Did you know you can improve your security posture by using IAM roles in AWS, removing the need for root-account use on your Delivery Controller?

Introducing role-based authentication!

Now you can set up a host connection using an IAM role in AWS for a seamless power and image management experience.

With the release of Citrix Virtual Apps and Desktops 7 1811, we now have the option for role-based authentication when creating a host connection for MCS provisioning in AWS. An IAM role associated with a Delivery Controller or Cloud Connector on an EC2 instance can now be used in the place of a user’s secret key and API key, enabling increased security, delegated administrative rights, and PKI-based environments with temporary credentials and session tokens.

How Does It Work?

IAM roles don’t have permanent credentials like IAM users. Instead, they have dynamic credentials that are stored in the metadata of an instance. The application software (e.g. CVAD Delivery Controller) installed on the EC2 instance uses the permissions provided by the IAM role by searching the credentials provider chain for viable credentials.

For the .NET SDK, the app.config file is the first location in the chain. If explicit credentials are not found here (which they should not be, per security best practice), the AWS service client object will retrieve temporary credentials that have the same permissions as those associated with the IAM role, from the metadata of the instance.

These temporary credentials will expire every hour. But instead of having to script an API call each hour to retrieve new credentials, the SDK seamlessly refreshes the credentials so you get enhanced security without affecting app performance or user experience.

Role-based authentication can be used for many different use-cases, including government/secure environments, PKI-based environments, environments behind a bastion host, and for new or non-traditional AWS endpoint regions.

Configuring a Host Connection

Configuring a host connection on a Delivery Controller or Cloud Connector using role-based authentication is easy.

To configure a host connection using role-based authentication, first create an IAM role with the permissions described in CTX140429. Associate this role with an EC2 instance with CVAD 7 1811+ installed. When creating the host connection in the Studio GUI, choose “Amazon EC2” for the Connection Type, and enter “role_based_auth” for both the API Key and Secret Key fields, as shown below.

If creating the host connection via PoSh, ensure that both the Username and SecurePassword fields are “role_based_auth”, as in the example below.

New-Item -ConnectionType "AWS" -CustomProperties "" -HypervisorAddress @("https://ec2.amazonaws.com") -Path @("XDHyp:\Connections\test1") -Scope @() -UserName "role_based_auth" -SecurePassword $password -ZoneUid $zoneId -Metadata @{"Citrix_MachineManagement_Options" = $options} -Persist

After creating the host connection, create a machine catalog as described here using an AMI created from the master VDA image in AWS.

Once you do that, you’re all set. Your host connection won’t need to be updated again!

IAM authentication to your AWS environment using temporary credentials foregoes the need for admins to have root AWS access and gives your Delivery Controller just the right amount of permissions to the underlying host. It also enhances the security posture of your environment by periodically updating credentials that are stored in the metadata of an instance.

Using IAM auth in concert with role-based auth will ensure that your host connection is secure and that the re-authentication is seamless!

For more information on host connection creation and considerations, see our CVAD connections and resources page.


Citrix Tech Bytes – Created by Citrix Experts, made for Citrix Technologists! Learn from passionate Citrix Experts and gain technical insights into the latest Citrix Technologies.

Click here for more Tech Bytes and subscribe.

Want specific Tech Bytes? Let us know! tech-content-feedback@citrix.com.