Adding Synopsys Credentials to AWS Parameter Store

To communicate with either Coverity on Polaris or Black Duck, Synopsys Detect must first authenticate.
To ensure that Synopsys Detect can authenticate, you must provide the appropriate URLs and access tokens.
While these values can be passed directly into Synopsys Detect at invocation time, this method is not recommended because the values are not encrypted and could therefore be accessed improperly.
The more secure approach is to leverage the AWS Parameter Store to protect sensitive values and make them available to AWS CodeBuild and CodePipeline workers. 

The following parameters are required:

  • URL to your instance of Polaris/Black Duck
  • The API Token to authenticate with Polaris/Black Duck

Although user names and passwords can be used to authenticate to Black Duck, API authentication tokens are recommended for the following reasons:

  • Tokens are more ephemeral than user accounts.
  • Tokens provide more fine-grained access.
  • Tokens cannot be used to access the Black Duck user interface.

Contact Synopsys Support for more information about the benefits of API Authentication Tokens over username/password authentication.

The following steps describe adding authentication parameters:

Add URL and tokens to the AWS Parameter Store

  1. Based on the product that you want to use, create the Access Token:
    1. Polaris:
      1. Log in to your instance of Polaris. 
      2. Select your user name on the top left, then click Access Tokens > Create New Token.
    2. Black Duck:
      1. Log in to your instance of Black Duck.
      2. Select your user name on the top right, then click Profile > User Access Token.
  2. Log in to https://console.aws.amazon.com.
  3. Navigate to Services > Compute > EC2 > Systems Manager Shared Resources > Parameter Store > Create Parameter.
  4. Based on the product you connect to, create the following parameters:
    Polaris:
    • Detect-Polaris-URL - Type: string
    • Detect-Polaris-Token - Type: SecureString
    Black Duck:
  5. If you are scanning Docker Images in External Registries using Black Duck, then create these parameters:
    • Detect-Registry-URL - Type: string
    • Detect-Registry-Username - Type: string
    • Detect-Registry-Password - Type: SecureString. Select the default KMS Key ID


Create a Policy in IAM to access the parameters

If you are using a CodeBuild worker to call Synopsys Detect, then you must create a policy in IAM to allow access to the parameters that you added in the previous step.

  1. Log in to https://console.aws.amazon.com.
  2. Navigate to Services > Security, Identity & Compliance > IAM > Policies > Create Policy.
  3. Under Create Policy, use your preferred method for creating a Policy:
    • Visual Editor:
      • Service - Systems Manager
      • Actions - Read > GetParameters
      • Resources - Add the ARN for the parameters; see the JSON instructions below for an example.
      • Request Conditions:
    • JSON: Copy the example below, and configure your Region and Account ID.

      IAM Policy JSON
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "ssm:GetParameters",
                  "Resource": [
                      "arn:aws:ssm:<region>:<account_id>:parameter/Detect-*"
                  ]
              }
          ]
      }
  4. Click Review Policy, then give a Name and Description to the Policy.
  5. Click Create Policy.
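
The following added example (not part of the Synopsys documentation) audits the two things these steps depend on: that token and password parameters were created as SecureString, and which parameters the Detect-* policy actually exposes to the CodeBuild role. The region, account ID, parameter list, and the Prod-DB-Password name are constructed sample data, and Python's fnmatch is used as an approximation of IAM wildcard matching.

```python
import fnmatch

SECRET_SUFFIXES = ("-Token", "-Password")   # values the page stores as SecureString
READ_ACTIONS = {"ssm:GetParameter", "ssm:GetParameters"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_parameters(params):
    """Flag secret-bearing parameters that were not created as SecureString."""
    return [f"{p['Name']}: type {p['Type']}, expected SecureString"
            for p in params
            if p["Name"].endswith(SECRET_SUFFIXES) and p["Type"] != "SecureString"]

def audit_policy(policy, params):
    """Flag non-read actions and list every parameter the Allow statements expose."""
    findings, exposed = [], set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt["Action"]):
            if action not in READ_ACTIONS:
                findings.append(f"action broader than read: {action}")
        for arn in as_list(stmt["Resource"]):
            # Text after ':parameter/' is the name pattern; a bare '*' matches all.
            pattern = arn.split(":parameter/", 1)[1] if ":parameter/" in arn else "*"
            if not pattern.startswith("Detect-"):
                findings.append(f"resource not limited to Detect-*: {arn}")
            exposed.update(p["Name"] for p in params
                           if fnmatch.fnmatchcase(p["Name"], pattern))
    return findings, sorted(exposed)

# Constructed sample data: the policy from this page with placeholder region and
# account ID, and entries shaped like `aws ssm describe-parameters` output.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "ssm:GetParameters",
    "Resource": ["arn:aws:ssm:us-east-1:111122223333:parameter/Detect-*"]}]}
SAMPLE_PARAMS = [
    {"Name": "Detect-Polaris-URL", "Type": "String"},
    {"Name": "Detect-Polaris-Token", "Type": "String"},        # misconfigured
    {"Name": "Detect-Registry-Password", "Type": "SecureString"},
    {"Name": "Prod-DB-Password", "Type": "SecureString"},      # unrelated secret
]

if __name__ == "__main__":
    print(audit_parameters(SAMPLE_PARAMS))
    print(audit_policy(PAGE_POLICY, SAMPLE_PARAMS))
```

The exposed list shows that the Detect-* wildcard covers every parameter sharing the prefix, including the registry password, so any parameter later created with that prefix becomes readable by the same role.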









©2020 Synopsys, Inc. All Rights Reserved