
AWS_NonAWSClouddeployment_mainAccount_Template (AWS) Connection not masking credentials

Alex_Terry
Regular Contributor

Hello, we're using the connection type 'AWS_NonAWSClouddeployment_mainAccount_Template (AWS)' to onboard our AWS instance to Saviynt but notice that the following fields don't mask the values that we populate:

  • AWS_ACCESS_KEY
  • AWS_ACCESS_SECRET_PASSWORD

How can we mask these values? 


rushikeshvartak
All-Star

Add attribute under Connection Type list --> AWS -->Encrypted Connection Attributes


You need to use enhanced query

 


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hi @rushikeshvartak 

We see this field under the connection type; however, we can't edit the values that are there. Additionally, one of the values that we expect to be encrypted isn't in the connection.

Use enhanced query to update values or raise support ticket for same.

select EXTERNALCONNECTIONTYPEKEY externalconnectiontype__EXTERNALCONNECTIONTYPEKEY ,concat(ENCRYPTEDATTRIBUTES,',AWS_ACCESS_KEY,AWS_ACCESS_SECRET_PASSWORD') as externalconnectiontype__ENCRYPTEDATTRIBUTES
from externalconnectiontype where EXTERNALCONNECTIONTYPEKEY=13

 

 

 


 

This is a workaround; with an upgrade this may get removed. Hence, please raise a defect to have the product mask this field by default.

 

 


Regards,
Rushikesh Vartak

Alex_Terry
Regular Contributor

@rushikeshvartak are you able to provide an update on this as it's a blocker to onboarding AWS?

Hi @Alex_Terry 

Could you please share the screenshot from this path if the above mentioned attributes are there.

Connection Type list --> AWS -->Encrypted Connection Attributes

If the attributes are not there, then please add those attributes using enhanced query as mentioned by @rushikeshvartak 

Let me know if it still doesn't work as expected.

Regards,

Dhruv Sharma

Alex_Terry
Regular Contributor

Hi @Dhruv_S @rushikeshvartak

I've attempted to use the Enhanced Query Execution job with the above posted query but get an error saying "Restricted Column. Cannot insert/update data in column E". Do you know of a way to overcome this error?

Additionally, one of the attributes is already populated (AWS_ACCESS_SECRET_PASSWORD); however, it still isn't being masked, which suggests that the masking isn't working, at least with this template.

select EXTERNALCONNECTIONTYPEKEY externalconnectiontype__primarykey ,concat(ENCRYPTEDATTRIBUTES,',AWS_ACCESS_KEY,AWS_ACCESS_SECRET_PASSWORD') as externalconnectiontype__ENCRYPTEDATTRIBUTES
from externalconnectiontype where EXTERNALCONNECTIONTYPEKEY=13


Regards,
Rushikesh Vartak

ARCrosthwaite
New Contributor

Hi @rushikeshvartak 

I've been working on some of Alex's issues while on leave. We've tried implementing the query you suggested, but it appears that "AWS_ACCESS_KEY" & "AWS_ACCESS_SECRET_PASSWORD" are not in the comma separated list of attributes on the AWS connection type.

Is there a fix you can suggest so that these attributes are properly added?

Regs

Andrew C

Can you share a screenshot?


Regards,
Rushikesh Vartak

Or use the below query:

select EXTERNALCONNECTIONTYPEKEY externalconnectiontype__primarykey,'AWS_ACCESS_SECRET_PASSWORD,DEFAULT_NEW_ACCOUNT_PASSWORD,AWS_ACCESS_KEY,AWS_ACCESS_SECRET_PASSWORD' as externalconnectiontype__ENCRYPTEDATTRIBUTES
from externalconnectiontype where EXTERNALCONNECTIONTYPEKEY=13


Regards,
Rushikesh Vartak

ARCrosthwaite
New Contributor

Hi @rushikeshvartak 

Below is the complete list of all values in Connection Attributes as Comma Separated. I've included this as the screenshot doesn't show the complete list.

AWS_ACCOUNT_ID,ADMIN_EMAIL,CREATEUSERS,PREVENTATIVECONTROL_TURNED_ON,CROSS_ACCOUNT_ROLE_ARN,federatedADJSON,AWS_STACK_ROLE_NAME,CL_QUEUE_URL,CW_QUEUE_UL,VPC_KIBANA_URL,CT_KIBANA_URL,PROCESS_PRIVILEGES_TYPES,DEFAULT_NEW_ACCOUNT_PASSWORD,S3CFTEMPLATES_PATH,PULL_GOV_REGION_ONLY,PC_QUEUE_UL,WorkspaceConfigJSON,EXTERNAL_ID,PAM_CONFIG,DEFAULT_REGION,CUSTOM_CONFIG_JSON,GENERATE_KEY_JSON

 


Regs

Andrew C

It's wrong. It's the 6th attribute, encrypted connection attribute.


Regards,
Rushikesh Vartak

ARCrosthwaite
New Contributor

Hi @rushikeshvartak I'm not sure what you mean by it's wrong...

We have shared the screenshot for the out of the box AWS connection type and the comma separated connection attributes for the same out of the box connection type.

It looks like the out of the box connection type does not have these two attributes. We have confirmed this with someone from the Saviynt support team and they have confirmed that these attributes are present in their own local environment. Is it possible to use a query to add these attributes to our own environment, and if so, what would this be?

If we run the query, would it add these values, or do we need a Saviynt support ticket for this?

Run the below query from the enhanced query job:

select EXTERNALCONNECTIONTYPEKEY externalconnectiontype__primarykey,'AWS_ACCESS_SECRET_PASSWORD,DEFAULT_NEW_ACCOUNT_PASSWORD,AWS_ACCESS_KEY,AWS_ACCESS_SECRET_PASSWORD' as externalconnectiontype__ENCRYPTEDATTRIBUTES
from externalconnectiontype where EXTERNALCONNECTIONTYPEKEY=13


 


Regards,
Rushikesh Vartak

ARCrosthwaite
New Contributor

@rushikeshvartak We have already run the above query and, as per the screenshot I posted, these values appear under Encrypted Connection Attributes. The issue we are seeing is that these attributes are also not in the Connection Attributes as Comma Separated list.


Regs

Andrew C

Does it still show unencrypted? You need to enter again and save the connection.


Regards,
Rushikesh Vartak

ARCrosthwaite
New Contributor

@rushikeshvartak We have already saved and tested the connection, but it's still visible, as these 2 parameters are not available in Connection Attributes as Comma Separated.

Regs

Andrew C

Try adding under global configuration - features - Sensitive Data Variables To Be Masked

 


Regards,
Rushikesh Vartak

ARCrosthwaite
New Contributor

@rushikeshvartak To reiterate, we currently have the attributes showing in the Encrypted Connection Attributes list on the connection type page. The issue we appear to be having is that these attributes are not in the Connection Attributes as Comma Separated list. We've verified this with Saviynt support and confirmed that these attributes should be in the Connection Attributes as Comma Separated list, but in our tenant they are not present.

Your earlier suggestion of the query to add them to the Encrypted Connection Attributes worked, but the wider issue now appears to be that they are not in the list of attributes on the connection type. It is this we are now seeking a solution to.

This needs to be fixed from product level. Please raise an idea ticket.


Regards,
Rushikesh Vartak

ARCrosthwaite
New Contributor

@rushikeshvartak 

We've also updated this value in Global config to what you suggested, but it's not changed what we're seeing in the connection. Even after updating and saving the config, the values in the AWS_ACCESS_KEY & AWS_ACCESS_SECRET_PASSWORD attributes are not hidden.

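The mismatch the thread converges on can be checked mechanically. The following is an added example, not part of any post above and not Saviynt code: it compares the two lists quoted in the thread and reports names marked encrypted but never declared on the connection type, required names missing from the encrypted list, and duplicates. The function names and the sensitive-name pattern are assumptions.

```python
# Added example: list contents are copied from the thread; function names and
# the SENSITIVE heuristic are hypothetical, not part of any Saviynt API.
import re

# "Connection Attributes as Comma Separated" as posted for the tenant.
CONNECTION_ATTRIBUTES = (
    "AWS_ACCOUNT_ID,ADMIN_EMAIL,CREATEUSERS,PREVENTATIVECONTROL_TURNED_ON,"
    "CROSS_ACCOUNT_ROLE_ARN,federatedADJSON,AWS_STACK_ROLE_NAME,CL_QUEUE_URL,"
    "CW_QUEUE_UL,VPC_KIBANA_URL,CT_KIBANA_URL,PROCESS_PRIVILEGES_TYPES,"
    "DEFAULT_NEW_ACCOUNT_PASSWORD,S3CFTEMPLATES_PATH,PULL_GOV_REGION_ONLY,"
    "PC_QUEUE_UL,WorkspaceConfigJSON,EXTERNAL_ID,PAM_CONFIG,DEFAULT_REGION,"
    "CUSTOM_CONFIG_JSON,GENERATE_KEY_JSON"
)
# Value the second query in the thread writes to ENCRYPTEDATTRIBUTES.
ENCRYPTED_ATTRIBUTES = (
    "AWS_ACCESS_SECRET_PASSWORD,DEFAULT_NEW_ACCOUNT_PASSWORD,"
    "AWS_ACCESS_KEY,AWS_ACCESS_SECRET_PASSWORD"
)
MUST_MASK = ["AWS_ACCESS_KEY", "AWS_ACCESS_SECRET_PASSWORD"]
SENSITIVE = re.compile(r"PASSWORD|SECRET|ACCESS_KEY|TOKEN", re.I)  # heuristic

def parse_attrs(text):
    """Split a comma separated list, dropping blanks such as a leading comma."""
    return [a.strip() for a in text.split(",") if a.strip()]

def audit(connection_csv, encrypted_csv, must_mask):
    declared = parse_attrs(connection_csv)
    seen, dupes = set(), []
    for name in parse_attrs(encrypted_csv):
        if name in seen and name not in dupes:
            dupes.append(name)
        seen.add(name)
    return {
        # Required secrets that are not flagged for encryption at all.
        "not_encrypted": [n for n in must_mask if n not in seen],
        # Flagged for encryption but absent from the connection type's fields.
        "encrypted_but_undeclared": sorted(seen - set(declared)),
        # Declared fields that look like secrets but are not flagged.
        "declared_sensitive_unencrypted": [
            n for n in declared if SENSITIVE.search(n) and n not in seen],
        "duplicates": dupes,
    }

if __name__ == "__main__":
    for key, value in audit(CONNECTION_ATTRIBUTES, ENCRYPTED_ATTRIBUTES,
                            MUST_MASK).items():
        print(f"{key}: {value}")
```
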