Auto Scaling of Access Manager Identity Servers in AWS

With the release of NetIQ Access Manager 4.4 SP1, Access Manager is officially supported on the leading public clouds, AWS and Azure. Administrators can use the auto scaling services available in the cloud to automatically scale out and scale in the Access Manager instances based on the load pattern.

This solution demonstrates the Auto scaling of Identity servers in AWS and uses a previously published cool tool to automate some of the Access Manager operations.

How it works.

Identity Servers are configured in an auto-scaling group with either a scaling policy or a scheduled scaling action. When the servers reach the threshold, the auto-scaling group spins up a new Identity Server instance from the Identity Server AMI, and the configured life-cycle hook puts the instance in the Pending:Wait state and sends a notification to an SNS topic. A Lambda function registered for the SNS topic is executed and automatically configures the new instance by importing it into the Admin Console and adding it to the configured Identity Server cluster.

Similarly, when the load on the Identity Servers drops below the threshold, the configured life-cycle hook puts the instance in the Terminating:Wait state and sends a notification to the SNS topic. A Lambda function registered for this SNS topic is executed and automatically removes the Identity Server from the Admin Console, after which the instance is terminated.

To implement auto-scaling in AWS for Identity Servers, you need to configure the following AWS services:

  • AWS – IAM

  • AWS – VPC

  • AWS – S3 storage

  • AWS – Simple Notification Service (SNS)

  • AWS – Lambda

  • AWS – EC2

  • AWS – CloudWatch

The following diagram explains all the steps required to configure the auto-scaling for Identity server in AWS.

1. Create IAM user and required roles

For security reasons, it is recommended to create a separate AWS IAM user (for example namadmin) who is responsible for creating and maintaining the AWS services for Access Manager deployments. To configure Identity Server auto scaling, the group to which namadmin belongs must be granted the following permissions. This can be configured by logging in to the AWS IAM console as the root user.

Additionally, certain AWS roles have to be configured for various AWS services.

Serial Number   AWS Service                              Required Permission                      Example Role Name
1               EC2 (Identity Server instances)          S3 Read Only Access                      EC2-S3-READ
2               Lambda                                   EC2 Full Access, S3 Read Only Access     LAMBDA-EC2-S3
3               Auto Scaling (life-cycle hook            AutoScaling Notification Access Role     AUTOSCALE-NOTIFICATION
                notifications to SNS)


The rest of the configuration must be done while logged in to the AWS console as namadmin.

2. Create Access Manager VPC and required subnets

As a security and scalability best practice, it is recommended to create a separate VPC and different subnets for the Access Manager components and to deploy the Access Manager components accordingly.

Please refer to the Access Manager admin guide and related cool solution for more information and configuration.

3. Install and Configure Admin Console, Identity Server and Identity Server load balancer

As a prerequisite for auto scaling, the following services are expected to be already available in AWS:

  • Admin Console

  • At least one Identity Server installed and Identity server cluster configured

  • AWS Network Load Balancer configured for the Identity Server

Please refer to the Access Manager install guide for doing the same in AWS.

4. Creating Identity Server AMI

An Identity Server AMI has to be created, which will be used as the source AMI for the Identity Server instances whenever new instances are launched by the auto-scaling group. Following are the steps to create the Identity Server AMI.

  • Log in to the AWS Console and install a temporary Identity Server and import it into the Admin Console.

  • Log in to the Admin Console and you will see the imported Identity Server in the Not Configured state as below.

  • Delete the imported node from the Admin Console.

  • The above step deletes the Identity Server from the Admin Console but retains the Identity Server RPMs on the server instance, from which we can create an Identity Server AMI.

  • Login to the AWS console and stop the running temporary Identity Server instance as below.

  • Select the stopped instance and select Image -> Create image from the Action menu.

  • In the create image dialog box, provide the necessary information as below and click Create Image button.

  • The new Identity Server AMI will be available in the EC2 management console after some time.

5. Storage Configuration

This Auto scaling solution requires two AWS S3 buckets to be created.

  • Bucket1 - Private bucket. This bucket has to be uploaded with the following content:

    • Updated lambda function from the cool tool

    • non-edited script (available in the above zip file)

    • updated data.json file (also available in the above zip file)

  • Bucket2 - Private bucket protected using bucket policies. This bucket has to be uploaded with the following content:

    • file in the following format:

ADMIN_CONSOLE_IP=<private IP address of admin console>
ADMIN_USERNAME=<admin username>
ADMIN_PASSWORD=<admin password>
CLUSTER_NAME=<IDP cluster name>
NAM_BUILD_NO=<NAM build number>

    • SSH key pair file for the EC2 instances.

Since Bucket2 holds sensitive information, it has to be protected from unauthorized access. Access must be given only to namadmin and to the Lambda function, which uses the admin credentials and the SSH key pair file to configure the Identity Server instance automatically. AWS S3 bucket policies can be used to protect the content of this bucket.

A sample policy which can be applied to this bucket is as follows. The statement is shown complete here; the principals listed under NotPrincipal are assumed to be the namadmin user, the Lambda execution role LAMBDA-EC2-S3 together with its assumed-role session (whose session name is the Lambda function name), and the account root, which the AWS IAM documentation recommends listing alongside a NotPrincipal Deny so that the account itself is not locked out:

{
  "Version": "2012-10-17",
  "Id": "Policy1523471308883",
  "Statement": [
    {
      "Sid": "Stmt1523471304562",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:root",
          "arn:aws:iam::<AWS_ACCOUNT_ID>:user/namadmin",
          "arn:aws:iam::<AWS_ACCOUNT_ID>:role/LAMBDA-EC2-S3",
          "arn:aws:sts::<AWS_ACCOUNT_ID>:assumed-role/LAMBDA-EC2-S3/<LAMBDA_FUNCTION_NAME>"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<Bucket2>",
        "arn:aws:s3:::<Bucket2>/*"
      ]
    }
  ]
}

In the above policy example, replace:

<AWS_ACCOUNT_ID> with your 12-digit AWS account ID

<LAMBDA_FUNCTION_NAME> with the name of your AWS Lambda function

<Bucket2> with your S3 bucket name which you want to protect

6. Creating SNS topic

An AWS Simple Notification Service (SNS) topic has to be created which will receive a notification whenever a new Identity Server instance is created or terminated by an AWS auto-scaling group.

Steps to create the SNS topic:

  • Login to the AWS console, search for SNS and select the SNS service.

  • In the SNS dashboard, click Create Topic, provide a Topic name and click Create topic button.

  • Once the topic is created you can see details about the same.

7. Creating Auto scaling launch configuration

  • Login to the AWS EC2 console and, in the Auto Scaling section, click Launch Configuration.

  • Click the Create launch configuration button and provide the following details in the create launch configuration wizard:

    • AMI - Select the nam-autoscale-idp AMI which was created as part of step 4 and is available under My AMIs.

    • Instances - Select the desired instance type.

    • Name - Provide a name for the launch configuration - nam-idp-autoscale.

    • IAM role - Select the IAM role which has read-only access to S3 - EC2-S3-READ.

    • In the advanced options, User data section, provide the command to download the script from the S3 storage into the IDP instance, like below.

      • Example: aws s3 cp "s3://bucket1/" /tmp/ --region ap-south-1

    • Storage [optional] - you can increase the size of the root volume and add additional storage volumes.

  • Review the wizard inputs and create the launch configuration.

  • Select an existing SSH key pair or create a new key pair for the instances.

    • Note: You have to copy the SSH key pair to S3 storage (in Bucket2); it will be used by the AWS Lambda function to SSH into the instance and perform the Identity Server configuration automatically.

8. Creating the Auto scaling group

Once the launch configuration is ready, you can configure the auto-scaling group. Below are the steps:

  • Login to the AWS EC2 console and click Auto Scaling -> Auto Scaling Groups.

  • Click Create Auto Scaling group -> select Create an Auto Scaling group from an existing launch configuration. Select the previously created launch configuration (nam-idp-autoscale) in the list of launch configurations and click Next step.

  • Provide the following details:

    • Name for the auto scaling group (Ex: nam-idp-autoscale-group).

    • Group size (also called desired capacity) - start with 1 instance.

    • Network - Select the Access Manager VPC which was created in step 2.

    • Subnets - Select all the subnets which were created for the Identity Server deployment.

    • Advanced Details

      • Load Balancing – Check Receive traffic from one or more load balancers.

      • Target Groups – Select the Identity Server target group created while configuring the Identity Server load balancer.

      • Health Check type – EC2

  • Click Next: Configure scaling policies.

Scaling Policies:

AWS provides many metrics which can be used for scaling out the EC2 instances when the metric reaches a specified threshold. It is recommended to understand these scaling policies, choose the ones that suit your requirements and configure them accordingly.

Read for more details.

In this solution, a simple demonstration of an AWS scaling policy is provided, in which a new EC2 instance is created automatically when the average CPU utilization of the running instances reaches a specific threshold, and a running instance is terminated when the average CPU utilization of the running instances drops below a certain threshold.

It is strongly recommended to create the auto scaling policy based on the environment in which Access Manager is deployed.

  • Notification: In the create notification section, select the previously created topic (nam-idp-autoscale in our example) and select the events for which the notification has to be sent.

  • In the next steps optionally add any tags to the configuration and finally review the configuration and click Create Auto Scaling Group.

9. Creating Auto scaling life-cycle hooks

In order for the auto-scaling group to automatically configure the Identity Servers when a new instance is started or terminated, auto scaling life-cycle hooks have to be configured. Life-cycle hooks have to be created using the AWS CLI.

Two life-cycle hooks have to be configured, one for server launch and one for server termination.

AWS CLI syntax for creating life cycle hook:

aws autoscaling put-lifecycle-hook --lifecycle-hook-name <name_of_the_hook> --auto-scaling-group-name <name_of_autoscaling_group> --lifecycle-transition autoscaling:EC2_INSTANCE_LAUNCHING --notification-target-arn <arn_of_sns_topic> --role-arn <iam_role_autoscale_sns_notify> --heartbeat-timeout 300 --region ap-south-1

aws autoscaling put-lifecycle-hook --lifecycle-hook-name <name_of_the_hook> --auto-scaling-group-name <name_of_autoscaling_group> --lifecycle-transition autoscaling:EC2_INSTANCE_TERMINATING --notification-target-arn <arn_of_sns_topic> --role-arn <iam_role_autoscale_sns_notify> --heartbeat-timeout 30 --region ap-south-1

In the example used in this solution, the commands would look like this.

aws autoscaling put-lifecycle-hook --lifecycle-hook-name IDP_LAUNCH_HOOK --auto-scaling-group-name nam-idp-autoscale-group  --lifecycle-transition autoscaling:EC2_INSTANCE_LAUNCHING --notification-target-arn arn:aws:sns:ap-south-1:354878439984:nam-idp-autoscale --role-arn arn:aws:iam::354878439984:role/AUTOSCALE-NOTIFICATION  --heartbeat-timeout 300 --region ap-south-1

aws autoscaling put-lifecycle-hook --lifecycle-hook-name IDP_TERMINATE_HOOK --auto-scaling-group-name nam-idp-autoscale-group  --lifecycle-transition autoscaling:EC2_INSTANCE_TERMINATING --notification-target-arn arn:aws:sns:ap-south-1:354878439984:nam-idp-autoscale  --role-arn arn:aws:iam::354878439984:role/AUTOSCALE-NOTIFICATION  --heartbeat-timeout 30 --region ap-south-1

10. Creating Lambda function

An AWS Lambda function has to be created which subscribes to the SNS topic and, based on the notification, either commissions or decommissions the Identity Server.

A working lambda function is already developed and is available as a cool tool at this link.

The zip file has the following content:

  • A Python lambda function which commissions/decommissions the Identity Server automatically when Auto Scaling launches or terminates an Identity Server instance.

  • The necessary Python run-time libraries to run this lambda function.

  • - script to configure the Identity Server, which has to be uploaded to the S3 bucket without editing.

  • data.json - a JSON data file which contains environment-specific information which the namadmin has to modify according to the environment.

Following are the steps to use the lambda function.


  • Unzip the zip file.

  • Copy the to the Bucket1 created in step 4.

  • Edit data.json and modify the file with the information for your environment:

{
  "data" : {
    "CredentialsBucket" : "<secure bucket having>",
    "PrivateKeyFile" : "<PEM file name for EC2 instances>",
    "IDP" : {
      "AdminPropertiesFile" : "",
      "LifecycleHook" : {
        "Launch" : "<idp-launch-hook>",
        "Terminate" : "<idp-termination-hook>"
      }
    },
    "AG" : {
      "AdminPropertiesFile" : "",
      "LifecycleHook" : {
        "Launch" : "ag-launch-hook",
        "Terminate" : "ag-termination-hook"
      }
    }
  }
}

An example data.json for the example used in this solution may look as below:

{
  "data" : {
    "CredentialsBucket" : "bucket2",
    "PrivateKeyFile" : "nam-instances",
    "IDP" : {
      "AdminPropertiesFile" : "",
      "LifecycleHook" : {
        "Launch" : "IDP_LAUNCH_HOOK",
        "Terminate" : "IDP_TERMINATE_HOOK"
      }
    },
    "AG" : {
      "AdminPropertiesFile" : "",
      "LifecycleHook" : {
        "Launch" : "ag-launch-hook",
        "Terminate" : "ag-termination-hook"
      }
    }
  }
}

NOTE: The current version of this tool works only for Identity Server auto-scaling. The Access Gateway functionality will be added shortly, and a separate solution will be made available along with the tool.

  • Create the zip archive again from the extracted content with the updated data.json.

  • Copy the zip file to the S3 private bucket - Bucket1.
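The following Python example is added here and is not part of the cool tool's code. It shows the core of what the SNS-triggered Lambda described in "How it works" and in this step has to do: parse the life-cycle message out of the SNS record, decide between commissioning and decommissioning from the hook names in data.json, and release the Pending:Wait or Terminating:Wait state. The event, hook names, group name, instance ID and token are constructed; complete_lifecycle_action is the boto3 Auto Scaling API, stubbed here with FakeAutoScaling so the block runs offline, and the code targets Python 3 because AWS Lambda no longer offers the Python 2.7 runtime named below.

```python
import json

# Constructed data.json fragment using the hook names from this article
DATA_JSON = {"data": {"IDP": {"LifecycleHook": {
    "Launch": "IDP_LAUNCH_HOOK", "Terminate": "IDP_TERMINATE_HOOK"}}}}
LAUNCH = "autoscaling:EC2_INSTANCE_LAUNCHING"
TERMINATE = "autoscaling:EC2_INSTANCE_TERMINATING"

# Constructed SNS record in the shape Auto Scaling publishes for a life-cycle hook
SAMPLE_EVENT = {"Records": [{"Sns": {"Message": json.dumps({
    "LifecycleHookName": "IDP_LAUNCH_HOOK", "LifecycleTransition": LAUNCH,
    "AutoScalingGroupName": "nam-idp-autoscale-group",
    "EC2InstanceId": "i-0123456789abcdef0", "LifecycleActionToken": "constructed-token"})}}]}

def classify_records(event, data=DATA_JSON):
    """Map each SNS record to commission / decommission / ignore.
    Test notifications carry no LifecycleTransition and must be ignored."""
    hooks = data["data"]["IDP"]["LifecycleHook"]
    decisions = []
    for record in event.get("Records", []):
        msg = json.loads(record["Sns"]["Message"])   # the message is a JSON string
        transition, hook = msg.get("LifecycleTransition"), msg.get("LifecycleHookName")
        if transition == LAUNCH and hook == hooks["Launch"]:
            action = "commission"     # import into Admin Console, join the IDP cluster
        elif transition == TERMINATE and hook == hooks["Terminate"]:
            action = "decommission"   # remove from Admin Console
        else:
            action = "ignore"         # test notification or a hook of another group
        decisions.append({"action": action, "hook": hook,
                          "group": msg.get("AutoScalingGroupName"),
                          "instance": msg.get("EC2InstanceId"),
                          "token": msg.get("LifecycleActionToken")})
    return decisions

def complete(decision, succeeded, autoscaling):
    """Release Pending:Wait / Terminating:Wait with boto3 complete_lifecycle_action.
    ABANDON after a failed commission makes Auto Scaling terminate the instance
    instead of leaving an unconfigured Identity Server behind the load balancer."""
    result = "CONTINUE" if succeeded else "ABANDON"
    autoscaling.complete_lifecycle_action(
        LifecycleHookName=decision["hook"], AutoScalingGroupName=decision["group"],
        LifecycleActionToken=decision["token"], LifecycleActionResult=result,
        InstanceId=decision["instance"])
    return result

class FakeAutoScaling:
    """Stand-in for boto3.client("autoscaling") so the block runs offline."""
    def complete_lifecycle_action(self, **kwargs):
        self.last = kwargs
```

Run classify_records(SAMPLE_EVENT) and pass each decision to complete() once the commissioning or decommissioning work has finished; the heartbeat timeouts set in step 9 (300 s for launch, 30 s for termination) bound how long that work may take before Auto Scaling applies the hook's default result on its own.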

Creating Lambda function:

  • Login to the AWS Lambda console.

  • Click Create Function.

  • Select Author from scratch and provide the following details:

    • Name: idpAutoScaleLamba

    • Runtime: Python 2.7

    • Role: Choose an existing role

    • Existing role: LAMBDA-EC2-S3

    • Note: This Lambda function name should be the same as the assumed-role item of the bucket policy of the secured private bucket, Bucket2, as described in step 5.

  • Click Create function. This will launch the Lambda configuration page, which has the following sections.

  • Designer: Here you need to specify the trigger for this Lambda function.

    • Click SNS; the SNS service will be added as the trigger.

    • In the Configure triggers section, in the SNS topic drop-down, select nam-idp-autoscale and click Add.

  • Function code section: give the details as below.

    • Code entry type: Select Upload a file from S3

    • Runtime: Python 2.7

    • Handler: mainHandler.handler

  • Execution role section: select

    • Choose an existing role

    • Existing role: Select the LAMBDA-EC2-S3 role from the drop-down

  • In the Network section select

    • VPC: Select the Access Manager VPC

    • Subnets: Select both the subnets of the VPC

    • Security Group: Select the Identity Server security group

Save the settings.

With the successful configuration of the above steps, the Identity Server will be configured for auto-scaling in AWS cloud.


