Did you know you can improve your security posture by using IAM roles in AWS, removing the need for root-account use on your Delivery Controller?

Introducing role-based authentication!

Now you can set up a host connection using an IAM role in AWS for a seamless power and image management experience.

With the release of Citrix Virtual Apps and Desktops 7 1811, we now have the option for role-based authentication when creating a host connection for MCS provisioning in AWS. An IAM role associated with a Delivery Controller or Cloud Connector on an EC2 instance can now be used in the place of a user’s secret key and API key, enabling increased security, delegated administrative rights, and PKI-based environments with temporary credentials and session tokens.

How Does It Work?

IAM roles don’t have permanent credentials like IAM users. Instead, they have dynamic credentials that are stored in the metadata of an instance. The application software (e.g. CVAD Delivery Controller) installed on the EC2 instance uses the permissions provided by the IAM role by searching the credentials provider chain for viable credentials.

For the .NET SDK, the app.config file is the first location in the chain. If explicit credentials are not found here (which they should not be, per security best practice), the AWS service client object will retrieve temporary credentials that have the same permissions as those associated with the IAM role, from the metadata of the instance.

These temporary credentials will expire every hour. But instead of having to script an API call each hour to retrieve new credentials, the SDK seamlessly refreshes the credentials so you get enhanced security without affecting app performance or user experience.

Role-based authentication can be used for many different use-cases, including government/secure environments, PKI-based environments, environments behind a bastion host, and for new or non-traditional AWS endpoint regions.

Configuring a Host Connection

Configuring a host connection on a Delivery Controller or Cloud Connector using role-based authentication is easy.

To configure a host connection using role-based authentication, first create an IAM role with the permissions described in CTX140429. **Note: For CVAD 2003, the IAM permission “ec2:describetags” is needed in addition to the list in the KC article. Associate this role with an EC2 instance with CVAD 7 1811+ installed or a Cloud Connector.

When creating the host connection in the Studio GUI, choose “Amazon EC2” for the Connection Type, and enter “role_based_auth” for both the API Key and Secret Key fields, as shown below.

If creating the host connection via PoSh, ensure that both the Username and SecurePassword fields are “role_based_auth”, as in the example below.

New-Item -ConnectionType "AWS" -CustomProperties "" -HypervisorAddress @("https://ec2.amazonaws.com") -Path @("XDHyp:\Connections\test1") -Scope @() -UserName "role_based_auth" -SecurePassword $password -ZoneUid $zoneId -Metadata @{"Citrix_MachineManagement_Options" = $options} -Persist

After creating the host connection, create a machine catalog as described here using an AMI created from the master VDA image in AWS.

Once you do that, you’re all set. Your host connection won’t need to be updated again!

IAM authentication to your AWS environment using temporary credentials foregoes the need for admins to have root AWS access and gives your Delivery Controller just the right amount of permissions to the underlying host. It also enhances the security posture of your environment by periodically updating credentials that are stored in the metadata of an instance.

Using IAM auth in concert with role-based auth will ensure that your host connection is secure and that the re-authentication is seamless!

For more information on host connection creation and considerations, see our CVAD connections and resources page.

Citrix Tech Bytes – Created by Citrix Experts, made for Citrix Technologists! Learn from passionate Citrix Experts and gain technical insights into the latest Citrix Technologies.

Click here for more Tech Bytes and subscribe.

Want specific Tech Bytes? Let us know! tech-content-feedback@citrix.com.

Topics

Products

You might be interested in

Introducing the new StoreFront UI!

Stay Informed.
Subscribe Today.

Enhanced Security for Linux Thin Clients with Citrix Enterprise Browser and ZTNA

Citrix platform offers robust protection against APTs

Introducing the new StoreFront UI!

Enhanced Security for Linux Thin Clients with Citrix Enterprise Browser and ZTNA

Citrix platform offers robust protection against APTs

Feature matrix comparison among Linux VDA LTSR releases

What’s new with HDX in the 2402 LTSR

Now Available: Citrix Virtual Apps and Desktops 2402 Long Term Service Release

Unlocking New Possibilities with Intel GPUs in Citrix Environments

Citrix Autoscale: Unlock better user experiences, maximize resource utilization, and achieve better cost management

Reduce MTTR with latest features from Citrix Director

Cybersecurity for financial services

Introducing the new StoreFront UI!

New Era of Enterprise Productivity with Notate for Citrix Customers

Enhanced Security for Linux Thin Clients with Citrix Enterprise Browser and ZTNA

Citrix platform offers robust protection against APTs

uberAgent 7.2: Optimize Data, Elevate Security!

Now’s the time to migrate from VMware Horizon to Citrix: Here’s why

Citrix Connect Kicks Off in New York City!

Announcing the Incoming 2024 Citrix Technology Professional (CTP) Class

What’s new with Citrix: Join our April webinar for licensing and LTSR updates

Connect your Mac desktops with HDX & DaaS! Citrix VDA for macOS is Public Tech Preview!

Topics

Products

Role-based authentication for Citrix Virtual Apps and Desktops in AWS

Did you know you can improve your security posture by using IAM roles in AWS, removing the need for root-account use on your Delivery Controller?

Share

Tagged under:

You might be interested in

Stay Informed. Subscribe Today.

Stay Informed.
Subscribe Today.