Container Orchestration Connection Profiles

The following topics describe the connection profile parameters for container orchestration:

AWS ECS Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for AWS ECS.

The following table describes the AWS ECS connection profile parameters.

| Parameter | Description |
|---|---|
| AWS ECS URL | Defines the AWS ECS authentication endpoint. Example: https://ecs.us-east-1.amazonaws.com |
| Cloud Watch URL | Defines the Cloud Watch authentication endpoint. Example: https://logs.us-east-1.amazonaws.com |
| AWS Region | Determines the region where the AWS ECS jobs are located. Example: us-east-1 |
| Authentication Method | Determines one of the following authentication methods: • AWS Key & Secret: Authenticates with an AWS access key and secret, which are used for services outside the AWS infrastructure. • AWS IAM Role: Authenticates with an AWS IAM role from within the AWS infrastructure, which removes the need to provide additional credentials. |
| AWS Access Key | Defines the AWS ECS account access key. |
| AWS Secret | Defines the AWS ECS account secret access key. |
| AWS IAM Role | Defines the Identity and Access Management (IAM) role name for the AWS ECS connection. |
| Use External Vault | Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles. |
| Connection Timeout | Determines the number of seconds to wait after Control-M initiates a connection request before a timeout occurs. Default: 30 |

AWS App Runner Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for AWS App Runner.

The following table describes the AWS App Runner connection profile parameters.

| Parameter | Description |
|---|---|
| AWS App Runner URL | Defines the AWS App Runner authentication endpoint. Example: https://apprunner.us-east-1.amazonaws.com |
| AWS Region | Determines the region where the AWS App Runner jobs are located. Example: us-east-1 |
| Authentication Method | Determines one of the following authentication methods: • AWS Key & Secret: Authenticates with an AWS access key and secret, which are used for services outside the AWS infrastructure. • AWS IAM Role: Authenticates with an AWS IAM role from within the AWS infrastructure, which removes the need to provide additional credentials. |
| AWS Access Key | Defines the AWS App Runner account access key. |
| AWS Secret | Defines the AWS App Runner account secret access key. |
| IAM Role | Defines the Identity and Access Management (IAM) role name for the AWS App Runner connection. |
| Use External Vault | Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles. |
| Connection Timeout | Determines the number of seconds to wait after Control-M initiates a connection request before a timeout occurs. Default: 20 |

Azure Container Instances Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for Azure Container Instances.

The following table describes the Azure Container Instances connection profile parameters.

| Parameter | Identity Type | Description |
|---|---|---|
| Subscription ID | Service Principal, Managed Identity | Defines the Azure account ID of your organization. |
| Authentication Method | Service Principal, Managed Identity | Determines one of the following authentication methods: • Service Principal: Access protected Azure services and resources based on roles assigned to the Service Principal by the Azure administrator. The Service Principal is also known as an App Registration. Use this method if the Control-M/Agent is installed on-premises or with another (non-Azure) cloud vendor. • Managed Identity: Access protected Azure services and resources using a key created and managed by the Azure platform, without login credentials. Use this method if the Control-M/Agent is installed on an Azure virtual machine that has a Managed Identity with the required permissions. |
| Specify Managed Identity Client ID | Managed Identity | Determines whether the Managed Identity is specified by the Managed Identity Client ID parameter. Toggle on this option when you use the Managed Identity authentication method and your Azure virtual machine has multiple Managed Identities. |
| Managed Identity Client ID | Managed Identity | Defines the client ID of the Managed Identity that is used for access. If only one Managed Identity is defined on your Azure virtual machine, it is detected automatically, and you can leave this parameter empty. |
| Tenant ID | Service Principal | Defines the Azure tenant ID for your organization. |
| Application ID | Service Principal | Defines the Registered App for the Azure service in your Microsoft Entra/Azure AD tenant. The corresponding Service Principal must be assigned the Owner or Contributor role for the Azure service. |
| Client Secret | Service Principal | Defines the password associated with the Service Principal/registered application. |
| Use External Vault | Service Principal | Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles. |
| Login URL | Service Principal, Managed Identity | Defines the base URL of the Microsoft Entra/Azure AD authentication endpoint. Default: https://login.microsoftonline.com |
| Management URL | Service Principal, Managed Identity | Defines the Azure service endpoint that enables you to perform API calls and retrieve the token for authentication. Default: https://management.azure.com Do not change the default value unless you are required to by your Azure Administrator. |
| Connection Timeout | Service Principal, Managed Identity | Determines the number of seconds to wait after Control-M initiates a connection request before a timeout occurs. Default: 50 |

GCP Cloud Run Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Control-M for GCP Cloud Run.

The following table describes the GCP Cloud Run connection profile parameters.

| Parameter | Description |
|---|---|
| Identity Type | Determines one of the following authentication types using GCP Access Control: • Service Account: Authenticates using an application ID (service account) and client secret. • IAM: Authenticates based on a detected IAM role, which removes the need to provide additional credentials. |
| Cloud Run URL | Defines the Google Cloud Platform (GCP) authentication endpoint for Cloud Run. Example: https://run.googleapis.com |
| Service Account Key | (Service Account) Defines a service account that is associated with an RSA key pair. |
| Use External Vault | Determines whether to retrieve secret parameter values from an external vault, as described in CyberArk Secret Parameters in Connection Profiles. |
| Connection Timeout | Determines the number of seconds to wait after Control-M initiates a connection request before a timeout occurs. Default: 20 seconds |

Kubernetes Connection Profile Parameters

Before you can define a job, you must create a connection profile in the Configuration domain. A connection profile contains authorization credentials—such as the username, password, and other plug-in-specific parameters—and enables you to connect to the application server with only the connection profile name. To create a connection profile, see Creating a Centralized Connection Profile.

For more information about this plug-in, see Helix Control-M for Kubernetes.

The following table describes the Kubernetes connection profile parameters.

| Parameter | Description |
|---|---|
| Namespace | Defines the name of the Kubernetes namespace. |
| Spec Endpoint URL | Defines an endpoint URL if you want the Kubernetes job spec to be retrieved from a remote location at the time of job execution (instead of uploading the job spec YAML file during job definition). |
| Authentication Type | Determines the type of authentication to use for the connection to the endpoint URL for remote retrieval of the Kubernetes job spec: • None • Basic • OAuth2 • AWS • Google |
| User Name | (Basic authentication) Defines the basic authentication username. |
| Password | (Basic authentication) Defines the basic authentication password. |
| Use preemptive authentication | (Basic authentication) Determines whether to use preemptive authentication. |
| Use basic authentication | (OAuth2) Determines whether to add basic authentication to the OAuth2 authentication. |
| OAuth2 API URL | (OAuth2) Defines the OAuth2 web service URL. |
| Grant Type | (OAuth2) Determines one of the following OAuth2 grant types, which determines the type of communication with the OAuth2 web service: • Client credentials: Requests a client ID and secret. • Password: Requests an additional access token username and password, which provides additional security. |
| Client ID | (OAuth2) Defines the user ID associated with the Web Services REST user and application. |
| Client Secret | (OAuth2) Defines the secret (password) associated with the Web Services REST user and application. |
| User Name | (OAuth2) Defines an additional grant username. |
| Password | (OAuth2) Defines an additional grant |
| Content Type | (OAuth2) Defines the content type. Example: application/x-www-form-urlencoded |
| Headers | (OAuth2) Defines OAuth2 header parameters, as Key:Value pairs. |
| Body | (OAuth2) Defines OAuth2 body parameters, as Key:Value pairs. |
| Region | (AWS) Defines the AWS region. Example: eu-west-2 |
| Custom Service Name | (AWS) Defines the AWS service to access. |
| Authentication Method | (AWS) Determines one of the following authentication methods: • IAM Role: Authenticates with an AWS IAM role from within the AWS infrastructure. • Access & Secret Keys: Authenticates with an AWS access key and secret. |
| IAM Role | (AWS) Defines the Identity and Access Management (IAM) role name for the AWS connection. |
| Access Key | (AWS) Defines the AWS account access key. |
| Secret Access Key | (AWS) Defines the AWS account secret access key. |
| Token Type | (Google) Determines one of the following token types for GCP Access Control: • Access token • Identity token |
| Service Account Key | (Google) Defines a service account that is associated with an RSA key pair. |
| Use External Vault | Determines whether to locate and retrieve a secret from an external vault, as described in CyberArk Secret Parameters in Connection Profiles. |
| Kubernetes Cluster URL | Defines the URL for the connection to the Kubernetes cluster. Default: https://kubernetes.default.svc |
| Service Token File | Defines the path to the token file for the connection to Kubernetes. Default: /var/run/secrets/kubernetes.io/serviceaccount/token |
| Connection Timeout | Determines the number of seconds to wait after Control-M initiates a connection request to Kubernetes before a timeout occurs. Default: 50 seconds |
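
A review check over the parameters in the tables above, written as an added example that is not part of the Control-M documentation or product. It assumes each profile is available as a dict keyed by the parameter names on this page (a hypothetical representation, not Control-M's export format); the rules and the sample values are constructed for illustration.

```python
from urllib.parse import urlparse

# Parameters in the tables above that hold secret values.
SECRET_PARAMS = {"AWS Secret", "Secret Access Key", "Client Secret",
                 "Password", "Service Account Key"}

def audit_profile(name, params):
    """Return findings for one profile. `params` is a hypothetical dict keyed
    by the parameter names on this page, not Control-M's own export format."""
    findings = []
    region = params.get("AWS Region") or params.get("Region")
    for key, value in params.items():
        if not key.endswith("URL") or not value:
            continue
        url = urlparse(value)
        host = url.hostname or ""
        if url.scheme != "https":
            findings.append(f"{name}: {key} is not HTTPS")
        if region and host.endswith(".amazonaws.com") and f".{region}." not in host:
            findings.append(f"{name}: {key} host does not match region {region}")
    inline = sorted(k for k in SECRET_PARAMS if params.get(k))
    if inline and not params.get("Use External Vault"):
        findings.append(f"{name}: {', '.join(inline)} kept in the profile "
                        "while Use External Vault is off")
    if params.get("Spec Endpoint URL") and \
            params.get("Authentication Type", "None") == "None":
        findings.append(f"{name}: job spec fetched remotely with "
                        "Authentication Type None")
    return findings

# Constructed sample profiles; every value is made up for this example.
SAMPLES = {
    "ECS_KEYS": {"AWS ECS URL": "https://ecs.us-east-1.amazonaws.com",
                 "AWS Region": "us-west-2",
                 "Authentication Method": "AWS Key & Secret",
                 "AWS Access Key": "EXAMPLE-KEY-ID",
                 "AWS Secret": "example-secret",
                 "Use External Vault": False},
    "ECS_ROLE": {"AWS ECS URL": "https://ecs.us-east-1.amazonaws.com",
                 "AWS Region": "us-east-1",
                 "Authentication Method": "AWS IAM Role",
                 "AWS IAM Role": "example-role"},
    "K8S_SPEC": {"Spec Endpoint URL": "http://specs.example.internal/job.yaml",
                 "Authentication Type": "None",
                 "Kubernetes Cluster URL": "https://kubernetes.default.svc"},
}

if __name__ == "__main__":
    for profile, params in SAMPLES.items():
        for finding in audit_profile(profile, params):
            print(finding)
```

The role-based profile produces no findings; the key-based profile is flagged for the region mismatch and the secret held outside a vault, and the Kubernetes profile for a job spec fetched over plain HTTP with no authentication.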