AWS Hosting Connection on Citrix Cloud

AWS Hosting connection can be made in two ways.

  1. By creating an IAM user with the permissions mentioned in the Citrix article (CTX298292)
  2. By assigning a policy to the Cloud Connectors and making the Cloud Connectors the authentication bridge between Citrix Cloud and the AWS environment

1. By Creating an IAM User with Permissions

Create AWS Policy and attach to user

The Citrix article CTX298292 lists the minimum IAM permissions required to create a hosting connection. Unfortunately, this is not a comprehensive list. MCS catalog creation will fail if your images are encrypted, because the article does not cover the permissions required to encrypt, re-encrypt and decrypt with AWS KMS keys. Add the permissions below to the list as well in order to complete your IAM policy.

    "kms:Decrypt",
    "kms:Encrypt",
    "kms:RevokeGrant",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey",
    "kms:CreateGrant",
    "kms:ListGrants"

Navigate to IAM–> Policies.

Click on “create policy” to create a new policy

In the create policy page, click on JSON and paste the permissions mentioned in the Citrix article plus the KMS ones listed above.

Once done, click on Next to add AWS Tags for your Policy. Click next to review and create the AWS policy.

Once the policy is created, click on the policy, go to Policy usage and click on Attach to attach it to the user (service account) created for the Citrix hosting connection.
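Before pasting the policy JSON into the console, it is worth checking that none of the KMS actions above were dropped and that the KMS statement is scoped to specific key ARNs rather than "*". The following checker is an added example for this post, not Citrix or AWS code; the policy it tests is constructed, and the key ARN in it is a placeholder.

```python
import json

# KMS actions the post adds on top of the CTX298292 list; needed when the
# master image / EBS volumes are encrypted with a customer-managed key.
REQUIRED_KMS_ACTIONS = {
    "kms:Decrypt", "kms:Encrypt", "kms:RevokeGrant", "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
    "kms:CreateGrant", "kms:ListGrants",
}

def _as_list(value):
    # IAM accepts a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def check_kms_permissions(policy_json):
    """Return the required KMS actions the policy lacks, plus a flag telling
    whether any KMS statement uses Resource "*" instead of specific key ARNs."""
    policy = json.loads(policy_json)
    granted, wildcard = set(), False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a for a in _as_list(stmt.get("Action", []))
                   if a.lower().startswith("kms:")}
        if "kms:*" in actions:          # blanket grant covers everything
            actions |= REQUIRED_KMS_ACTIONS
        granted |= actions
        if actions and "*" in _as_list(stmt.get("Resource", [])):
            wildcard = True
    return {"missing": sorted(REQUIRED_KMS_ACTIONS - granted),
            "wildcard_kms_resource": wildcard}

# Constructed sample (placeholder key ARN): correctly scoped to one CMK, but the
# two grant-related actions were left out, which is enough to break MCS.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["kms:Decrypt", "kms:Encrypt", "kms:RevokeGrant",
                              "kms:GenerateDataKey", "kms:DescribeKey",
                              "kms:GenerateDataKeyWithoutPlaintext"],
                   "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}],
})
```

Running `check_kms_permissions(SAMPLE_POLICY)` reports `kms:CreateGrant` and `kms:ListGrants` as missing; a policy that grants `kms:*` on `*` passes the completeness check but is flagged for the wildcard resource.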

Create Hosting connection in Citrix

The next step is to create the hosting connection using the newly created service account. Navigate to Citrix Cloud–> Virtual apps and desktops–>Manage. Click on Hosting and click on “Add connection and resources”.

The new hosting connection wizard will appear; select the connection type as Amazon EC2. Enter the API key and secret key obtained while creating the AWS user. Select the zone and click on Next, then follow the wizard to add networks and the VM location.

2. Using Cloud Connector Roles

Citrix has enabled role-based authentication when creating a host connection for MCS provisioning in AWS. An IAM role associated with a Cloud Connector on an EC2 instance can now be used in the place of a user’s secret key and API key, enabling increased security, delegated administrative rights, and PKI-based environments with temporary credentials and session tokens.

Create a new Role in AWS

Navigate to IAM–>Roles. Click on Create Role.

Select type of trusted entity as “AWS Service” –> EC2.

Click on next and select the permissions you created.

Refer to “Create AWS Policy and attach to user”, then click Next.

Click on review and complete.

Assign the role to Cloud Connector servers

Navigate to EC2 and select the Cloud Connector server. Click on Actions –> Instance settings –> “Attach/replace IAM Role”, and attach the role created above.

Create Hosting Connection in Citrix

Navigate to Citrix Cloud–> Virtual apps and desktops–>Manage. Click on Hosting and click on “Add connection and resources”. The new hosting connection wizard will appear, select the connection type as Amazon EC2. Provide “role_based_auth” for both the API Key and Secret Key fields.

Follow the wizard to provide the VM location and network.

Hope this blog is useful to you all. Will come back with a new blog soon.
