Amazon SQS and SNS Connection Shared Resource

This Amazon SQS and SNS Connection shared resource is required by all SQS and SNS activities as it provides the AWS client object that mediates all interactions with the AWS messaging system.

General

This section includes the following fields:

Field Module Property? Description
Package No Name of the package. By default, the value of the field is the name of the package in which the resource is created. You can change the field value by clicking icon.
Name No Name of the connection. You can change the field value by clicking icon.
Description No The user can provide additional description about the connection.

SQS SNS Client Configuration

You can provide information required to establish the connection with Amazon SQS and SNS. You can configure the connection using AWS Credential, SAML Authentication, or Container Credentials.

Note: To enable the AWS regional endpoint for STS (Security Token Service), set the JVM argument as:

-Dcom.tibco.​aws.useregionalendpoint=true

The following table describes the fields:
Condition Applicable Field Module Property? Description
N/A AWS Region Name Yes The name of the AWS region to which you want to connect. For a complete list of regions, see AWS documentation.
N/A Authentication Type Yes You can use the following types of authentication:
  • AWS Credential
  • SAML Authentication
  • Container Credentials
  • Default Credentials Provider Chain
Note: Container Credentials authentication type is loaded from the Amazon ECS when the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set. For information on Amazon ECS container credentials, see AWS documentation.
Available only when the Authentication Type is selected as AWS Credential. AWS Key ID Yes This is the ID of the secret key for AWS. Keys can be created through the AWS console and downloaded as csv files.
AWS Secret Yes This is the encrypted secret key for access to AWS.
Cross Account Access No Use the AWS Security Token Service (AWS STS) to create and provide trusted users with temporary security credentials that can control access to your AWS resources. This parameter uses cross-account access temporary security credentials created by AssumeRole. For information on Temporary Security Credentials, see AWS documentation.
Available only when the Authentication Type is selected as AWS Credential and Cross Account Access check-box is selected Role ARN Yes The Amazon Resource Name (ARN) of the role to assume. For more information on RoleARN, see AWS documentation.
Role Session Name Yes An identifier for the assumed role session used to uniquely identify a session when the same role is assumed by different principals or for different reasons. For more information on RoleSessionName, see AWS documentation.
External ID Yes A unique identifier that might be required when you assume a role in another account. It is used to address the confused deputy problem. For more information on ExternalId, see AWS documentation.
Expiration Duration (min) Yes

Parameter to specify the duration in minutes for which the temporary security credentials remain valid using AssumeRole. For more information on ExpirationDuration, see AWS documentation.

Available only when the Authentication Type is selected as SAML Authentication. Identity Provider (IdP) No The service provider that manages your user identities. With an IdP, you can manage user identities outside of AWS instead of creating AWS Identity and Access Management (IAM) users in your account. After establishing the trust relationship between IdP and AWS, your users can access AWS resources using their corporate credentials. The following identity providers can be used:
  • PingFederate
  • ADFS
Note: Ensure that Form authentication is enabled for the identity provider.
Identity Provider Login URL Yes

IdP login URL that is generated when you configure the identity provider in the identity provider console.

Example URL for PingFederate: https://<host>:<port>/idp/startSSO.ping?PartnerSpId=urn%3Aamazon%3Awebservices

Example URL for ADFS: https://<host>:<port>/adfs/ls/ IdpInitiatedSignOn.aspx? loginToRp=urn:amazon: webservices

Username Yes User name that is configured with your identity provider
Password Yes Password that is configured with your identity provider
AWS Role Yes AWS IAM role
Token Expiration Duration Yes Duration for which the token is valid
Note: This is configured in AWS IAM policy when creating the role. If the user specifies the value as 0, the value is taken as 60 minutes.
SSL Client Configuration No Establishes secure connection with the identity provider

For more information about SSL Client Configuration, see the "Shared Resource" section of the TIBCO ActiveMatrix BusinessWorks™ Bindings and Palettes Reference guide.

Use Proxy Yes The call to the identity provider through the proxy can be enabled when using Advanced configuration with a custom client type.
Note: To enable basic authentication, set JVM argument as

-Djdk.http.auth.tunneling.disabledSchemes=

For more information, see setting bwappnode-<AppNodeName>.tra file in "Setting JVM Parameters for the AppNode Manually" section in the TIBCO ActiveMatrix BusinessWorks documentation.

With TIBCO BusinessStudio for BusinessWorks : Add this argument in <BW_HOME>\studio\<version>\eclipse\TIBCOBusinessStudio.ini file.

Custom Client Config

SQS Default Client Config choose a predefined configuration or create a custom configuration.
Note: The DynamoDB and SimpleWorkFlow configurations are provided in case the client defaults for those clients who closely match your desired configuration.

For other situations where the default configuration is not optimal, use the custom configuration. You can configure the HTTP proxy in the custom configuration. For more information about setting a proxy, see Setting Proxy.

For detailed descriptions of custom configuration, see Client Configuration on AWS documentation.