AWS Hosting connection can be made in two ways.
- By Creating an IAM User with the permissions mentioned in Citrix Article*
- By assigning a policy to Cloud connectors and make cloud connectors as the authentication bridge between Citrix Cloud and AWS environment.
1.By Creating an IAM User with Permissions
Create AWS Policy and attach to user
The Citrix Article CTX298292 mentioned about the minimum IAM permissions required to create a hosting connection. Unfortunately, this is not a comprehensive list. The MCS creation will fail if your images are encrypted as the article is not talking about the permissions required to encrypt, re-encrypt and decrypt the AMS KMS keys. Please add the below permissions as well to the list inorder to complete your IAM permission.
"kms:Decrypt", "kms:Encrypt", "kms:RevokeGrant", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey", "kms:CreateGrant", "kms:ListGrants"
Navigate to IAM–> Policies.
Click on “create policy” to create a new policy
In the create new policy page, click on JSON and copy the permissions mentioned in the Citrix Article+ the KMS ones provided in the article.
Once done, click on Next to add AWS Tags for your Policy. Click next to review and create the AWS policy.
Once the policy is created, click on the policy and go to policy usage, click on Attach to attach the user(service account) created for the Citrix hosting connection creation.
Create Hosting connection in Citrix
The next step is to create the hosting connection using the newly created service account. Navigate to Citrix Cloud–> Virtual apps and desktops–>Manage. Click on Hosting and click on “Add connection and resources”.
The new hosting connection wizard will appear, select the connection type as Amazon EC2. Give the API key and secret obtained while creating the AWS user account. Select the zone and click on Next, follow the wizard to add networks and VM location.
2. Using Cloud Connector Roles
Citrix has enabled role-based authentication when creating a host connection for MCS provisioning in AWS. An IAM role associated with a Cloud Connector on an EC2 instance can now be used in the place of a user’s secret key and API key, enabling increased security, delegated administrative rights, and PKI-based environments with temporary credentials and session tokens.
Create a new Role in AWS
Navigate to IAM–>Roles. Click on Create Role.
Select type of trusted entity as “AWS Service” –> EC2.
Click on next and select the permissions you created.
Refer “Create AWS Policy and attach to user” ,click Next.
Click on review and complete.
Assign the role to Cloud Connector servers
Navigate to EC2, Click on “Cloud connector” server. Click on actions–> instance settings –> “Attach/replace IAM Role”.
Create Hosting Connection in Citrix
Navigate to Citrix Cloud–> Virtual apps and desktops–>Manage. Click on Hosting and click on “Add connection and resources”. The new hosting connection wizard will appear, select the connection type as Amazon EC2. Provide “role_based_auth” for both the API Key and Secret Key fields.
Follow the wizard to provide the VM location and network.
Hope this blog is useful to you all. Will come back with a new blog soon.