Amazon S3 Shared Resource Connection
The Amazon S3 shared resource describes the connection to Amazon S3. Use it to specify the configuration details that connect an Amazon S3 client to an Amazon S3 instance.
General
The General tab shows the package that stores the Amazon S3 shared resource and the shared resource name. You can also provide a description for the shared resource in this tab.
The following table describes the fields on the General tab of the Amazon S3 shared resource:
Field | Module Property? | Description |
---|---|---|
Package | No | Package to be added |
Name | No | Name to be displayed as a label for the shared resource |
Description | No | A short description for this shared resource |
Amazon Connection Configuration
You can provide the information required to establish the connection with Amazon S3. You can configure the connection using AWS Credential, SAML Authentication, or Container Credentials.
Note: The regional endpoint property (see the Custom Endpoint field below) can be set either as a JVM argument, -Dcom.tibco.aws.useregionalendpoint=true, or as com.tibco.aws.useregionalendpoint=true in the tibcohome\studio\<version>\eclipse\Configuration\config.ini file.
The following table describes the fields:
Condition Applicable | Field | Module Property? | Description |
---|---|---|---|
N/A | AWS Region Name | Yes | The name of the AWS region to which you want to connect. For a complete list of regions, refer to the AWS documentation. |
N/A | Authentication Type | Yes | The authentication type to use: AWS Credential, SAML Authentication, or Container Credentials. Note: The Container Credentials authentication type is loaded from Amazon ECS when the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set. For more information about Amazon ECS container credentials, see the AWS documentation. |
Available only when Authentication Type is AWS Credential | AWS Key ID | Yes | The key ID that pairs with the AWS secret key. Keys can be created through the AWS console and downloaded as CSV files. |
Available only when Authentication Type is AWS Credential | AWS Secret | Yes | The encrypted secret key for access to AWS. |
Available only when Authentication Type is AWS Credential | Session Token | Yes | Along with AWS Key ID and AWS Secret, the plug-in supports a Session Token. The Session Token is the temporary security credential used for multi-factor authentication. Note: When a Session Token is provided, the AWS credentials are treated as temporary session credentials; otherwise they are static IAM credentials. |
Available only when Authentication Type is AWS Credential | Cross Account Access | Yes | Use the AWS Security Token Service (AWS STS) to create and provide trusted users with temporary security credentials that can control access to your AWS resources. This parameter uses cross-account temporary security credentials created by AssumeRole. For more information about temporary security credentials, see the AWS documentation. |
Available only when Authentication Type is AWS Credential or Container Credentials and the Cross Account Access checkbox is selected | Role ARN | Yes | The Amazon Resource Name (ARN) of the role to assume. For more information, refer to the AWS documentation on RoleArn. |
Available only when Authentication Type is AWS Credential or Container Credentials and the Cross Account Access checkbox is selected | Role Session Name | Yes | An identifier for the assumed role session, used to uniquely identify a session when the same role is assumed by different principals or for different reasons. For more information, refer to the AWS documentation on RoleSessionName. |
Available only when Authentication Type is AWS Credential or Container Credentials and the Cross Account Access checkbox is selected | External ID | Yes | A unique identifier that might be required when you assume a role in another account. It is used to address the confused deputy problem. For more information, refer to the AWS documentation on ExternalId. |
Available only when Authentication Type is AWS Credential or Container Credentials and the Cross Account Access checkbox is selected | Expiration Duration (min) | Yes | The duration in minutes for which the temporary security credentials obtained with AssumeRole remain valid. For more information, refer to the AWS documentation on ExpirationDuration. |
Available only when Authentication Type is SAML Authentication | Identity Provider (IdP) | No | The service provider that manages your user identities. With an identity provider, you can manage user identities outside of AWS instead of creating AWS Identity and Access Management (IAM) users in your account. After establishing the trust relationship between the identity provider and AWS, your users can access AWS resources using their corporate credentials. The following identity providers can be used: Note: Ensure that Form authentication is enabled for the identity provider. Note: When using the ADFS IdP, if Windows Integrated Authentication (WIA) is enabled and the IdP is accessed from the intranet, set the system property -Dcom.tibco.bw.awsplugins.saml.useragent. For more information, refer to the ADFS documentation. |
Available only when Authentication Type is SAML Authentication | Identity Provider Login URL | Yes | The login URL that is generated when you configure the identity provider in the identity provider console. Example URL for PingFederate: https://<host>:<port>/idp/startSSO.ping?PartnerSpId=urn%3Aamazon%3Awebservices Example URL for ADFS: https://<host>:<port>/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices |
Available only when Authentication Type is SAML Authentication | Username | Yes | Username that is configured with your identity provider |
Available only when Authentication Type is SAML Authentication | Password | Yes | Password that is configured with your identity provider |
Available only when Authentication Type is SAML Authentication | AWS Role | Yes | AWS IAM role |
Available only when Authentication Type is SAML Authentication | Token Expiration Duration | Yes | Duration for which the token is valid. Note: This is configured in the AWS IAM policy when creating the role. If you specify the value as 0, it is equivalent to 60 minutes. |
Available only when Authentication Type is SAML Authentication | SSL Client Configuration | No | Establishes a secure connection with the IdP. For more information about SSL Client Configuration, see the "Shared Resource" section of the TIBCO ActiveMatrix BusinessWorks™ Bindings and Palettes Reference guide. |
Available only when Authentication Type is SAML Authentication | Use Proxy | Yes | The call to the identity provider through the proxy can be enabled when using the Advanced Configuration with a custom client type. Note: To enable basic authentication, set the JVM argument -Djdk.http.auth.tunneling.disabledSchemes= (with an empty value). For an AppNode, refer to the bwappnode-<AppNodeName>.tra file in the "Setting JVM Parameters for the AppNode Manually" section of the TIBCO ActiveMatrix BusinessWorks documentation. With TIBCO Business Studio for BusinessWorks, add this argument in the <BW_HOME>\studio\<version>\eclipse\TIBCOBusinessStudio.ini file. |
N/A | Custom Endpoint | Yes | The URL of the entry point for an AWS web service. It serves as a gateway for accessing AWS S3 buckets. Note: When a Custom Endpoint is used, the AWS Region Name field is mandatory for the shared resource. Note: Set the following property if the Cross Account Access checkbox is selected and the deployment environment is in a Virtual Private Cloud: -Dcom.tibco.aws.useregionalendpoint=true |
N/A | Path-Style Access | No | To enable Path-Style Access, select the Path-Style Access checkbox. Note: Select this checkbox if you are deploying the projects in the TCI environment and your S3 environment is in a Virtual Private Cloud (VPC). |
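The credential decisions in the table above (static IAM keys versus a temporary session when a Session Token is present, Container Credentials taken from the ECS environment variable, and the AssumeRole inputs for Cross Account Access) are modelled in the following added Python example. It is not part of the plug-in: the field names mirror the table, the regular expressions and the 15-minute to 12-hour duration bounds are AWS's documented STS constraints, and the caller_account argument and every sample value (account IDs, role name, External ID) are constructed. The External ID check shows the confused-deputy guard the table refers to: a role in another account is only assumed when the External ID that account's trust policy expects is configured.

```python
"""Credential-mode resolution and AssumeRole input validation (added example, not plug-in code)."""
import os
import re
from dataclasses import dataclass
from typing import Optional

# AWS-documented STS constraints (not from the page).
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)*:iam::(\d{12}):role/[\w+=,.@/-]+$")
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")
EXTERNAL_ID_RE = re.compile(r"^[\w+=,.@:/-]{2,1224}$")
MIN_DURATION_S, MAX_DURATION_S = 900, 43200  # 15 minutes .. 12 hours


@dataclass
class ConnectionConfig:
    """Mirrors the Amazon Connection Configuration fields of the shared resource."""
    authentication_type: str  # "AWS Credential" | "SAML Authentication" | "Container Credentials"
    aws_key_id: Optional[str] = None
    aws_secret: Optional[str] = None
    session_token: Optional[str] = None
    cross_account_access: bool = False
    role_arn: Optional[str] = None
    role_session_name: Optional[str] = None
    external_id: Optional[str] = None
    expiration_duration_min: int = 60


def credential_mode(cfg: ConnectionConfig, env=os.environ) -> str:
    """Classify the configured credentials the way the table describes them."""
    if cfg.authentication_type == "Container Credentials":
        # ECS credentials are only loadable when the relative-URI variable is set.
        if not env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"):
            raise ValueError("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set")
        return "container"
    if cfg.authentication_type == "SAML Authentication":
        return "saml"
    if cfg.authentication_type == "AWS Credential":
        if not (cfg.aws_key_id and cfg.aws_secret):
            raise ValueError("AWS Key ID and AWS Secret are required")
        # A Session Token turns static IAM keys into temporary session credentials.
        return "temporary-session" if cfg.session_token else "static-iam"
    raise ValueError(f"unknown Authentication Type: {cfg.authentication_type}")


def assume_role_request(cfg: ConnectionConfig, caller_account: str) -> dict:
    """Validate the Cross Account Access fields and return the AssumeRole parameters.

    caller_account (constructed argument) is the 12-digit account the AppNode's own
    credentials belong to; it is only used to detect a cross-account target.
    """
    if not cfg.cross_account_access:
        raise ValueError("Cross Account Access is not selected")
    if cfg.authentication_type not in ("AWS Credential", "Container Credentials"):
        raise ValueError("Cross Account Access needs AWS Credential or Container Credentials")
    match = ROLE_ARN_RE.match(cfg.role_arn or "")
    if not match:
        raise ValueError("Role ARN is not a valid IAM role ARN")
    if not SESSION_NAME_RE.match(cfg.role_session_name or ""):
        raise ValueError("Role Session Name must be 2-64 characters of [A-Za-z0-9_+=,.@-]")
    seconds = cfg.expiration_duration_min * 60
    if not MIN_DURATION_S <= seconds <= MAX_DURATION_S:
        raise ValueError("Expiration Duration must be between 15 and 720 minutes")

    params = {
        "RoleArn": cfg.role_arn,
        "RoleSessionName": cfg.role_session_name,
        "DurationSeconds": seconds,
    }
    target_account = match.group(1)
    if target_account != caller_account and not cfg.external_id:
        # Confused-deputy guard: a role in another account must be assumed with the
        # External ID that account's trust policy expects, never with an empty one.
        raise ValueError("External ID is required when assuming a role in another account")
    if cfg.external_id:
        if not EXTERNAL_ID_RE.match(cfg.external_id):
            raise ValueError("External ID has an unsupported length or characters")
        params["ExternalId"] = cfg.external_id
    return params


if __name__ == "__main__":
    # Constructed sample configuration.
    sample = ConnectionConfig("AWS Credential", aws_key_id="EXAMPLEKEYID", aws_secret="example-secret",
                              cross_account_access=True, role_arn="arn:aws:iam::222222222222:role/S3Reader",
                              role_session_name="bw-appnode-1", external_id="constructed-external-id-1")
    print(credential_mode(sample), assume_role_request(sample, caller_account="111111111111"))
```

The dictionary returned by assume_role_request is the parameter set an STS AssumeRole call takes; the example stops there so it runs without network access, and the checks it performs are the ones worth running in a configuration review before the first deployment.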
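How the Custom Endpoint, AWS Region Name and Path-Style Access fields combine into the URL a request is sent to is shown by the following added Python example; it is not the plug-in's code. The region-is-mandatory rule follows the Custom Endpoint note above; the virtual-hosted versus path-style URL shapes are S3's documented addressing styles, and the example goes one step beyond the table by switching dotted bucket names to path-style, because the bucket label would otherwise not match the wildcard TLS certificate of the S3 host. All host names, bucket names and keys are constructed.

```python
"""S3 endpoint and addressing-style resolution (added example, not plug-in code)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote, urlsplit


@dataclass
class EndpointConfig:
    """The three shared-resource fields that decide where a request goes."""
    region: Optional[str]                  # AWS Region Name
    custom_endpoint: Optional[str] = None  # Custom Endpoint (URL), e.g. a VPC interface endpoint
    path_style_access: bool = False        # Path-Style Access checkbox


def service_endpoint(cfg: EndpointConfig) -> str:
    """Return the scheme://host[:port] the client talks to."""
    if cfg.custom_endpoint:
        # Request signing still needs the region even when the host is overridden,
        # which is why the table makes AWS Region Name mandatory here.
        if not cfg.region:
            raise ValueError("AWS Region Name is mandatory when a Custom Endpoint is set")
        parts = urlsplit(cfg.custom_endpoint)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError("Custom Endpoint must be an https URL with a host")
        return f"https://{parts.netloc}"
    if not cfg.region:
        raise ValueError("AWS Region Name is required")
    return f"https://s3.{cfg.region}.amazonaws.com"


def effective_path_style(cfg: EndpointConfig, bucket: str) -> bool:
    """Path-style is used when the checkbox is set, or when the bucket name contains a dot:
    'my.bucket.s3.<region>.amazonaws.com' does not match the *.s3.<region>.amazonaws.com
    certificate, so virtual-hosted addressing over https would fail TLS validation."""
    return cfg.path_style_access or "." in bucket


def object_url(cfg: EndpointConfig, bucket: str, key: str) -> str:
    """Virtual-hosted style puts the bucket in the host name; path-style puts it in the path."""
    base = service_endpoint(cfg)
    encoded_key = quote(key, safe="/")  # keep '/' so prefixes stay readable in the URL
    if effective_path_style(cfg, bucket):
        return f"{base}/{bucket}/{encoded_key}"
    scheme, _, host = base.partition("://")
    return f"{scheme}://{bucket}.{host}/{encoded_key}"


if __name__ == "__main__":
    # Constructed configurations: public regional endpoint and a private custom endpoint.
    public = EndpointConfig(region="eu-west-1")
    private = EndpointConfig(region="eu-west-1",
                             custom_endpoint="https://s3-gateway.internal.example:8443",
                             path_style_access=True)
    print(object_url(public, "logs-bucket", "2024/app.log"))
    print(object_url(private, "logs-bucket", "2024/app.log"))
```

With a Custom Endpoint inside a VPC the bucket name cannot be placed in the host label of a private DNS name, which is why the Path-Style Access note above pairs that checkbox with VPC deployments.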
Amazon Connection Advanced Configuration
The following table describes the fields in the Amazon Connection Advanced Configuration tab of the Amazon S3 shared resource:
Field | Module Property? | Description |
---|---|---|
Client Type | No | Select between the default and the customized AWS client configuration. Defaults to the default client type. |
Connection Timeout | Yes | Number of milliseconds that the attempt to create an AWS client connection waits before timing out. Defaults to 10 seconds. |
ClientExecutionTimeout | Yes | Default HTTP timeout for all requests made on this connection. Disabled by default: 0 seconds. |
MaxErrorRetry | Yes | Number of retries the AWS client attempts for HTTP error code 5xx before reporting an error. |
RequestTimeout | Yes | Number of milliseconds a single HTTP request can take before it is timed out. This differs from ClientExecutionTimeout, which bounds the whole operation, and an operation may consist of several individual HTTP requests. Disabled by default: 0. |
Use Gzip | Yes | Uses Gzip communications. Defaults to false. |
Use Proxy Settings | No | Enables or disables the fields related to proxy settings. Disabled by default; if disabled, no proxy server is used. |
NonProxy Hosts | Yes | List of hosts that should be reached directly, bypassing the proxy. This is a list of patterns separated by '|'. A pattern may start or end with a '*' wildcard. Any host matching one of these patterns is reached through a direct connection instead of through the proxy. |
Preemptive Basic Proxy Auth | Yes | Sets whether to attempt to authenticate preemptively against proxy servers by using basic authentication. |
Proxy Domain | Yes | Sets the optional Windows domain name for configuring an NTLM proxy. |
Proxy Workstation | Yes | Sets the optional Windows workstation name for configuring NTLM proxy support. |
Proxy Host | Yes | Sets the proxy host the client connects through. |
Proxy Port | Yes | Sets the proxy port the client connects through. |
Proxy Username | Yes | Sets the proxy user name to use. |
Proxy Password | Yes | Sets the proxy password to use. |
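The interaction between MaxErrorRetry, RequestTimeout and ClientExecutionTimeout in the table above is easy to misjudge, so the following added Python example (not the plug-in's or the AWS SDK's code) runs a minimal executor with those three settings over a scripted sequence of responses and a fake clock. The retry-on-5xx-only rule and the two timeout scopes follow the table; the decision to retry a timed-out attempt the same way as a 5xx, and all response sequences and durations, are this example's own constructions.

```python
"""Retry and timeout semantics of the Advanced Configuration tab (added example)."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class AdvancedConfig:
    """Subset of the Advanced Configuration fields; 0 disables a timeout, as in the table."""
    max_error_retry: int = 3
    request_timeout_ms: int = 0            # budget for ONE HTTP attempt
    client_execution_timeout_ms: int = 0   # budget for the WHOLE operation, retries included


@dataclass
class Outcome:
    status: int        # final HTTP status, 0 when the last attempt timed out
    attempts: int      # HTTP attempts made (1 + retries)
    elapsed_ms: int    # total wall time consumed by the operation
    reason: str


class FakeClock:
    """Deterministic stand-in for wall time so the run is reproducible offline."""
    def __init__(self) -> None:
        self.now_ms = 0

    def advance(self, ms: int) -> None:
        self.now_ms += ms


def scripted(responses: List[Tuple[int, int]]) -> Callable[[], Tuple[int, int]]:
    """Constructed server: each call yields the next (http_status, duration_ms) pair."""
    it = iter(responses)
    return lambda: next(it)


def execute(cfg: AdvancedConfig, send: Callable[[], Tuple[int, int]], clock: FakeClock) -> Outcome:
    """Run one S3 operation, retrying 5xx (and timed-out attempts) up to MaxErrorRetry times."""
    start = clock.now_ms
    attempts = 0
    while True:
        attempts += 1
        status, took = send()
        if cfg.request_timeout_ms and took > cfg.request_timeout_ms:
            # RequestTimeout cuts off this single attempt; example choice: retry it like a 5xx.
            clock.advance(cfg.request_timeout_ms)
            status = 0
        else:
            clock.advance(took)
        elapsed = clock.now_ms - start

        if 200 <= status < 300:
            return Outcome(status, attempts, elapsed, "ok")
        if 400 <= status < 500:
            # 4xx is not retried: re-sending a rejected request only repeats the rejection.
            return Outcome(status, attempts, elapsed, "client error, not retried")
        if attempts > cfg.max_error_retry:
            return Outcome(status, attempts, elapsed, "MaxErrorRetry exhausted")
        if cfg.client_execution_timeout_ms and elapsed >= cfg.client_execution_timeout_ms:
            # ClientExecutionTimeout caps the operation even when retries remain.
            return Outcome(status, attempts, elapsed, "ClientExecutionTimeout")


if __name__ == "__main__":
    cfg = AdvancedConfig(max_error_retry=3, request_timeout_ms=500, client_execution_timeout_ms=5000)
    # Constructed sequence: one slow attempt, one 503, then success.
    print(execute(cfg, scripted([(200, 2000), (503, 100), (200, 50)]), FakeClock()))
```

Leaving ClientExecutionTimeout at its disabled default means a burst of slow 5xx responses can hold a process thread for MaxErrorRetry times the RequestTimeout; the fake-clock run makes that total visible before it shows up in production.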
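The NonProxy Hosts rule in the table above (patterns separated by '|', an optional leading or trailing '*') is implemented in the following added Python example so a bypass list can be checked before it is deployed. It is not the plug-in's code; the matching is written from the table's description, the audit function is this example's own addition, and all pattern lists and host names are constructed.

```python
"""NonProxy Hosts pattern matching and audit (added example, not plug-in code)."""
from typing import List
from urllib.parse import urlsplit


def parse_non_proxy_hosts(spec: str) -> List[str]:
    """Split the '|'-separated field into lower-cased patterns, dropping empty entries."""
    return [p.strip().lower() for p in spec.split("|") if p.strip()]


def host_matches(host: str, pattern: str) -> bool:
    """Match one host against one pattern; '*' may lead, trail, or do both."""
    host = host.lower().rstrip(".")
    if pattern == "*":
        return True
    if pattern.startswith("*") and pattern.endswith("*"):
        return pattern[1:-1] in host
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    if pattern.endswith("*"):
        return host.startswith(pattern[:-1])
    return host == pattern


def bypasses_proxy(host: str, spec: str) -> bool:
    """True when the host is reached directly instead of through the proxy."""
    return any(host_matches(host, p) for p in parse_non_proxy_hosts(spec))


def route_for(url: str, spec: str, proxy_host: str, proxy_port: int) -> str:
    """Describe where a request for url goes under the given NonProxy Hosts setting."""
    host = urlsplit(url).hostname or ""
    return "direct" if bypasses_proxy(host, spec) else f"proxy {proxy_host}:{proxy_port}"


def audit_non_proxy_hosts(spec: str) -> List[str]:
    """Return wildcard patterns broad enough to remove the egress proxy (and its logging)
    from whole swathes of traffic: a bare '*', or a wildcard whose literal part has no dot."""
    risky = []
    for pattern in parse_non_proxy_hosts(spec):
        if pattern == "*":
            risky.append(pattern)
        elif "*" in pattern and "." not in pattern.strip("*"):
            risky.append(pattern)
    return risky


if __name__ == "__main__":
    # Constructed bypass list: loopback, a private zone, and one exact S3 endpoint.
    spec = "localhost|127.*|*.internal.example|s3.eu-west-1.amazonaws.com"
    for url in ("https://vault.internal.example/v1", "https://s3.us-east-1.amazonaws.com/b/k"):
        print(url, "->", route_for(url, spec, "proxy.internal.example", 3128))
    print("risky:", audit_non_proxy_hosts("*|*.internal.example|*com"))
```

The exact-host entry for one S3 regional endpoint is deliberately narrow: a wildcard such as *.amazonaws.com would also send every other AWS service past the proxy, which the audit flags only for the most extreme cases, so reviewing the full list by hand still matters.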