for the AWS connection. |
Access Key | (AWS) Defines the AWS account access key. |
Secret Access Key | (AWS) Defines the AWS account secret access key. |
Token Type | (Google) Determines one of the following token types for GCP Access Control: |
Service Account Key | (Google) Defines a service account that is associated with an RSA key pair. |
Use External Vault | Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles. |
Kubernetes Cluster URL | Defines the URL for the connection to the Kubernetes cluster. Default: https://kubernetes.default.svc |
Service Token File | Defines the path to the token file for the connection to Kubernetes. Default: /var/run/secrets/kubernetes.io/serviceaccount/token |
Connection Timeout | Determines the number of seconds to wait after Control-M initiates a connection request to Kubernetes before a timeout occurs. Default: 50 seconds |