diff --git a/AWSOktaTester/Models/AuthResponse.cs b/AWSOktaTester/Models/AuthResponse.cs
index ff7286e..f2bbb84 100644
--- a/AWSOktaTester/Models/AuthResponse.cs
+++ b/AWSOktaTester/Models/AuthResponse.cs
@@ -1,4 +1,18 @@
-using Newtonsoft.Json;
+// Copyright 2023 Keyfactor
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using Newtonsoft.Json;
namespace AWSOktaTester.Models
{
diff --git a/AWSOktaTester/Program.cs b/AWSOktaTester/Program.cs
index a03379a..0a81318 100644
--- a/AWSOktaTester/Program.cs
+++ b/AWSOktaTester/Program.cs
@@ -1,4 +1,18 @@
-using System;
+// Copyright 2023 Keyfactor
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
using System.Text;
using Amazon;
using Amazon.CertificateManager;
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..8855b4b
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,9 @@
+1.2.0
+* Added OTKA Auth Path to support Authentication Servers outside of the default server.
+
+1.1.0
+* Added AWS IAM Authentication support with Roles
+
+1.0.0
+* Convert to Universal Orchestrator Framework
+* Added OKTA Authentication Support
diff --git a/README.md b/README.md
index 8777e2a..388259e 100644
--- a/README.md
+++ b/README.md
@@ -1,26 +1,24 @@
-# AWS
+# AWS Orchestrator
-AWS Certificate Manager.
+This repository contains a Universal Orchestrator Extension which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications. The Universal Orchestrator is part of the Keyfactor software distribution and is available via the Keyfactor customer portal. For general instructions on installing Extensions, see the “Keyfactor Command Orchestrator Installation and Configuration Guide” section of the Keyfactor documentation. For configuration details of this specific Extension see below in this readme. The Universal Orchestrator is the successor to the Windows Orchestrator. This Orchestrator Extension plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator.
#### Integration status: Production - Ready for use in production environments.
-## About the Keyfactor Universal Orchestrator Capability
-This repository contains a Universal Orchestrator Capability which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications.
+## About the Keyfactor Universal Orchestrator Extension
-The Universal Orchestrator is part of the Keyfactor software distribution and is available via the Keyfactor customer portal. For general instructions on installing Capabilities, see the “Keyfactor Command Orchestrator Installation and Configuration Guide” section of the Keyfactor documentation. For configuration details of this specific Capability, see below in this readme.
+This repository contains a Universal Orchestrator Extension which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications.
-The Universal Orchestrator is the successor to the Windows Orchestrator. This Capability plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator.
+The Universal Orchestrator is part of the Keyfactor software distribution and is available via the Keyfactor customer portal. For general instructions on installing Extensions, see the “Keyfactor Command Orchestrator Installation and Configuration Guide” section of the Keyfactor documentation. For configuration details of this specific Extension see below in this readme.
+The Universal Orchestrator is the successor to the Windows Orchestrator. This Orchestrator Extension plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator.
-## Support for AWS
+## Support for AWS Orchestrator
-AWS is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative.
+AWS Orchestrator
###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.
-___
-
---
@@ -28,10 +26,29 @@ ___
+## Keyfactor Version Supported
+
+The minimum version of the Keyfactor Universal Orchestrator Framework needed to run this version of the extension is 10.1
+
+## Platform Specific Notes
+
+The Keyfactor Universal Orchestrator may be installed on either Windows or Linux based platforms. The certificate operations supported by a capability may vary based what platform the capability is installed on. The table below indicates what capabilities are supported based on which platform the encompassing Universal Orchestrator is running.
+| Operation | Win | Linux |
+|-----|-----|------|
+|Supports Management Add|✓ |✓ |
+|Supports Management Remove|✓ |✓ |
+|Supports Create Store| | |
+|Supports Discovery| | |
+|Supports Renrollment| | |
+|Supports Inventory|✓ |✓ |
+
+
+
+
+
---
-***
## **Configuration**
**Overview**
@@ -57,51 +74,74 @@ AWS Certificate Manager is a service that lets you easily provision, manage, and
## **Installation**
Depending on your choice of authentication providers, choose the appropriate configuration section
-- [Okta Auth Configuration](#aws-certificate-manager-with-okta-auth-configuration)
-- [AWS IAM Auth Configuration](#aws-certificate-manager-with-iam-auth-configuration)
+
+AWS Certificate Manager with Okta Auth Configuration
+
+### AWS Setup
+1. A 3rd party [identity provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html) similar to [this](/Images/AWSIdentityProvider.gif) needs to be setup in AWS for each account.
+2. An Aws [Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) similar to [this](/Images/AWSRole1.gif) needs Added for each AWS account.
+3. Ensure the [trust relationship](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/edit_trust.html) is setup for that role. Should look like [this](/Images/AWSRole2.gif).
+
+### OKTA Setup
+1. Ensure your Authorization Server Is Setup in OKTA. Here is a [sample](/Images/OktaSampleAuthorizationServer.gif).
+2. Ensure the appropriate scopes are setup in Okta. Here is a [sample](/Images/OktaSampleAuthorizationServer-scopes.gif).
+3. Setup an Okta App with similar settings to [this](/Images/OktaApp1.gif) and [this](/Images/OktaApp2.gif).
+
+
+
+Cert Store Type and Cert Store Setup
-# AWS Certificate Manager with Okta Auth Configuration
Cert Store Type Settings
===============
+**Basic Settings:**
+
+CONFIG ELEMENT | VALUE | DESCRIPTION
+--|--|--
+Name | Any Custom Name | Display name for the store type (may be customized)
+Short Name| AWSCerManO | Short display name for the store type
+Custom Capability | N/A | Store type name orchestrator will register with. Check the box to allow entry of value
+Supported Job Types | Inventory, Add, Remove | Job types the extension supports
+Needs Server | Checked | Determines if a target server name is required when creating store
+Blueprint Allowed | Checked | Determines if store type may be included in an Orchestrator blueprint
+Uses PowerShell | Unchecked | Determines if underlying implementation is PowerShell
+Requires Store Password | Unchecked | Determines if a store password is required when configuring an individual store.
+Supports Entry Password | Unchecked | Determines if an individual entry within a store can have a password.
+
+
+**Advanced Settings:**
+
+CONFIG ELEMENT | VALUE | DESCRIPTION
+--|--|--
+Store Path Type | Freeform | Determines what restrictions are applied to the store path field when configuring a new store.
+Store Path Value | N/A | This is reserved for the AWS Account Id when setting up the store.
+Supports Custom Alias | Optional | Determines if an individual entry within a store can have a custom Alias.
+Private Keys | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store.
+PFX Password Style | Default or Custom | "Default" - PFX password is randomly generated, "Custom" - PFX password may be specified when the enrollment job is created (Requires the *Allow Custom Password* application setting to be enabled.)
+
+**Custom Fields:**
+
+Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote
+target server containing the certificate store to be managed
+
+Name|Display Name|Type|Default Value / Options|Required|Description
+---|---|---|---|---|---
+scope | Okta OAuth Scope | string | N/A | Yes | This is the OAuth Scope needed for Okta OAuth
+grant_type | Okta OAuth Grant Type | string | N/A | Yes | In OAuth 2.0, the term “grant type” refers to the way an application gets an access token
+oauthpath | OKTA OAuth Path | string | /oauth2/default/v1/token | Yes | In path to the OAuth Server. It will Default to the Default Server. If you use something outside of the Default, change this.
+awsrole | AWS Assume Identity Role | string | N/A | Yes | This role has to be created in AWS IAM so you can assume an identity and get temp credentials
+awsregions | AWS Regions | string | N/A | Yes | This will be the list of regions for the account the store iterates through when doing inventory.
+
+
+**Entry Parameters:**
+
+Entry parameters are inventoried and maintained for each entry within a certificate store.
+They are typically used to support binding of a certificate to a resource.
+
+Name|Display Name| Type|Default Value|Required When|Description
+---|---|---|---|---|---
+AWS Region | AWS Region | Multiple Choice | us-east-1 | Adding | When enrolling, this is the Region that the Certificate will be enrolled to.
+
-Cert Store Types Settings - Basic
----------------
-| Section | Settings |
-| ----------- | ----------- |
-| Details | Name="Custom Name", Short Name="AWSCerManO" |
-| Supported Job Types | Inventory, Add, Remove |
-| General Settings | Needs Server, Blueprint Allowed |
-| Password Settings | Supports Entry Password |
-
-![image.png](/Images/CertStoreType-Basic-Okta.gif)
-
-Cert Store Types Settings - Advanced
----------------
-| Section | Settings |
-| ----------- | ----------- |
-| Store Path Type | Freeform |
-| Other Settings | Supports Custom Alias=Optional, Private Key Handling=Optional, PFX Password Style=Default|
-
-![image.png](/Images/CertStoreType-Advanced.gif)
-
-Cert Store Types Settings - Custom Fields
----------------
-| Name | Display Name | Required | Type | Description |
-| ----------- | ----------- | ----------- | ----------- | ----------- |
-| scope | Okta OAuth Scope | True| string | This is the OAuth Scope needed for Okta OAuth
-| grant_type | Okta OAuth Grant Type | True | string | In OAuth 2.0, the term “grant type” refers to the way an application gets an access token
-| awsrole | AWS Assume Identity Role | True | string | This role has to be created in AWS IAM so you can assume an identity and get temp credentials
-| awsregions | AWS Regions | True | string | This will be the list of regions for the account the store iterates through when doing inventory.
-
-![image.png](/Images/CertStoreType-CustomFields-Okta.gif)
-
-Cert Store Types Settings - Entry Params
----------------
-| Name | Display Name | Type | Default Value | Multiple Choice Questions | Required When |
-| ----------- | ----------- | ----------- | ----------- | ----------- | ----------- |
-| AWS Region | AWS Region | Multiple Choice | us-east-1 | us-east-1,us-east-2... | Adding an Entry, Reenrolling Entry |
-
-![image.png](/Images/CertStoreType-EntryParams.gif)
Cert Store Settings
===============
@@ -113,96 +153,75 @@ Cert Store Settings
| 1 | Store Path | AWS Account Number | Unique account number obtained from AWS |
| 2 | Okta OAuth Scope | Look in Okta Setup for Scope | OAuth scope setup in the Okta Application |
| 3 | Okta OAuth Grant Type | client_credentials | This may vary depending on Okta setup but will most likely be this value. |
-| 4 | AWS Assume Identity Role | Whatever Role is setup in AWS | Role must allow a third identity provider in AWS with AWS Cert Manager full access. |
-| 5 | AWS Regions | us-east-1,us-east-2... | List of AWS Regions you want to inventory for the account above. |
-| 6 | Store Password | No Password Needed for this | Set to no password needed. |
+| 4 | OKTA OAuth Path | oauthpath | In path to the OAuth Server. It will Default to the Default Server. If you use something outside of the Default, change this. |
+| 5 | AWS Assume Identity Role | Whatever Role is setup in AWS | Role must allow a third identity provider in AWS with AWS Cert Manager full access. |
+| 6 | AWS Regions | us-east-1,us-east-2... | List of AWS Regions you want to inventory for the account above. |
+| 7 | Store Password | No Password Needed for this | Set to no password needed. |
-![image.png](/Images/CertStore2.gif)
+
+
-AWS Setup
-===============
-Identity Provider Setup
----------------
-A 3rd party [identity provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html) similar to the one below needs to be setup in AWS for each account.
-![image.png](/Images/AWSIdentityProvider.gif)
-
-AWS Role Setup
----------------
-An Aws [Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) Needs Added for each AWS account.
-![image.png](/Images/AWSRole1.gif)
-
-Trust Relationship
----------------
-Ensure the [trust relationship](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/edit_trust.html) is setup for that role. Should look like below:
-![image.png](/Images/AWSRole2.gif)
-
-OKTA Setup
-===============
-Okta API - Settings
----------------
-Ensure your Authorization Server Is Setup in OKTA. Here is a sample below:
-![image.png](/Images/OktaSampleAuthorizationServer.gif)
+
+ AWS Certificate Manager with IAM Auth Configuration
-Okta API - Scopes
----------------
-Ensure the appropriate scopes are setup in Okta. Here is a sample below:
-![image.png](/Images/OktaSampleAuthorizationServer-scopes.gif)
+### AWS Setup
+1. An Aws [Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) Needs Added for the permissions you want to grant, see [sample](/Images/AWSRole1.gif).
+2. A [Trust Relationship](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/edit_trust.html) is setup for that role. Should look like something like [this](/Images/AssumeRoleTrust.gif).
+3. AWS does not support programmatic access for AWS SSO accounts. The account used here must be a [standard AWS IAM User](/Images/UserAccount.gif) with an Access Key credential type.
-Okta App
----------------
-Setup an Okta App with similar settings to the screens below:
-![image.png](/Images/OktaApp1.gif)
-![image.png](/Images/OktaApp2.gif)
+
+Cert Store Type and Cert Store Setup
-# AWS Certificate Manager with IAM Auth Configuration
-NOTE FOR IAM AUTH:
+Cert Store Type Settings
+===============
+**Basic Settings:**
-AWS does not support programmatic access for AWS SSO accounts. The account used here must be a standard AWS IAM User with an Access Key credential type.
-![image.png](/Images/UserAccount.gif)
+CONFIG ELEMENT | VALUE | DESCRIPTION
+--|--|--
+Name | Any Custom Name | Display name for the store type (may be customized)
+Short Name| AWSCerManA | Short display name for the store type
+Custom Capability | N/A | Store type name orchestrator will register with. Check the box to allow entry of value
+Supported Job Types | Inventory, Add, Remove | Job types the extension supports
+Needs Server | Checked | Determines if a target server name is required when creating store
+Blueprint Allowed | Checked | Determines if store type may be included in an Orchestrator blueprint
+Uses PowerShell | Unchecked | Determines if underlying implementation is PowerShell
+Requires Store Password | Unchecked | Determines if a store password is required when configuring an individual store.
+Supports Entry Password | Unchecked | Determines if an individual entry within a store can have a password.
+**Advanced Settings:**
-Cert Store Type Settings
-===============
+CONFIG ELEMENT | VALUE | DESCRIPTION
+--|--|--
+Store Path Type | Freeform | Determines what restrictions are applied to the store path field when configuring a new store.
+Store Path Value | N/A | This is reserved for the AWS Account Id when setting up the store.
+Supports Custom Alias | Optional | Determines if an individual entry within a store can have a custom Alias.
+Private Keys | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store.
+PFX Password Style | Default or Custom | "Default" - PFX password is randomly generated, "Custom" - PFX password may be specified when the enrollment job is created (Requires the *Allow Custom Password* application setting to be enabled.)
-Cert Store Types Settings - Basic
----------------
-| Section | Settings |
-| ----------- | ----------- |
-| Details | Name="Custom Name", Short Name="AWSCerManA" |
-| Supported Job Types | Inventory, Add, Remove |
-| General Settings | Needs Server, Blueprint Allowed |
-| Password Settings | Supports Entry Password |
-![image.png](/Images/CertStoreType-Basic-IAM.gif)
+**Custom Fields:**
-Cert Store Types Settings - Advanced
----------------
-| Section | Settings |
-| ----------- | ----------- |
-| Store Path Type | Freeform |
-| Other Settings | Supports Custom Alias=Optional, Private Key Handling=Optional, PFX Password Style=Default|
+Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote
+target server containing the certificate store to be managed
-![image.png](/Images/CertStoreType-Advanced.gif)
+Name|Display Name|Type|Default Value / Options|Required|Description
+---|---|---|---|---|---
+awsrole | AWS Assume Identity Role | string | N/A | Yes | This role has to be created in AWS IAM so you can assume an identity and get temp credentials
+awsregions | AWS Regions | string | N/A | Yes | This will be the list of regions for the account the store iterates through when doing inventory.
-Cert Store Types Settings - Custom Fields
----------------
-| Name | Display Name | Required | Type | Description |
-| ----------- | ----------- | ----------- | ----------- | ----------- |
-| awsrole | AWS Assume Identity Role | True | string | This role has to be created in AWS IAM so you can assume an identity and get temp credentials
-| awsregions | AWS Regions | True | string | This will be the list of regions for the account the store iterates through when doing inventory.
-![image.png](/Images/CertStoreType-CustomFields-IAM.gif)
+**Entry Parameters:**
-Cert Store Types Settings - Entry Params
----------------
-| Name | Display Name | Type | Default Value | Multiple Choice Questions | Required When |
-| ----------- | ----------- | ----------- | ----------- | ----------- | ----------- |
-| AWS Region | AWS Region | Multiple Choice | us-east-1 | us-east-1,us-east-2... | Adding an Entry, Reenrolling Entry |
+Entry parameters are inventoried and maintained for each entry within a certificate store.
+They are typically used to support binding of a certificate to a resource.
+
+Name|Display Name| Type|Default Value|Required When|Description
+---|---|---|---|---|---
+AWS Region | AWS Region | Multiple Choice | us-east-1 | Adding | When enrolling, this is the Region that the Certificate will be enrolled to.
-![image.png](/Images/CertStoreType-EntryParams.gif)
Cert Store Settings
===============
@@ -215,18 +234,7 @@ Cert Store Settings
| 4 | User Name | IAM Access Key | Obtained from AWS |
| 5 | Password | IAM Access Secret | Obtained from the AWS |
-![image.png](/Images/CertStore-IAM.gif)
-
-AWS Setup
-===============
-
-AWS Role Setup
----------------
-An Aws [Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) Needs Added for the permissions you want to grant.
-![image.png](/Images/AWSRole1.gif)
-Trust Relationship
----------------
-Ensure the [trust relationship](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/edit_trust.html) is setup for that role. Should look like below, where AssumeRoleTest is the account whose access key/secret you are using:
-![image.png](/Images/AssumeRoleTrust.gif)
+
+
diff --git a/aws-orchestrator-core/CustomFields.cs b/aws-orchestrator-core/CustomFields.cs
index 7733a67..b9749a5 100644
--- a/aws-orchestrator-core/CustomFields.cs
+++ b/aws-orchestrator-core/CustomFields.cs
@@ -1,6 +1,18 @@
-using System;
-using System.ComponentModel;
+// Copyright 2023 Keyfactor
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+using System.ComponentModel;
using Newtonsoft.Json;
namespace Keyfactor.AnyAgent.AwsCertificateManager
@@ -25,6 +37,10 @@ public class OktaCustomFields : CustomFields
[JsonProperty("scope")]
[DefaultValue(false)]
public string Scope { get; set; }
+
+ [JsonProperty("oauthpath")]
+ [DefaultValue("/oauth2/default/v1/token")]
+ public string OAuthPath { get; set; }
}
public class IAMCustomFields : CustomFields
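Review bot: `[DefaultValue("/oauth2/default/v1/token")]` on the new OAuthPath property does not populate the property when an existing store's JSON has no `oauthpath` member unless the deserializer runs with `DefaultValueHandling.Populate`, and those settings are not visible in this diff; by default Newtonsoft only consults the attribute when serializing. For stores created before this field existed, OAuthPath would then be null, and the token URL built from it in Jobs/Okta/Inventory.cs and Jobs/Okta/Management.cs degenerates to `https://<host>` with no path. A property initializer gives the same default without depending on serializer settings: `public string OAuthPath { get; set; } = "/oauth2/default/v1/token";`. The existing `[DefaultValue(false)]` on the string Scope property just above suggests these attributes may be documentary only in this project, which is worth confirming before relying on them.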
diff --git a/aws-orchestrator-core/Jobs/IAM/Inventory.cs b/aws-orchestrator-core/Jobs/IAM/Inventory.cs
index 6f9ee23..286ec25 100644
--- a/aws-orchestrator-core/Jobs/IAM/Inventory.cs
+++ b/aws-orchestrator-core/Jobs/IAM/Inventory.cs
@@ -1,20 +1,27 @@
-using Amazon;
+// Copyright 2023 Keyfactor
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using Amazon;
using Amazon.CertificateManager;
using Amazon.CertificateManager.Model;
using Amazon.Runtime.Internal.Util;
using Amazon.SecurityToken.Model;
-
-using Keyfactor.AnyAgent.AwsCertificateManager.Models;
using Keyfactor.Logging;
using Keyfactor.Orchestrators.Common.Enums;
using Keyfactor.Orchestrators.Extensions;
-
using Microsoft.Extensions.Logging;
-
using Newtonsoft.Json;
-
-using RestSharp;
-
using System;
using System.Collections.Generic;
using System.Linq;
diff --git a/aws-orchestrator-core/Jobs/IAM/Management.cs b/aws-orchestrator-core/Jobs/IAM/Management.cs
index 7ffdff8..e7c3ebd 100644
--- a/aws-orchestrator-core/Jobs/IAM/Management.cs
+++ b/aws-orchestrator-core/Jobs/IAM/Management.cs
@@ -1,30 +1,36 @@
-using System;
+// Copyright 2023 Keyfactor
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
using System.IO;
using System.Linq;
using System.Net;
using System.Text;
-
using Amazon;
using Amazon.CertificateManager;
using Amazon.CertificateManager.Model;
using Amazon.Runtime.Internal.Util;
using Amazon.SecurityToken.Model;
-
-using Keyfactor.AnyAgent.AwsCertificateManager.Models;
using Keyfactor.Logging;
using Keyfactor.Orchestrators.Common.Enums;
using Keyfactor.Orchestrators.Extensions;
-
using Microsoft.Extensions.Logging;
-
using Newtonsoft.Json;
-
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.OpenSsl;
using Org.BouncyCastle.Pkcs;
-using RestSharp;
-
namespace Keyfactor.AnyAgent.AwsCertificateManager.Jobs.IAM
{
public class Management : IManagementJobExtension
diff --git a/aws-orchestrator-core/Jobs/Okta/Inventory.cs b/aws-orchestrator-core/Jobs/Okta/Inventory.cs
index 2b18a54..c15a8d5 100644
--- a/aws-orchestrator-core/Jobs/Okta/Inventory.cs
+++ b/aws-orchestrator-core/Jobs/Okta/Inventory.cs
@@ -1,20 +1,29 @@
-using Amazon;
+// Copyright 2023 Keyfactor
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using Amazon;
using Amazon.CertificateManager;
using Amazon.CertificateManager.Model;
using Amazon.Runtime.Internal.Util;
using Amazon.SecurityToken.Model;
-
using Keyfactor.AnyAgent.AwsCertificateManager.Models;
using Keyfactor.Logging;
using Keyfactor.Orchestrators.Common.Enums;
using Keyfactor.Orchestrators.Extensions;
-
using Microsoft.Extensions.Logging;
-
using Newtonsoft.Json;
-
using RestSharp;
-
using System;
using System.Collections.Generic;
using System.Linq;
@@ -165,7 +174,7 @@ private AuthResponse OktaAuthenticate(InventoryJobConfiguration config)
try
{
_logger.MethodEntry();
- var oktaAuthUrl = $"https://{config.CertificateStoreDetails.ClientMachine}/oauth2/default/v1/token";
+ var oktaAuthUrl = $"https://{config.CertificateStoreDetails.ClientMachine}{CustomFields.OAuthPath}";
_logger.LogTrace($"Custom Field List: {CustomFields}");
_logger.LogTrace($"Okta Auth URL: {oktaAuthUrl}");
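Review bot: The new line concatenates the configurable OAuthPath directly after the host with no validation, so a value that is null, empty, or does not begin with `/` yields a malformed URL or alters which authority the request is addressed to, and this is the request that carries the Okta client credentials. OktaAuthenticate starts and ends outside the hunk, so the guard belongs immediately before the URL is built; the identical line in aws-orchestrator-core/Jobs/Okta/Management.cs needs the same treatment. Accepting only a root-relative path keeps the authority fixed to ClientMachine and fails the job with a clear message instead of silently sending the credentials to an unintended endpoint.
```csharp
// Keep the authority fixed to ClientMachine: only a root-relative path is accepted here.
var oauthPath = CustomFields.OAuthPath;
if (string.IsNullOrWhiteSpace(oauthPath) || !oauthPath.StartsWith("/", StringComparison.Ordinal))
{
    throw new ArgumentException(
        "OAuthPath must be a root-relative path such as /oauth2/default/v1/token.",
        nameof(CustomFields.OAuthPath));
}
var oktaAuthUrl = $"https://{config.CertificateStoreDetails.ClientMachine}{oauthPath}";
// … unchanged: trace logging and token request …
```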
diff --git a/aws-orchestrator-core/Jobs/Okta/Management.cs b/aws-orchestrator-core/Jobs/Okta/Management.cs
index 6e49473..09e696c 100644
--- a/aws-orchestrator-core/Jobs/Okta/Management.cs
+++ b/aws-orchestrator-core/Jobs/Okta/Management.cs
@@ -1,24 +1,33 @@
-using System;
+// Copyright 2023 Keyfactor
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
using System.IO;
using System.Linq;
using System.Net;
using System.Text;
-
using Amazon;
using Amazon.CertificateManager;
using Amazon.CertificateManager.Model;
using Amazon.Runtime.Internal.Util;
using Amazon.SecurityToken.Model;
-
using Keyfactor.AnyAgent.AwsCertificateManager.Models;
using Keyfactor.Logging;
using Keyfactor.Orchestrators.Common.Enums;
using Keyfactor.Orchestrators.Extensions;
-
using Microsoft.Extensions.Logging;
-
using Newtonsoft.Json;
-
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.OpenSsl;
using Org.BouncyCastle.Pkcs;
@@ -311,7 +320,7 @@ private AuthResponse OktaAuthenticate(ManagementJobConfiguration config)
{
_logger.MethodEntry();
- var oktaAuthUrl = $"https://{config.CertificateStoreDetails.ClientMachine}/oauth2/default/v1/token";
+ var oktaAuthUrl = $"https://{config.CertificateStoreDetails.ClientMachine}{CustomFields.OAuthPath}";
_logger.LogTrace($"Custom Field List: {CustomFields}");
_logger.LogTrace($"Okta Auth URL: {oktaAuthUrl}");
diff --git a/aws-orchestrator-core/Models/AuthResponse.cs b/aws-orchestrator-core/Models/AuthResponse.cs
index 3ee03de..29ed92b 100644
--- a/aws-orchestrator-core/Models/AuthResponse.cs
+++ b/aws-orchestrator-core/Models/AuthResponse.cs
@@ -1,4 +1,18 @@
-using Newtonsoft.Json;
+// Copyright 2023 Keyfactor
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using Newtonsoft.Json;
namespace Keyfactor.AnyAgent.AwsCertificateManager.Models
{
diff --git a/aws-orchestrator-core/Utilities.cs b/aws-orchestrator-core/Utilities.cs
index a8208c7..30d6d4f 100644
--- a/aws-orchestrator-core/Utilities.cs
+++ b/aws-orchestrator-core/Utilities.cs
@@ -1,5 +1,18 @@
-using System;
+// Copyright 2023 Keyfactor
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+using System;
using Amazon;
using Amazon.Runtime;
using Amazon.Runtime.Internal.Util;
diff --git a/integration-manifest.json b/integration-manifest.json
index 2f55bdd..d27beae 100644
--- a/integration-manifest.json
+++ b/integration-manifest.json
@@ -1,10 +1,222 @@
{
"$schema": "https://keyfactor.github.io/integration-manifest-schema.json",
"integration_type": "orchestrator",
- "name": "AWS",
+ "name": "AWS Orchestrator",
"status": "production",
- "support_level": "kf-supported",
- "update_catalog": true,
"link_github": true,
- "description": "AWS Certificate Manager."
-}
\ No newline at end of file
+ "description": "This repository contains a Universal Orchestrator Extension which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications. The Universal Orchestrator is part of the Keyfactor software distribution and is available via the Keyfactor customer portal. For general instructions on installing Extensions, see the “Keyfactor Command Orchestrator Installation and Configuration Guide” section of the Keyfactor documentation. For configuration details of this specific Extension see below in this readme. The Universal Orchestrator is the successor to the Windows Orchestrator. This Orchestrator Extension plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator.",
+ "about": {
+ "orchestrator": {
+ "UOFramework": "10.1",
+ "pam_support": false,
+ "win": {
+ "supportsCreateStore": false,
+ "supportsDiscovery": false,
+ "supportsManagementAdd": true,
+ "supportsManagementRemove": true,
+ "supportsReenrollment": false,
+ "supportsInventory": true,
+ "platformSupport": "Unused"
+ },
+ "linux": {
+ "supportsCreateStore": false,
+ "supportsDiscovery": false,
+ "supportsManagementAdd": true,
+ "supportsManagementRemove": true,
+ "supportsReenrollment": false,
+ "supportsInventory": true,
+ "platformSupport": "Unused"
+ },
+ "store_types": [
+ {
+ "Name": "AWS Cert Manager IAM Auth",
+ "ShortName": "AWSCerManA",
+ "Capability": "AWSCerManA",
+ "LocalStore": false,
+ "SupportedOperations": {
+ "Add": true,
+ "Create": false,
+ "Discovery": false,
+ "Enrollment": false,
+ "Remove": true
+ },
+ "Properties": [
+ {
+ "Name": "awsrole",
+ "DisplayName": "AWS Assume Identity Role",
+ "Type": "String",
+ "DependsOn": null,
+ "DefaultValue": null,
+ "Required": true
+ },
+ {
+ "Name": "awsregions",
+ "DisplayName": "AWS Regions",
+ "Type": "String",
+ "DependsOn": null,
+ "DefaultValue": null,
+ "Required": true
+ },
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": null,
+ "DefaultValue": null,
+ "Required": false
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": null,
+ "DefaultValue": null,
+ "Required": false
+ },
+ {
+ "Name": "ServerUseSsl",
+ "DisplayName": "Use SSL",
+ "Type": "Bool",
+ "DependsOn": null,
+ "DefaultValue": "true",
+ "Required": true
+ }
+ ],
+ "EntryParameters": [
+ {
+ "Name": "AWS Region",
+ "DisplayName": "AWS Region",
+ "Type": "String",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": true,
+ "OnRemove": false,
+ "OnReenrollment": false
+ }
+ }
+ ],
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": false,
+ "Style": "Default"
+ },
+ "PrivateKeyAllowed": "Optional",
+ "JobProperties": [
+ "AWS Region"
+ ],
+ "ServerRequired": true,
+ "PowerShell": false,
+ "BlueprintAllowed": true,
+ "CustomAliasAllowed": "Optional"
+ },
+ {
+ "Name": "AWS Certificate Manager With Okta Auth",
+ "ShortName": "AwsCerManO",
+ "Capability": "AwsCerManO",
+ "LocalStore": false,
+ "SupportedOperations": {
+ "Add": true,
+ "Create": false,
+ "Discovery": false,
+ "Enrollment": false,
+ "Remove": true
+ },
+ "Properties": [
+ {
+ "Name": "scope",
+ "DisplayName": "Okta OAuth Scope",
+ "Type": "String",
+ "DependsOn": null,
+ "DefaultValue": null,
+ "Required": true
+ },
+ {
+ "Name": "grant_type",
+ "DisplayName": "Okta OAuth Grant Type",
+ "Type": "String",
+ "DependsOn": null,
+ "DefaultValue": null,
+ "Required": true
+ },
+ {
+ "Name": "awsrole",
+ "DisplayName": "AWS Assume Identity Role",
+ "Type": "String",
+ "DependsOn": null,
+ "DefaultValue": null,
+ "Required": true
+ },
+ {
+ "Name": "awsregions",
+ "DisplayName": "AWS Regions",
+ "Type": "String",
+ "DependsOn": null,
+ "DefaultValue": null,
+ "Required": true
+ },
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "DependsOn": null,
+ "DefaultValue": null,
+ "Required": false
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "DependsOn": null,
+ "DefaultValue": null,
+ "Required": false
+ },
+ {
+ "Name": "ServerUseSsl",
+ "DisplayName": "Use SSL",
+ "Type": "Bool",
+ "DependsOn": null,
+ "DefaultValue": "true",
+ "Required": true
+ },
+ {
+ "Name": "oauthpath",
+ "DisplayName": "OKTA OAuth Path",
+ "Type": "String",
+ "DependsOn": null,
+ "DefaultValue": "/oauth2/default/v1/token",
+ "Required": true
+ }
+ ],
+ "EntryParameters": [
+ {
+ "Name": "AWS Region",
+ "DisplayName": "AWS Region",
+ "Type": "MultipleChoice",
+ "RequiredWhen": {
+ "HasPrivateKey": false,
+ "OnAdd": true,
+ "OnRemove": false,
+ "OnReenrollment": true
+ },
+ "DefaultValue": "us-east-1",
+ "Options": "us-east-1,us-east-2"
+ }
+ ],
+ "PasswordOptions": {
+ "EntrySupported": true,
+ "StoreRequired": false,
+ "Style": "Default"
+ },
+ "PrivateKeyAllowed": "Optional",
+ "JobProperties": [
+ "AWS Region"
+ ],
+ "ServerRequired": true,
+ "PowerShell": false,
+ "BlueprintAllowed": true,
+ "CustomAliasAllowed": "Optional"
+ }
+ ]
+ }
+ }
+}
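Review bot: The Okta store type's "AWS Region" entry parameter sets `"OnReenrollment": true` while the same store type declares `"Enrollment": false` and both the win and linux capability blocks declare `"supportsReenrollment": false`, so the manifest contradicts itself about reenrollment; `"OnReenrollment": false` would match the IAM store type and the declared capabilities. The Okta type also sets `"EntrySupported": true` under PasswordOptions whereas the IAM type sets it to false, and the readme hunk in this same commit documents "Supports Entry Password" as Unchecked for both types — either the manifest or the readme should change so they agree. The IAM type's "AWS Region" entry parameter is `"Type": "String"` with no DefaultValue or Options, while the Okta type uses MultipleChoice with `us-east-1,us-east-2` and the readme describes the IAM parameter as Multiple Choice with default us-east-1; if that difference is unintentional, align the two definitions. The new `oauthpath` property is a freeform string that, per the changelog and readme, presumably becomes part of the Okta token endpoint URL; the code that consumes it is outside this diff, but it should validate the value as a path (leading slash, no scheme or host) so a misconfigured store cannot send the client credentials to an unexpected endpoint.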
diff --git a/readme_source.md b/readme_source.md
index e825ea4..5cf0b38 100644
--- a/readme_source.md
+++ b/readme_source.md
@@ -1,4 +1,3 @@
-***
## **Configuration**
**Overview**
@@ -24,51 +23,74 @@ AWS Certificate Manager is a service that lets you easily provision, manage, and
## **Installation**
Depending on your choice of authentication providers, choose the appropriate configuration section
-- [Okta Auth Configuration](#aws-certificate-manager-with-okta-auth-configuration)
-- [AWS IAM Auth Configuration](#aws-certificate-manager-with-iam-auth-configuration)
+
+AWS Certificate Manager with Okta Auth Configuration
+
+### AWS Setup
+1. A 3rd party [identity provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html) similar to [this](/Images/AWSIdentityProvider.gif) needs to be setup in AWS for each account.
+2. An Aws [Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) similar to [this](/Images/AWSRole1.gif) needs Added for each AWS account.
+3. Ensure the [trust relationship](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/edit_trust.html) is setup for that role. Should look like [this](/Images/AWSRole2.gif).
+
+### OKTA Setup
+1. Ensure your Authorization Server Is Setup in OKTA. Here is a [sample](/Images/OktaSampleAuthorizationServer.gif).
+2. Ensure the appropriate scopes are setup in Okta. Here is a [sample](/Images/OktaSampleAuthorizationServer-scopes.gif).
+3. Setup an Okta App with similar settings to [this](/Images/OktaApp1.gif) and [this](/Images/OktaApp2.gif).
+
+
+
+Cert Store Type and Cert Store Setup
-# AWS Certificate Manager with Okta Auth Configuration
Cert Store Type Settings
===============
+**Basic Settings:**
+
+CONFIG ELEMENT | VALUE | DESCRIPTION
+--|--|--
+Name | Any Custom Name | Display name for the store type (may be customized)
+Short Name| AWSCerManO | Short display name for the store type
+Custom Capability | N/A | Store type name orchestrator will register with. Check the box to allow entry of value
+Supported Job Types | Inventory, Add, Remove | Job types the extension supports
+Needs Server | Checked | Determines if a target server name is required when creating store
+Blueprint Allowed | Checked | Determines if store type may be included in an Orchestrator blueprint
+Uses PowerShell | Unchecked | Determines if underlying implementation is PowerShell
+Requires Store Password | Unchecked | Determines if a store password is required when configuring an individual store.
+Supports Entry Password | Unchecked | Determines if an individual entry within a store can have a password.
+
+
+**Advanced Settings:**
+
+CONFIG ELEMENT | VALUE | DESCRIPTION
+--|--|--
+Store Path Type | Freeform | Determines what restrictions are applied to the store path field when configuring a new store.
+Store Path Value | N/A | This is reserved for the AWS Account Id when setting up the store.
+Supports Custom Alias | Optional | Determines if an individual entry within a store can have a custom Alias.
+Private Keys | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store.
+PFX Password Style | Default or Custom | "Default" - PFX password is randomly generated, "Custom" - PFX password may be specified when the enrollment job is created (Requires the *Allow Custom Password* application setting to be enabled.)
+
+**Custom Fields:**
+
+Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote
+target server containing the certificate store to be managed
+
+Name|Display Name|Type|Default Value / Options|Required|Description
+---|---|---|---|---|---
+scope | Okta OAuth Scope | string | N/A | Yes | This is the OAuth Scope needed for Okta OAuth
+grant_type | Okta OAuth Grant Type | string | N/A | Yes | In OAuth 2.0, the term “grant type” refers to the way an application gets an access token
+oauthpath | OKTA OAuth Path | string | /oauth2/default/v1/token | Yes | In path to the OAuth Server. It will Default to the Default Server. If you use something outside of the Default, change this.
+awsrole | AWS Assume Identity Role | string | N/A | Yes | This role has to be created in AWS IAM so you can assume an identity and get temp credentials
+awsregions | AWS Regions | string | N/A | Yes | This will be the list of regions for the account the store iterates through when doing inventory.
+
+
+**Entry Parameters:**
+
+Entry parameters are inventoried and maintained for each entry within a certificate store.
+They are typically used to support binding of a certificate to a resource.
+
+Name|Display Name| Type|Default Value|Required When|Description
+---|---|---|---|---|---
+AWS Region | AWS Region | Multiple Choice | us-east-1 | Adding | When enrolling, this is the Region that the Certificate will be enrolled to.
+
-Cert Store Types Settings - Basic
----------------
-| Section | Settings |
-| ----------- | ----------- |
-| Details | Name="Custom Name", Short Name="AWSCerManO" |
-| Supported Job Types | Inventory, Add, Remove |
-| General Settings | Needs Server, Blueprint Allowed |
-| Password Settings | Supports Entry Password |
-
-![image.png](/Images/CertStoreType-Basic-Okta.gif)
-
-Cert Store Types Settings - Advanced
----------------
-| Section | Settings |
-| ----------- | ----------- |
-| Store Path Type | Freeform |
-| Other Settings | Supports Custom Alias=Optional, Private Key Handling=Optional, PFX Password Style=Default|
-
-![image.png](/Images/CertStoreType-Advanced.gif)
-
-Cert Store Types Settings - Custom Fields
----------------
-| Name | Display Name | Required | Type | Description |
-| ----------- | ----------- | ----------- | ----------- | ----------- |
-| scope | Okta OAuth Scope | True| string | This is the OAuth Scope needed for Okta OAuth
-| grant_type | Okta OAuth Grant Type | True | string | In OAuth 2.0, the term “grant type” refers to the way an application gets an access token
-| awsrole | AWS Assume Identity Role | True | string | This role has to be created in AWS IAM so you can assume an identity and get temp credentials
-| awsregions | AWS Regions | True | string | This will be the list of regions for the account the store iterates through when doing inventory.
-
-![image.png](/Images/CertStoreType-CustomFields-Okta.gif)
-
-Cert Store Types Settings - Entry Params
----------------
-| Name | Display Name | Type | Default Value | Multiple Choice Questions | Required When |
-| ----------- | ----------- | ----------- | ----------- | ----------- | ----------- |
-| AWS Region | AWS Region | Multiple Choice | us-east-1 | us-east-1,us-east-2... | Adding an Entry, Reenrolling Entry |
-
-![image.png](/Images/CertStoreType-EntryParams.gif)
Cert Store Settings
===============
@@ -80,96 +102,75 @@ Cert Store Settings
| 1 | Store Path | AWS Account Number | Unique account number obtained from AWS |
| 2 | Okta OAuth Scope | Look in Okta Setup for Scope | OAuth scope setup in the Okta Application |
| 3 | Okta OAuth Grant Type | client_credentials | This may vary depending on Okta setup but will most likely be this value. |
-| 4 | AWS Assume Identity Role | Whatever Role is setup in AWS | Role must allow a third identity provider in AWS with AWS Cert Manager full access. |
-| 5 | AWS Regions | us-east-1,us-east-2... | List of AWS Regions you want to inventory for the account above. |
-| 6 | Store Password | No Password Needed for this | Set to no password needed. |
+| 4 | OKTA OAuth Path | oauthpath | In path to the OAuth Server. It will Default to the Default Server. If you use something outside of the Default, change this. |
+| 5 | AWS Assume Identity Role | Whatever Role is setup in AWS | Role must allow a third identity provider in AWS with AWS Cert Manager full access. |
+| 6 | AWS Regions | us-east-1,us-east-2... | List of AWS Regions you want to inventory for the account above. |
+| 7 | Store Password | No Password Needed for this | Set to no password needed. |
-![image.png](/Images/CertStore2.gif)
+
+
-AWS Setup
-===============
-Identity Provider Setup
----------------
-A 3rd party [identity provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html) similar to the one below needs to be setup in AWS for each account.
-![image.png](/Images/AWSIdentityProvider.gif)
-
-AWS Role Setup
----------------
-An Aws [Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) Needs Added for each AWS account.
-![image.png](/Images/AWSRole1.gif)
-
-Trust Relationship
----------------
-Ensure the [trust relationship](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/edit_trust.html) is setup for that role. Should look like below:
-![image.png](/Images/AWSRole2.gif)
-
-OKTA Setup
-===============
-Okta API - Settings
----------------
-Ensure your Authorization Server Is Setup in OKTA. Here is a sample below:
-![image.png](/Images/OktaSampleAuthorizationServer.gif)
+
+ AWS Certificate Manager with IAM Auth Configuration
-Okta API - Scopes
----------------
-Ensure the appropriate scopes are setup in Okta. Here is a sample below:
-![image.png](/Images/OktaSampleAuthorizationServer-scopes.gif)
+### AWS Setup
+1. An Aws [Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) Needs Added for the permissions you want to grant, see [sample](/Images/AWSRole1.gif).
+2. A [Trust Relationship](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/edit_trust.html) is setup for that role. Should look like something like [this](/Images/AssumeRoleTrust.gif).
+3. AWS does not support programmatic access for AWS SSO accounts. The account used here must be a [standard AWS IAM User](/Images/UserAccount.gif) with an Access Key credential type.
-Okta App
----------------
-Setup an Okta App with similar settings to the screens below:
-![image.png](/Images/OktaApp1.gif)
-![image.png](/Images/OktaApp2.gif)
+
+Cert Store Type and Cert Store Setup
-# AWS Certificate Manager with IAM Auth Configuration
-NOTE FOR IAM AUTH:
+Cert Store Type Settings
+===============
+**Basic Settings:**
-AWS does not support programmatic access for AWS SSO accounts. The account used here must be a standard AWS IAM User with an Access Key credential type.
-![image.png](/Images/UserAccount.gif)
+CONFIG ELEMENT | VALUE | DESCRIPTION
+--|--|--
+Name | Any Custom Name | Display name for the store type (may be customized)
+Short Name| AWSCerManA | Short display name for the store type
+Custom Capability | N/A | Store type name orchestrator will register with. Check the box to allow entry of value
+Supported Job Types | Inventory, Add, Remove | Job types the extension supports
+Needs Server | Checked | Determines if a target server name is required when creating store
+Blueprint Allowed | Checked | Determines if store type may be included in an Orchestrator blueprint
+Uses PowerShell | Unchecked | Determines if underlying implementation is PowerShell
+Requires Store Password | Unchecked | Determines if a store password is required when configuring an individual store.
+Supports Entry Password | Unchecked | Determines if an individual entry within a store can have a password.
+**Advanced Settings:**
+
+CONFIG ELEMENT | VALUE | DESCRIPTION
+--|--|--
+Store Path Type | Freeform | Determines what restrictions are applied to the store path field when configuring a new store.
+Store Path Value | N/A | This is reserved for the AWS Account Id when setting up the store.
+Supports Custom Alias | Optional | Determines if an individual entry within a store can have a custom Alias.
+Private Keys | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store.
+PFX Password Style | Default or Custom | "Default" - PFX password is randomly generated, "Custom" - PFX password may be specified when the enrollment job is created (Requires the *Allow Custom Password* application setting to be enabled.)
-Cert Store Type Settings
-===============
-Cert Store Types Settings - Basic
----------------
-| Section | Settings |
-| ----------- | ----------- |
-| Details | Name="Custom Name", Short Name="AWSCerManA" |
-| Supported Job Types | Inventory, Add, Remove |
-| General Settings | Needs Server, Blueprint Allowed |
-| Password Settings | Supports Entry Password |
+**Custom Fields:**
-![image.png](/Images/CertStoreType-Basic-IAM.gif)
+Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote
+target server containing the certificate store to be managed
-Cert Store Types Settings - Advanced
----------------
-| Section | Settings |
-| ----------- | ----------- |
-| Store Path Type | Freeform |
-| Other Settings | Supports Custom Alias=Optional, Private Key Handling=Optional, PFX Password Style=Default|
+Name|Display Name|Type|Default Value / Options|Required|Description
+---|---|---|---|---|---
+awsrole | AWS Assume Identity Role | string | N/A | Yes | This role has to be created in AWS IAM so you can assume an identity and get temp credentials
+awsregions | AWS Regions | string | N/A | Yes | This will be the list of regions for the account the store iterates through when doing inventory.
-![image.png](/Images/CertStoreType-Advanced.gif)
-Cert Store Types Settings - Custom Fields
----------------
-| Name | Display Name | Required | Type | Description |
-| ----------- | ----------- | ----------- | ----------- | ----------- |
-| awsrole | AWS Assume Identity Role | True | string | This role has to be created in AWS IAM so you can assume an identity and get temp credentials
-| awsregions | AWS Regions | True | string | This will be the list of regions for the account the store iterates through when doing inventory.
+**Entry Parameters:**
-![image.png](/Images/CertStoreType-CustomFields-IAM.gif)
+Entry parameters are inventoried and maintained for each entry within a certificate store.
+They are typically used to support binding of a certificate to a resource.
-Cert Store Types Settings - Entry Params
----------------
-| Name | Display Name | Type | Default Value | Multiple Choice Questions | Required When |
-| ----------- | ----------- | ----------- | ----------- | ----------- | ----------- |
-| AWS Region | AWS Region | Multiple Choice | us-east-1 | us-east-1,us-east-2... | Adding an Entry, Reenrolling Entry |
+Name|Display Name| Type|Default Value|Required When|Description
+---|---|---|---|---|---
+AWS Region | AWS Region | Multiple Choice | us-east-1 | Adding | When enrolling, this is the Region that the Certificate will be enrolled to.
-![image.png](/Images/CertStoreType-EntryParams.gif)
Cert Store Settings
===============
@@ -182,17 +183,6 @@ Cert Store Settings
| 4 | User Name | IAM Access Key | Obtained from AWS |
| 5 | Password | IAM Access Secret | Obtained from the AWS |
-![image.png](/Images/CertStore-IAM.gif)
-
-AWS Setup
-===============
-
-AWS Role Setup
----------------
-An Aws [Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) Needs Added for the permissions you want to grant.
-![image.png](/Images/AWSRole1.gif)
-Trust Relationship
----------------
-Ensure the [trust relationship](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/edit_trust.html) is setup for that role. Should look like below, where AssumeRoleTest is the account whose access key/secret you are using:
-![image.png](/Images/AssumeRoleTrust.gif)
\ No newline at end of file
+
+