Targets Overview

In Enterprise Service Hub (ESH), "Targets" are the destinations where infrastructure is deployed. As of today, ESH supports four primary target types: AWS Accounts, GCP Projects, Azure Subscriptions, and GitHub instances. Each target type is secured with its own kind of credentials. The credential options for each target type are described below.

Credentials

Credentials play a pivotal role in ESH as they enable the ESH engine to securely access the designated target destinations.

Target and Credential Types

  • AWS

    ESH offers multiple methods for authenticating against AWS accounts:

    • Custom Role: For organizations with stricter security requirements, ESH allows you to pass a custom role. This lets you use roles tailored specifically to the types of Templates being deployed. The ESH executor needs to be able to assume the role. Each ESH Organization has its own executor role, so it is not possible for another ESH organization to assume your custom role. To obtain the ARN of your executor role so that you can add it to your custom role's trust policy, start creating an AWS target and select the Custom Role credentials type; the UI will display your executor role ARN.

    AWS Custom Role

    • Default IAM Role: ESH can share a Service Catalog product with an AWS account in your organization, enabling the creation of a default role in any of your AWS accounts. This role possesses administrator privileges and can create any resource defined in a Template.

    AWS Default Role

    • IAM User Credentials (not recommended other than for quick tests): Users can enter their access key and secret for an IAM user with access to the AWS account.

    AWS IAM Credentials

  • Azure

    ESH authenticates to Azure Subscriptions using a service principal. You enter the tenant ID, client ID and client secret.

    Azure

  • GCP

    Authentication to GCP Projects in ESH is also achieved through a service account and a GCP credentials file that you load into the target.

    GCP

  • GitHub

    ESH uses Personal Access Tokens for authentication with GitHub. Create a token and enter the details when configuring the GitHub Target.

    Target GitHub

  • vSphere

    With the vSphere Target type you can manage on-premises infrastructure via VMware.

    Target vSphere

  • Kubernetes

    ESH supports AWS EKS, GCP GKE, Azure AKS and other Kubernetes providers. By default, ESH creates a Kubernetes Terraform provider and a Helm provider that your ESH Templates can take advantage of. This means you can deploy Helm charts to your clusters and also manage them using Kubernetes providers.

    Authentication depends on the cluster type.

    EKS

    Kubernetes EKS

    GCP GKE

    Kubernetes GCP GKE

    Azure AKS and Others

    Kubernetes Azure AKS
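
For the AWS Custom Role option above, the custom role's trust policy should let the ESH executor role assume it and nothing else. The following is an added example, not ESH code: a small audit of a trust policy document, where the executor ARN is a placeholder to be replaced with the value shown in the ESH UI, and the function name and sample policies are constructed for illustration.

```python
"""Audit a custom role's trust policy: only the ESH executor role may assume it."""

# Placeholder ARN (assumption): copy the real executor role ARN from the ESH UI.
EXECUTOR_ARN = "arn:aws:iam::111122223333:role/EXAMPLE-esh-executor"


def _as_list(value):
    """IAM JSON accepts a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, executor_arn=EXECUTOR_ARN):
    """Return a list of findings; an empty list means the policy passes."""
    findings, trusted = [], False
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            # Covers "Principal": "*", a NotPrincipal statement, or a malformed value.
            findings.append(f"statement {i}: missing, wildcard or malformed Principal")
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind == "AWS" and value == executor_arn:
                    trusted = trusted or "sts:assumerole" in actions
                else:
                    findings.append(f"statement {i}: unexpected {kind} principal {value}")
    if not trusted:
        findings.append("executor role is not trusted; ESH cannot assume this role")
    return findings


# Constructed sample policies (not taken from ESH); account IDs are dummy values.
GOOD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": EXECUTOR_ARN}}]}
TOO_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": [EXECUTOR_ARN, "arn:aws:iam::444455556666:root"]}}]}
WILDCARD = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": "*"}}

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("TOO_BROAD", TOO_BROAD), ("WILDCARD", WILDCARD)):
        print(name, audit_trust_policy(doc) or "ok")
```

To audit a role that already exists, pass in the trust policy JSON exported from IAM for that role.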

Advanced Credentials

ESH offers advanced capabilities that allow the same Target destination (e.g., an AWS account or GCP Project) to be specified in multiple Targets. Having multiple Targets that point to the same destination but use different credentials, combined with ESH RBAC assignments, allows fine-grained control over which Templates are deployed using specific credentials. While this level of control may come with administrative overhead, it is available for organizations with the most stringent security needs.

Target Groups

To streamline management, Targets are organized into Resource Groups. This allows sets of Targets to be treated as a single entity within the Role-Based Access Control (RBAC) system. Resource Groups simplify the management of multiple Target variations and define which user groups have access to them.

By offering diverse credential options and efficient organization through Target Groups, ESH empowers users to securely deploy infrastructure from Certified Templates, enhancing operational efficiency and user experience.