
Security to protect your data

Informatica implements fine-grained authentication and authorization mechanisms to deploy and manage an elastic runtime environment in your VPC, access data sources that you use in tasks, and store output logs.
An elastic runtime environment is isolated at the workload level to increase reliability. A user configures the environment through their organization. Then, the master node auto-scales and manages AWS resources. Images, artifacts, and configurations are stored separately in the Informatica Intelligent Cloud Services control plane.
Interaction with the elastic runtime environment involves distinct authentication and authorization methods for users and the master node.

Authentication

To configure an elastic runtime environment, a user authenticates to their organization by logging in through a mechanism such as a password or SSO. The master node uses an IAM instance profile to manage AWS resources.

Authorization

An elastic runtime environment uses Informatica Intelligent Cloud Services and IAM roles to authorize users and instances to access and manage Informatica Intelligent Cloud Services and AWS resources:
User-based authorization
Users have authorization to access and manage Informatica Intelligent Cloud Services and an elastic runtime environment through their Informatica Intelligent Cloud Services role. The role grants a user privileges to create, modify, and deploy the elastic runtime environment and to access the Secure Agent. Roles also isolate the elastic runtime environment for department-level access so that each department is authorized to administer their own elastic runtime environment.
Instance-based authorization
The master node has authorization to access and manage worker nodes in the environment and AWS resources in your VPC. A master node is granted authorization through an IAM role, which is associated with one or more IAM policies and an instance profile. Policies provide granular access to the AWS resources that an elastic runtime environment uses, such as file shares and virtual machines. For example, the master node is authorized to create EC2 instances and change auto-scaling settings.
The following image shows how Informatica uses roles to manage authorization to access and manage Informatica Intelligent Cloud Services and AWS resources:
  1. Informatica Intelligent Cloud Services roles grant access to configure the elastic runtime environment in your organization.
  2. IAM roles grant access to data stores, file shares, and worker nodes in the elastic runtime environment.
  3. Informatica Intelligent Cloud Services roles grant access to resources in the Informatica Intelligent Cloud Services control plane, including Informatica’s image repository, artifactory, and runtime configuration store.

Downloading images

Download images from Informatica's image repository so that you can scan them for vulnerabilities according to compliance needs.
To download images, you need the Manage Elastic Runtime Environment Repository Token privilege in your organization. To run Docker commands, install Docker on the machine. For more information about feature privileges, see User Administration in the Administrator help.
Informatica allows you to access its image repository so that you can download the images that an elastic runtime environment uses. You can scan the images to ensure that they meet your enterprise-level security and compliance needs. Informatica notifies you when a new image is available so that you can scan the image before the deployment window for the next Informatica Intelligent Cloud Services release.
  1. Use the platform REST API version 3 containerimagetoken resource to get a token for the image repository.
     You can create a token or use an existing token for your organization. For more information, see Getting a new token or Getting all tokens for an organization, respectively.
  2. Use the platform REST API version 3 ais resource to get image information for the elastic runtime environment.
     For more information, see Getting runtime environment image information.
  3. On the machine that you use to scan images, run the following Docker command to connect to the image repository:
     docker login infacloud-k8s-agent-docker-dev.jfrog.io --username <Informatica organization ID> --password <token value>
  4. Run a Docker command to download the image.
     For example, the following command downloads version 64.1:
     docker pull infacloud-k8s-agent-docker-dev.jfrog.io/Data Integration:64.1
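Steps 3 and 4 as one script, added here as an example and not Informatica's own tooling. It assumes the organization ID and repository token from steps 1 and 2 are exported as INFA_ORG_ID and INFA_REPO_TOKEN (assumed names), and that the repository path is the lowercase value returned by the ais resource. It differs from the documented login command by passing the token on stdin instead of the command line, so the token does not land in shell history or the process list, and it prints the pulled image's content digest so the image you scanned can be matched against the one the environment deploys.

```shell
#!/bin/sh
# Added example: login, pull and digest for one elastic runtime environment image.
# Assumed environment: INFA_ORG_ID, INFA_REPO_TOKEN; arguments: <repository> <tag>.
set -eu

REGISTRY="infacloud-k8s-agent-docker-dev.jfrog.io"   # registry named in step 3

# Docker repository names are lowercase and contain no spaces; reject anything
# else before it is interpolated into a docker command.
valid_repo_name() {
    case "$1" in
        ''|*[!a-z0-9._/-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build "<registry>/<repository>:<tag>"; non-zero status on a bad repository name.
image_ref() {
    valid_repo_name "$1" || return 1
    printf '%s/%s:%s\n' "$REGISTRY" "$1" "$2"
}

# Log in with the token on stdin so it never appears in argv or shell history.
registry_login() {
    printf '%s' "$INFA_REPO_TOKEN" | docker login "$REGISTRY" \
        --username "$INFA_ORG_ID" --password-stdin
}

# Pull the image, then print its repository digest (registry/repo@sha256:...).
# Record this value with your scan results and compare it to the digest of the
# image the environment runs, so the scanned artifact is the deployed one.
pull_and_digest() {
    ref=$(image_ref "$1" "$2")
    docker pull "$ref" >/dev/null
    docker image inspect --format '{{index .RepoDigests 0}}' "$ref"
}

# Touch the network only when credentials are present, so the file can be
# sourced or tested offline without contacting the registry.
if [ -n "${INFA_ORG_ID:-}" ] && [ -n "${INFA_REPO_TOKEN:-}" ]; then
    registry_login
    digest=$(pull_and_digest "${1:?repository}" "${2:?tag}")
    echo "pulled $digest"
    # Feed "$digest" to your vulnerability scanner (for example, trivy image "$digest")
fi
```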