Targets Overview
In Enterprise Service Hub (ESH), "Targets" serve as the destinations where infrastructure is deployed. As of today, ESH supports four primary target types: AWS Accounts, GCP Projects, Azure Subscriptions, and Github instances. Each target type is secured with specific credentials. Let's delve into the credential options for each Target Type:
Credentials
Credentials play a pivotal role in ESH as they enable the ESH engine to securely access the designated target destinations.
Target and Credential Types
AWS
ESH offers multiple methods for authenticating against AWS accounts:
- Custom Role: For organizations with stricter security requirements, ESH allows you to pass a custom role. This lets you define roles tailored to the types of Templates being deployed. The ESH executor needs to be able to assume the role. Each ESH Organization has its own executor role, so no other ESH organization can assume your custom role. To obtain the ARN of your executor role for your custom role's trust policy, start creating an AWS target and select the Custom Role credentials type; the UI will display your executor role ARN.
- Default IAM Role: ESH can share a Service Catalog product with an AWS account in your organization, enabling the creation of a default role in any of your AWS accounts. This role possesses administrator privileges and can create any resource defined in a Template.
- IAM User Credentials (not recommended other than for quick tests): Users can enter their access key and secret for an IAM user with access to the AWS account.
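Because the custom role is only as safe as its trust policy, it is worth checking that the policy names the ESH executor role and nothing broader. The following is an added example, not ESH code: it builds a trust policy for a constructed placeholder executor ARN (the real ARN is the one the ESH UI displays) and flags statements that would let a wildcard, an account root, or an unexpected principal assume the role.

```python
"""Build and review the trust policy of an ESH custom role.

Added example, not part of ESH. The executor role ARN below is a
constructed placeholder; substitute the ARN shown in the ESH UI when
creating an AWS target with the Custom Role credentials type.
"""
import json

# Constructed placeholder account id and role name.
EXECUTOR_ROLE_ARN = "arn:aws:iam::111111111111:role/PLACEHOLDER-esh-executor"


def build_trust_policy(executor_role_arn):
    """Trust policy allowing only the given executor role to assume the custom role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": executor_role_arn},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def trust_policy_findings(policy, allowed_principals):
    """Return a list of problems found in an AssumeRole trust policy.

    A finding is any Allow statement for sts:AssumeRole whose principal is
    '*', an account root (which would admit every principal in that account),
    a non-IAM principal type, or an IAM principal outside allowed_principals.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append(f"statement {i}: principal is '*'")
            continue
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: malformed principal {principal!r}")
            continue
        for kind in principal:
            if kind != "AWS":
                findings.append(f"statement {i}: non-IAM principal type {kind}")
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        for p in aws:
            if p == "*" or p.endswith(":root"):
                findings.append(f"statement {i}: over-broad principal {p}")
            elif p not in allowed_principals:
                findings.append(f"statement {i}: unexpected principal {p}")
    return findings


if __name__ == "__main__":
    good = build_trust_policy(EXECUTOR_ROLE_ARN)
    print(json.dumps(good, indent=2))
    print("findings:", trust_policy_findings(good, {EXECUTOR_ROLE_ARN}))

    # Constructed over-permissive policy for comparison: any AWS principal may assume the role.
    bad = json.loads(json.dumps(good))
    bad["Statement"][0]["Principal"] = {"AWS": "*"}
    print("findings:", trust_policy_findings(bad, {EXECUTOR_ROLE_ARN}))
```

The permission policy attached to the custom role is a separate document and should grant only what the Templates deployed through that Target actually create; the check above covers the trust side only.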
Azure
ESH authenticates to Azure Subscriptions using a service principal. You simply enter the tenant ID, client ID and client secret.
GCP
Authentication to GCP Projects in ESH is also achieved through a service account and a GCP credentials file that you load into the target.
Github
ESH leverages Personal Access Tokens for authentication with Github. Simply create a token and enter the details when configuring the Github Target.
vSphere
With the vSphere Target type you can manage on-premises infrastructure through VMware vSphere.
Kubernetes
ESH supports AWS EKS, GCP GKE, Azure AKS and other Kubernetes providers. By default ESH creates a Kubernetes Terraform provider and a Helm provider that your ESH Templates can take advantage of. This means you can deploy Helm charts to your clusters and also manage them using Kubernetes providers.
Authentication depends on the cluster type.
EKS
GCP GKE
Azure AKS and Others
Advanced Credentials
ESH offers advanced capabilities that allow the specification of the same Target destination (e.g., an AWS account or GCP Project) in multiple Targets. Having multiple Targets pointing to the same destination but with different credentials, combined with ESH RBAC assignments allows fine-grained control over which Templates are deployed using specific credentials. While this level of control may come with administrative overhead, it is available for organizations with the most stringent security needs.
Target Groups
To streamline management, Targets are organized into Resource Groups. This allows sets of Targets to be treated as a single entity within the Role-Based Access Control (RBAC) system. Resource Groups simplify the management of multiple Target variations and define which user groups have access to them.
By offering diverse credential options and efficient organization through Target Groups, ESH empowers users to securely deploy infrastructure from Certified Templates, enhancing operational efficiency and user experience.