Authentication

This page belongs to the Raynet One Data Hub 2026.2 documentation, Connector Parameters of the Amazon Elastic Compute Cloud (EC2) connector.

The AWS EC2 connector supports two authentication methods. Use the Authentication Method parameter to select the appropriate method for your environment. Only the parameters relevant to the selected method are required.

 

Authentication Method

This parameter specifies the method used to authenticate with AWS.

Technical Name: AuthenticationMethod
Category: Authentication
Type: Select
Default Value: Access Key & Secret Key
Example Values: Access Key & Secret Key, Web Identity Federation (OIDC)

 

Select Access Key & Secret Key to use static AWS credentials for authentication. Select Web Identity Federation (OIDC) to authenticate using temporary security tokens obtained from an external identity provider via the OpenID Connect (OIDC) protocol.

 

Access Key & Secret Key

The following parameters are required when Access Key & Secret Key is selected as the authentication method.

Access Key ID

This parameter contains the Access Key that is used for the connection to the Security Token Service (STS).

Technical Name: access_key_id
Category: Authentication
Type: String
Default Value: n/a
Example Values:

How to obtain the credentials is described in the official AWS documentation. It is recommended to generate credentials dedicated to this connector via the IAM Console. The connector uses these credentials for the first authentication to AWS. It then obtains (and automatically renews) session credentials for the duration of the execution.

 

List Accounts

This parameter defines the accounts in the OU from which the data will be fetched.

Technical Name: sub_account_assume_role_arn_chain
Category: Authentication
Type: String, null
Default Value: null
Example Values: null, arn:aws:iam::{accountId}:role/ROLE_NAME

When managing a large number of accounts, one can aggregate them in an Organizational Unit (OU). Instead of running the connector for every single account, the connector can fetch the list of accounts from the OU and aggregate the data automatically. When this parameter is set, the last role in the Assume Role Chain must have enough privileges for the ListAccount request. The initial credentials (Access Key ID, Secret Access Key, and Session Token) are reused for the first authentication, but for the cross-account access to the sub-accounts this chain is used instead. Use the placeholder {accountId} in the chain; it is replaced by the sub-account IDs at run-time. Leave the chain empty or null to fetch data only from the master account.

Session Token

This parameter contains the Session Token for the connection to the Security Token Service (STS).

Technical Name: session_token
Category: Authentication
Type: String, null
Default Value: null
Example Values: null

How to obtain the credentials is described in the official AWS documentation. It is recommended to generate credentials dedicated to this connector via the IAM Console. The connector uses these credentials for the first authentication to AWS. It then obtains (and automatically renews) session credentials for the duration of the execution.

 

Assume Role ARN Chain

Use the Security Token Service (STS) to assume the given roles one after another.

Technical Name: master_assume_role_arn_chain
Category: Authentication
Type: String
Default Value:
Example Values: arn:aws:iam::123456789012:role/ROLE_NAME

The initial credentials might not have the permissions required for the job. The connector can obtain them by assuming a role with the STS AssumeRole request. For more information on the AWS authentication process, read the official documentation. Using a list of roles chains the role assumptions together: the connector obtains session credentials for the first role with the initial credentials, then uses those session credentials to assume the second role, and so on. The session credentials of the last role are used for the actual API access. When aggregating data of an Organizational Unit, this chain is used only for the master account of the OU.

 

External ID

This parameter can be used to provide an external ID for cross-account access with the Security Token Service (STS).

Technical Name: assume_external_id
Category: Authentication
Type: String, null
Default Value: null
Example Values: null, 987654321098

The External ID is sent with every role assumption of the Assume Role ARN Chain. Read about the AWS authentication mechanism in the official documentation.

 

AWS Account List

This parameter contains the list of AWS accounts from which data will be fetched.

Technical Name: accounts
Category: Functional
Type: Array
Default Value: {empty}
Example Values: "123456789876", "987654321234"

If this parameter is set, SubAccountAssumeRoleArnChain must also be set and masterAccountAssumeRoleArnChain must be omitted. Omit this parameter if masterAccountAssumeRoleArnChain should be used instead.
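The role chaining described under Assume Role ARN Chain, List Accounts, External ID and AWS Account List, written out as an added example (this is not the connector's code). It assumes a boto3-style STS client is handed in through make_sts, and that the sub-account chain starts again from the initial credentials; FakeSts and all credential values are constructed so the example runs offline.

```python
from typing import Callable, Dict, List, Optional

Creds = Dict[str, str]   # AccessKeyId, SecretAccessKey, SessionToken as STS returns them


def assume_role_chain(initial: Creds, chain: List[str], external_id: Optional[str],
                      make_sts: Callable[[Creds], object],
                      session_name: str = "raynet-ec2-connector") -> Creds:
    """Assume the roles in order. Each hop's AssumeRole call is signed with the
    credentials returned by the previous hop; the last hop's credentials are returned.
    make_sts(creds) stands for boto3.client("sts", aws_access_key_id=..., ...)."""
    creds = initial
    for role_arn in chain:
        params = {"RoleArn": role_arn, "RoleSessionName": session_name}
        if external_id:                          # External ID is sent on every hop
            params["ExternalId"] = external_id
        creds = make_sts(creds).assume_role(**params)["Credentials"]
    return creds


def expand_sub_account_chain(template: List[str], account_id: str) -> List[str]:
    """Fill the {accountId} placeholder of the List Accounts chain for one sub-account."""
    return [arn.replace("{accountId}", account_id) for arn in template]


def credentials_per_account(initial: Creds, master_chain: List[str], sub_chain: List[str],
                            sub_account_ids: List[str], external_id: Optional[str],
                            make_sts: Callable[[Creds], object]) -> Dict[str, Creds]:
    """Master account uses the master chain; each sub-account uses the sub-account
    chain with its ID filled in, restarting from the initial credentials (assumption)."""
    out = {"master": assume_role_chain(initial, master_chain, external_id, make_sts)}
    for acct in sub_account_ids:
        out[acct] = assume_role_chain(initial, expand_sub_account_chain(sub_chain, acct),
                                      external_id, make_sts)
    return out


class FakeSts:
    """Constructed stand-in for the boto3 STS client so the chain runs offline. It
    records which credentials signed each hop and returns credentials naming the role."""
    calls: List[Dict[str, str]] = []

    def __init__(self, creds: Creds):
        self.signer = creds["AccessKeyId"]

    def assume_role(self, **params):
        FakeSts.calls.append({"signed_by": self.signer, **params})
        role = params["RoleArn"].rsplit("/", 1)[1]
        return {"Credentials": {"AccessKeyId": f"ASIA-{role}",
                                "SecretAccessKey": "constructed", "SessionToken": "constructed"}}
```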

 

Web Identity Federation (OIDC)

The following parameters are required when Web Identity Federation (OIDC) is selected as the authentication method. This method uses the OIDC protocol to obtain temporary AWS security credentials from an external identity provider, eliminating the need for long-lived static AWS access keys.

Client ID

This parameter contains the OIDC client ID registered with the identity provider.

Technical Name: ClientId
Category: Authentication
Type: String
Default Value: null
Example Values:

The client ID is defined when registering an application with the identity provider. It uniquely identifies the connector application and is required to request an OIDC token.

 

Client Secret

This parameter contains the OIDC client secret associated with the client ID registered with the identity provider.

Technical Name: ClientSecret
Category: Authentication
Type: String (sensitive)
Default Value: null
Example Values:

The client secret is a confidential credential that authenticates the connector with the identity provider. This value is stored encrypted. Obtain the client secret from the identity provider application registration.

 

AWS Role ARN

This parameter contains the Amazon Resource Name (ARN) of the AWS IAM role that the connector will assume using the web identity token obtained from the identity provider.

Technical Name: RoleArn
Category: Authentication
Type: String
Default Value: null
Example Values: arn:aws:iam::123456789012:role/ROLE_NAME

The IAM role must be configured to trust the identity provider and must have the necessary permissions to access the EC2 API. The connector uses the AssumeRoleWithWebIdentity API to exchange the OIDC token for temporary AWS credentials scoped to this role.

 

Session Duration (seconds)

This parameter defines the duration, in seconds, for which the assumed role session remains valid.

Technical Name: SessionDuration
Category: Authentication
Type: Integer
Default Value: 3600
Example Values: 900, 3600, 43200

The minimum allowed value is 900 seconds (15 minutes) and the maximum is 43200 seconds (12 hours). The default value of 3600 seconds (1 hour) is suitable for most collection tasks. Set a longer duration for large environments where data collection may exceed one hour. The IAM role's maximum session duration setting must not be less than the configured value.

 

Identity Provider Token Endpoint URL

This parameter contains the OIDC token endpoint URL of the identity provider from which the connector retrieves the web identity token.

Technical Name: IdpUrl
Category: Authentication
Type: String
Default Value: null
Example Values: https://idp.example.com/oauth2/token

The token endpoint URL is specific to the identity provider configuration. The connector sends a client credentials request to this endpoint to obtain an OIDC access token, which is then exchanged for temporary AWS credentials via the AWS Security Token Service (STS). The URL is typically found in the identity provider's application or API settings.
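The two-step exchange described for Web Identity Federation (client credentials request to the token endpoint, then AssumeRoleWithWebIdentity with the Session Duration limits applied), as an added example that is not the connector's code. It assumes a requests-style post function and a boto3-style STS client are injected; fake_idp_post, FakeWebIdentitySts and every credential, client and token value are constructed so the flow runs offline.

```python
from typing import Callable, Dict

MIN_SESSION, MAX_SESSION = 900, 43200     # SessionDuration limits stated on this page


def validate_session_duration(seconds: int) -> int:
    """Reject values STS would refuse anyway, before any network round trip."""
    if not MIN_SESSION <= seconds <= MAX_SESSION:
        raise ValueError(f"SessionDuration must be {MIN_SESSION}..{MAX_SESSION}, got {seconds}")
    return seconds


def fetch_oidc_token(post: Callable[..., Dict], idp_url: str, client_id: str,
                     client_secret: str) -> str:
    """Client credentials grant against the IdP token endpoint. The secret travels in
    HTTP Basic auth, not in the URL. post() has the shape of
    requests.post(url, data=..., auth=...).json()."""
    resp = post(idp_url, data={"grant_type": "client_credentials"}, auth=(client_id, client_secret))
    if "access_token" not in resp:
        raise RuntimeError(f"token endpoint error: {resp.get('error', 'no access_token')}")
    return resp["access_token"]


def web_identity_credentials(sts, post, idp_url: str, client_id: str, client_secret: str,
                             role_arn: str, duration: int) -> Dict:
    """Whole flow: OIDC token from the IdP, exchanged at STS for role-scoped credentials."""
    token = fetch_oidc_token(post, idp_url, client_id, client_secret)
    resp = sts.assume_role_with_web_identity(       # boto3 STS method and parameter names
        RoleArn=role_arn, RoleSessionName="raynet-ec2-connector",
        WebIdentityToken=token, DurationSeconds=validate_session_duration(duration))
    return resp["Credentials"]


# Constructed stand-ins so the exchange runs offline.
def fake_idp_post(url, data, auth):
    """Token endpoint: issues a token only for the registered client id/secret pair."""
    if data.get("grant_type") != "client_credentials" or auth != ("client-abc", "secret-xyz"):
        return {"error": "invalid_client"}
    return {"access_token": "eyJ.constructed.token", "token_type": "Bearer", "expires_in": 3600}


class FakeWebIdentitySts:
    """STS stand-in that rejects sessions longer than the role's MaxSessionDuration."""
    def __init__(self, role_max_session: int):
        self.role_max_session = role_max_session

    def assume_role_with_web_identity(self, **kw):
        if kw["DurationSeconds"] > self.role_max_session:
            raise ValueError("DurationSeconds exceeds the role's MaxSessionDuration")
        return {"Credentials": {"AccessKeyId": "ASIA-WEBID", "SecretAccessKey": "constructed",
                                "SessionToken": "constructed", "Expiration": "constructed"}}
```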