Active Directory setup - AWS Toolkit for .NET Refactoring

Active Directory setup

The application that you use for the test deployment can use Microsoft Active Directory authentication against its dependencies, such as a Microsoft SQL Server database that is joined into an Active Directory domain.

Note that this allows authentication of the application in the test deployment. It does not provide single sign-on for the incoming on-premises user connections with Windows Authentication tokens in HTTP headers.

For more information, see Join an Amazon EC2 instance to your AWS Managed Microsoft AD directory in the AWS Directory Service Administration Guide.

Create a directory

Create a directory in the AWS Directory Service using the same VPC that you will use for test deployment. If you use Active Directory, you must use the Select an Amazon VPC option when you create the test deployment. For more information, see Create your AWS Managed Microsoft AD in the AWS Directory Service Administration Guide.

Verify that the directory meets the following requirements:

  • The inbound rules of the security group used by your directory must allow incoming connections from the same VPC. For more information, see Understand your directory’s AWS security group configuration in the AWS Directory Service Administration Guide.

  • The VPC must have a DHCP options set that lists both of the IP addresses of the directory as DNS servers. For more information, see Create a DHCP options set in the AWS Directory Service Administration Guide.

Create a user

Create a user in the directory. Remember the sign-in credentials.

Create a secret

Create a secret to pass the username and password to your application. Create the secret with the user credentials in the AWS Secrets Manager before you run the test deployment on AWS. The user credentials must contain the following fields:

  • Username – Note that the domain in the Username value must be uppercase: <user>@<AD_DOMAIN>

  • Password

You can also use the AWS Secrets Manager in the AWS Management Console to create the secret. Create a secret and add values in the following way:

Key: Username, value: <user>@<AD_DOMAIN>
Key: Password, value: <password>

You can use the JSON format option in the secret as:

{ "Username": "<user@AD_DOMAIN>", "Password": "<password>" }

You can also use the AWS CLI to create the secret. For more information, see create-secret in the AWS CLI Command Reference.

If you use AWS CLI, use the --secret-string parameter as follows:

--secret-string '{"Username":"<user@AD_DOMAIN.COM>","Password":"<password>"}'

The single quotes that enclose the JSON value allow you to pass the double quotes unchanged.
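The following is an added example (not code from the AWS documentation or the toolkit) showing how to build the secret value from separate user, domain and password inputs, enforce the uppercase-domain rule before the secret is created, and produce the single-quoted --secret-string argument described above. The user, domain and password values are constructed placeholders, and the boto3 call in create_secret is an assumed use of the Secrets Manager API that needs real AWS credentials.

```python
import json
import re
import shlex

# Constructed placeholder values for illustration (not from the page).
EXAMPLE_USER = "svc-refactor"
EXAMPLE_DOMAIN = "CORP.EXAMPLE.COM"
EXAMPLE_PASSWORD = 'p@ss"word'  # contains a double quote on purpose

# The page requires the domain part of Username to be uppercase.
_DOMAIN_RE = re.compile(r"^[A-Z0-9][A-Z0-9.-]*$")


def is_uppercase_domain(domain: str) -> bool:
    return bool(_DOMAIN_RE.match(domain))


def build_secret_string(user: str, domain: str, password: str) -> str:
    """Return the compact JSON that goes into --secret-string."""
    if "@" in user:
        raise ValueError("user must not contain '@'; pass the domain separately")
    if not is_uppercase_domain(domain):
        raise ValueError(f"domain must be uppercase (got {domain!r})")
    if not password:
        raise ValueError("password must not be empty")
    payload = {"Username": f"{user}@{domain}", "Password": password}
    # separators=... gives the compact form shown in the AWS CLI step.
    return json.dumps(payload, separators=(",", ":"))


def cli_secret_string_argument(secret_string: str) -> str:
    """Quote the JSON for a POSIX shell: the single quotes around the value
    keep the inner double quotes intact, as the page notes."""
    return "--secret-string " + shlex.quote(secret_string)


def parse_secret_string(secret_string: str) -> dict:
    """Read side: checks the application should make before using the secret."""
    data = json.loads(secret_string)
    missing = {"Username", "Password"} - data.keys()
    if missing:
        raise ValueError(f"secret is missing fields: {sorted(missing)}")
    user, sep, domain = data["Username"].partition("@")
    if not sep or not is_uppercase_domain(domain):
        raise ValueError("Username must be <user>@<UPPERCASE_DOMAIN>")
    return {"user": user, "domain": domain, "password": data["Password"]}


def create_secret(name: str, secret_string: str) -> str:
    """Create the secret with boto3 and return its ARN (assumed API use;
    needs AWS credentials, so it is not exercised offline)."""
    import boto3  # imported lazily so the rest of the module runs without it

    client = boto3.client("secretsmanager")
    response = client.create_secret(Name=name, SecretString=secret_string)
    return response["ARN"]


if __name__ == "__main__":
    s = build_secret_string(EXAMPLE_USER, EXAMPLE_DOMAIN, EXAMPLE_PASSWORD)
    print("aws secretsmanager create-secret --name ad-credentials",
          cli_secret_string_argument(s))
    print(parse_secret_string(s))
```

parse_secret_string mirrors the check the application should run after GetSecretValue: a secret that was saved with a lowercase domain, or without one of the two fields, is rejected before it reaches the SQL Server connection.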

Remember the ARN of the secret for later use.

Allow the task role to read the secret

In the AWS Secrets Manager in the AWS Management Console, open the secret that you created and select the Resource permissions tab in the information page of the secret.

Add the policy below to the secret. The policy contains the following variables:

  • task_role_ARN – The ARN of the Amazon ECS task role that you created with the CloudFormation template.

  • secret_ARN – The ARN of the secret that you just created.

The policy that you add to the secret:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EcsTask",
      "Effect": "Allow",
      "Principal": { "AWS": "<task_role_ARN>" },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "<secret_ARN>"
    }
  ]
}
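As an added example (not code from the AWS documentation or the toolkit), the block below fills the two variables into the policy above, validates that they look like an IAM role ARN and a Secrets Manager secret ARN, and checks the finished policy still grants only GetSecretValue on this one secret to this one task role. The ARNs are constructed placeholders, and attach_resource_policy is an assumed use of the boto3 Secrets Manager API that needs real AWS credentials.

```python
import json
import re

# Constructed placeholder ARNs for illustration (not from the page).
EXAMPLE_TASK_ROLE_ARN = "arn:aws:iam::123456789012:role/constructed-ecs-task-role"
EXAMPLE_SECRET_ARN = (
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:constructed-ad-credentials-AbCdEf"
)

_ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)*:iam::\d{12}:role/.+$")
_SECRET_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)*:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+$")


def build_resource_policy(task_role_arn: str, secret_arn: str) -> dict:
    """Return the page's resource policy with both ARNs filled in."""
    if not _ROLE_ARN_RE.match(task_role_arn):
        raise ValueError(f"not an IAM role ARN: {task_role_arn!r}")
    if not _SECRET_ARN_RE.match(secret_arn):
        raise ValueError(f"not a Secrets Manager secret ARN: {secret_arn!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EcsTask",
                "Effect": "Allow",
                "Principal": {"AWS": task_role_arn},
                "Action": "secretsmanager:GetSecretValue",
                "Resource": secret_arn,
            }
        ],
    }


def check_policy_is_least_privilege(policy: dict, expected_role_arn: str,
                                    expected_secret_arn: str) -> list:
    """Return a list of problems; an empty list means every Allow statement
    grants only GetSecretValue on this secret to the expected task role."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            problems.append(f"{sid}: principal is '*'")
        elif not isinstance(principal, dict) or principal.get("AWS") != expected_role_arn:
            problems.append(f"{sid}: principal is not the task role")
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if action != "secretsmanager:GetSecretValue":
                problems.append(f"{sid}: unexpected action {action}")
        if stmt.get("Resource") != expected_secret_arn:
            problems.append(f"{sid}: resource is not restricted to this secret")
    return problems


def attach_resource_policy(secret_arn: str, policy: dict) -> None:
    """Attach the policy with boto3 (assumed API use; needs AWS credentials)."""
    import boto3  # imported lazily so the rest of the module runs without it

    client = boto3.client("secretsmanager")
    client.put_resource_policy(SecretId=secret_arn, ResourcePolicy=json.dumps(policy))


if __name__ == "__main__":
    policy = build_resource_policy(EXAMPLE_TASK_ROLE_ARN, EXAMPLE_SECRET_ARN)
    print(json.dumps(policy, indent=2))
    print("problems:", check_policy_is_least_privilege(
        policy, EXAMPLE_TASK_ROLE_ARN, EXAMPLE_SECRET_ARN))
```

The resource policy covers only the Secrets Manager call. If the secret is encrypted with a customer managed KMS key rather than the AWS managed key for Secrets Manager, the task role also needs kms:Decrypt on that key, or GetSecretValue from the task will fail even though this policy allows it.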