NetIQ Access Manager: Auto Scaling of Identity Server in AWS - Lambda function

With the NetIQ Access Manager 4.4 SP1 release, Access Manager started supporting the leading public clouds, AWS and Azure. To reduce infrastructure cost, NAM admins can scale out and scale in the Identity Servers based on parameters such as CPU utilization, Network In/Out, and so on. The scaling operations can also be scheduled based on timing requirements.

AWS provides the Auto Scaling service to achieve this seamlessly. However, when Auto Scaling launches an instance, certain initial configuration must be performed in order to commission the Identity Server in the Admin Console, and when Auto Scaling terminates an instance, certain operations must be performed to decommission it from the Admin Console.

This tool contains the following:

  • A Python Lambda function which commissions/decommissions the Identity Server automatically when Auto Scaling launches or terminates an Identity Server instance.

  • The necessary Python runtime libraries to run this Lambda function.

  • - a script to configure the Identity Server, which the NAM admin has to upload to the S3 storage bucket

  • data.json - a JSON data file containing the AWS environment details specific to the NAM admin's cloud

NOTE: This documentation assumes the reader has working knowledge of the various AWS services involved.


Prerequisites:

  1. A separate Access Manager Virtual Private Cloud (VPC) and subnets configured to deploy the Access Manager components. (Refer: Deploying NetIQ Access Manager on AWS EC2)

  2. The Admin Console installed and configured. At least one Identity Server installed and imported into the Admin Console, and the Identity Server cluster created with all the required configuration. (Refer: Installing NetIQ Access Manager)

  3. An Identity Server AMI to be used as the source image for Identity Server deployments. The high-level steps to create the Identity Server AMI are:

    a. Deploy a temporary Identity Server instance and import it into the Admin Console.

    b. Delete the temporary Identity Server node from the Admin Console.

    c. Go to the EC2 dashboard and stop the temporary Identity Server instance.

    d. Right-click the temporary IDP server instance, go to Image > Create Image, and follow the on-screen instructions.

  4. IAM roles for the following AWS services:

    a. Role1: EC2 service, to read content from S3

    b. Role2: Auto Scaling service, to send SNS notifications

    c. Role3: Lambda service, to access EC2, S3 and CloudWatch

  5. An SNS topic to send the event notifications to the subscribed Lambda function.

  6. An AWS Auto Scaling launch configuration created using the Identity Server AMI, the Identity Server security group, Role1 (from the IAM roles above) as the instance role, the SSH access key pair (PEM file), and the desired instance type. Specify the following command in the User Data field, so that each new instance fetches the configuration script from the bucket at boot using Role1's permissions:

      aws s3 cp "s3://<S3_Bucket_Name>/" /tmp/ --region <region_code>

    Note that aws s3 cp copies a single object; copying everything under a bucket prefix needs --recursive. Anyone who can write to that bucket can change the script every new Identity Server runs, so write access to it should be limited to the administrator.

  7. An AWS Auto Scaling group created using the above launch configuration, with a proper scaling policy or scheduled actions.

  8. Two Auto Scaling lifecycle hooks created using the AWS CLI, one for instance launch and one for instance termination.

  9. In a secured S3 bucket (accessible only to the NAM administrator and the auto-scaling Lambda function), the SSH access PEM file and the admin properties file, created in the following format:

      ADMIN_CONSOLE_IP=<private IP address of admin console>
      ADMIN_USERNAME=<admin username>
      ADMIN_PASSWORD=<admin password>
      CLUSTER_NAME=<IDP cluster name>
      NAM_BUILD_NO=<NAM build number>

    This file carries the Admin Console password in clear text, and the same bucket holds the SSH private key, so the bucket needs a policy that limits access to the administrator and the Lambda function's role (Role3), default encryption, and no public access.
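
The two lifecycle hooks from the prerequisites, as an added example that is not part of the original page or of the tool: it builds the put_lifecycle_hook parameters with boto3's field names (the CLI's put-lifecycle-hook takes the same ones in kebab-case, e.g. --lifecycle-transition and --default-result) and audits what an Auto Scaling group already carries. The hook names, the ASG name, the SNS topic ARN and the Role2 ARN are assumptions; the describe response in demo() is constructed.

```python
# Added example, not the tool's own code: the two lifecycle hooks the Lambda
# relies on, as boto3 put_lifecycle_hook parameters, plus an audit of what
# describe_lifecycle_hooks reports. Hook names, ASG name and ARNs are assumed.
LAUNCHING = "autoscaling:EC2_INSTANCE_LAUNCHING"
TERMINATING = "autoscaling:EC2_INSTANCE_TERMINATING"
CHECKED = ("LifecycleTransition", "NotificationTargetARN", "RoleARN", "DefaultResult")


def lifecycle_hook_params(asg_name, topic_arn, role_arn,
                          launch_hook="idp-launch-hook",
                          terminate_hook="idp-termination-hook",
                          heartbeat=1800):
    """One parameter dict per hook, for autoscaling.put_lifecycle_hook(**params).

    Launch defaults to ABANDON: if the Lambda crashes or times out before it
    completes the action, the half-configured server is terminated rather than
    put into service. Termination defaults to CONTINUE so a failing Lambda
    cannot keep alive an instance that is going away anyway. heartbeat is how
    long Auto Scaling waits (seconds); it must exceed the Lambda's timeout.
    """
    common = {"AutoScalingGroupName": asg_name, "NotificationTargetARN": topic_arn,
              "RoleARN": role_arn, "HeartbeatTimeout": heartbeat}
    return [dict(common, LifecycleHookName=launch_hook,
                 LifecycleTransition=LAUNCHING, DefaultResult="ABANDON"),
            dict(common, LifecycleHookName=terminate_hook,
                 LifecycleTransition=TERMINATING, DefaultResult="CONTINUE")]


def create_hooks(autoscaling, params):
    """Create or update the hooks; put_lifecycle_hook is idempotent per hook name."""
    for p in params:
        autoscaling.put_lifecycle_hook(**p)


def audit_hooks(described, expected):
    """Compare a describe_lifecycle_hooks() response with the expected hooks.

    Returns a list of findings; empty means both hooks exist and point the
    right transition at the right SNS topic with the right role and default.
    """
    findings = []
    by_name = dict((h["LifecycleHookName"], h) for h in described.get("LifecycleHooks", []))
    for want in expected:
        name = want["LifecycleHookName"]
        have = by_name.get(name)
        if have is None:
            findings.append("missing hook %s" % name)
            continue
        for key in CHECKED:
            if have.get(key) != want[key]:
                findings.append("%s: %s is %r, expected %r"
                                % (name, key, have.get(key), want[key]))
    return findings


def demo():
    """Audit a constructed describe response that carries two common mistakes."""
    expected = lifecycle_hook_params(
        "idp-asg", "arn:aws:sns:us-east-1:123456789012:nam-autoscaling",
        "arn:aws:iam::123456789012:role/Role2-autoscaling-sns")
    # Constructed: the launch hook was never created and the termination hook
    # was created with --default-result ABANDON.
    described = {"LifecycleHooks": [dict(expected[1], DefaultResult="ABANDON")]}
    return audit_hooks(described, expected)
```

Against a real account, pass boto3.client("autoscaling") to create_hooks, then run audit_hooks(client.describe_lifecycle_hooks(AutoScalingGroupName="<your ASG>"), expected); an empty findings list means the group is wired the way the Lambda expects.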

Setting up Lambda:

  1. Download and extract the provided zip "".

  2. Upload the "" to a separate S3 bucket.

  3. Open data.json and edit the values based on your configuration, as follows:

      {
        "data" : {
          "CredentialsBucket" : "<secure bucket holding the PEM and properties files>",
          "PrivateKeyFile" : "<PEM file name for EC2 instances>",
          "IDP" : {
            "AdminPropertiesFile" : "",
            "LifecycleHook" : {
              "Launch" : "<idp-launch-hook>",
              "Terminate" : "<idp-termination-hook>"
            }
          },
          "AG" : {
            "AdminPropertiesFile" : "",
            "LifecycleHook" : {
              "Launch" : "ag-launch-hook",
              "Terminate" : "ag-termination-hook"
            }
          }
        }
      }

NOTE: The current version of this tool works only with the Identity Server. The Access Gateway functionality will be added shortly.

  4. Create a zip of the extracted content together with the updated data.json and upload it to the separate S3 bucket used above.

  5. Log in to AWS Lambda and open the Lambda function that is already subscribed to the SNS topic.

  6. In the "Function Code" section, select "Upload a file from S3" as the "Code entry type" and provide the S3 URL of the uploaded zip "".

  7. Set the Network to your VPC and choose the proper subnets and security group. From those subnets the function must reach the Admin Console's private IP and S3; a Lambda function attached to a VPC has no internet access of its own, so reaching S3 needs a NAT gateway or an S3 gateway VPC endpoint on the subnet's route table.

  8. In the "Handler" text box enter mainHandler.handler (without quotes). Set the Runtime to Python 2.7, the runtime this tool was written for (AWS has since retired Python 2.7 for Lambda, so a new deployment needs the function moved to a supported Python 3 runtime). Set the Timeout to the maximum in "Basic Settings" and save.
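
What the handler wired up above has to decide for each notification, as an added example that is neither the tool's mainHandler nor any other code from this page: unwrap the SNS record, map the hook name to a component and transition using the data.json layout, run the matching action, and report CONTINUE or ABANDON back to Auto Scaling. The data.json contents, hook names, instance ID and SNS messages below are constructed; the commission and decommission callables are stand-ins injected through `actions`, because the tool's real work (running the S3 script on the new instance and updating the Admin Console) is not shown on this page.

```python
# Added example, not the tool's own code: the decision logic a commission /
# decommission Lambda needs around the lifecycle event. data.json contents,
# hook names, SNS events and the commission/decommission callables passed in
# through `actions` are assumptions; the tool's real work is not shown here.
import json

REQUIRED_KEYS = ("ADMIN_CONSOLE_IP", "ADMIN_USERNAME", "ADMIN_PASSWORD",
                 "CLUSTER_NAME", "NAM_BUILD_NO")
LAUNCHING = "autoscaling:EC2_INSTANCE_LAUNCHING"
TERMINATING = "autoscaling:EC2_INSTANCE_TERMINATING"
SAMPLE_CONFIG = {"data": {   # constructed, in the data.json layout shown above
    "CredentialsBucket": "nam-secure-bucket", "PrivateKeyFile": "nam-ec2.pem",
    "IDP": {"AdminPropertiesFile": "idp-admin.properties", "LifecycleHook":
            {"Launch": "idp-launch-hook", "Terminate": "idp-termination-hook"}},
    "AG": {"AdminPropertiesFile": "ag-admin.properties", "LifecycleHook":
           {"Launch": "ag-launch-hook", "Terminate": "ag-termination-hook"}}}}

def parse_properties(text):
    """Parse the KEY=VALUE admin properties file; refuse it if a key is missing."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    missing = [k for k in REQUIRED_KEYS if not props.get(k)]
    if missing:
        raise ValueError("properties file missing: " + ", ".join(missing))
    return props

def classify_hook(hook_name, config):
    """Map a hook name to (component, "launch"|"terminate"); None if unknown."""
    for component, section in config["data"].items():
        hooks = section.get("LifecycleHook", {}) if isinstance(section, dict) else {}
        if hook_name == hooks.get("Launch"):
            return component, "launch"
        if hook_name == hooks.get("Terminate"):
            return component, "terminate"
    return None

def handle_event(event, config, autoscaling, actions):
    """Run the matching action, then tell Auto Scaling to CONTINUE or ABANDON.

    actions maps a component ("IDP") to {"launch": fn, "terminate": fn}; each
    fn gets the EC2 instance ID. Returns the LifecycleActionResult reported.
    """
    msg = json.loads(event["Records"][0]["Sns"]["Message"])
    if "LifecycleHookName" not in msg:       # e.g. autoscaling:TEST_NOTIFICATION
        return "ignored"
    component, transition = classify_hook(msg["LifecycleHookName"], config) or (None, None)
    fn = actions.get(component, {}).get(transition)
    # Defaults: a launch that cannot be configured is ABANDONed, so Auto Scaling
    # terminates it and an unconfigured server never enters service; a
    # termination always CONTINUEs, so a failure cannot leave the group waiting.
    result = "CONTINUE" if msg.get("LifecycleTransition") == TERMINATING else "ABANDON"
    if fn is not None:
        try:
            fn(msg["EC2InstanceId"])
            result = "CONTINUE"
        except Exception as exc:             # keep the default result decided above
            print("%s failed for %s: %s" % (msg["LifecycleHookName"], msg["EC2InstanceId"], exc))
    autoscaling.complete_lifecycle_action(
        LifecycleHookName=msg["LifecycleHookName"],
        AutoScalingGroupName=msg["AutoScalingGroupName"],
        LifecycleActionToken=msg["LifecycleActionToken"],
        InstanceId=msg["EC2InstanceId"], LifecycleActionResult=result)
    return result

class RecordingAutoscaling(object):
    """Stand-in for boto3.client("autoscaling") so the flow runs offline."""
    def __init__(self):
        self.calls = []
    def complete_lifecycle_action(self, **kwargs):
        self.calls.append(kwargs)
        return {}

def sns_event(message):
    """Wrap a message the way SNS delivers it to Lambda (constructed sample)."""
    return {"Records": [{"Sns": {"Message": json.dumps(message)}}]}

def lifecycle(hook, transition, instance="i-0123456789abcdef0"):
    """Constructed lifecycle message with the fields Auto Scaling sends."""
    return {"LifecycleHookName": hook, "LifecycleTransition": transition,
            "AutoScalingGroupName": "idp-asg", "EC2InstanceId": instance,
            "LifecycleActionToken": "token-1"}

def demo():
    """IDP launch, IDP termination, unsupported AG launch, test notification."""
    autoscaling, touched = RecordingAutoscaling(), []
    actions = {"IDP": {"launch": lambda i: touched.append(("commission", i)),
                       "terminate": lambda i: touched.append(("decommission", i))}}
    events = [sns_event(lifecycle("idp-launch-hook", LAUNCHING)),
              sns_event(lifecycle("idp-termination-hook", TERMINATING)),
              sns_event(lifecycle("ag-launch-hook", LAUNCHING)),
              sns_event({"Event": "autoscaling:TEST_NOTIFICATION"})]
    results = [handle_event(e, SAMPLE_CONFIG, autoscaling, actions) for e in events]
    return results, touched, autoscaling.calls
```

Inside Lambda the entry point would call handle_event with the loaded data.json, boto3.client("autoscaling") and the real commission/decommission functions. The point of the default results is that a crashed or half-finished commission can never leave an unconfigured Identity Server in service, while a failed decommission never blocks the instance from terminating; in both cases the failure is visible in the CloudWatch log line the handler prints.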

To Test the IDP Autoscaling scale out functionality:

  • Go to the created Auto Scaling group > Details.

  • Set the Min value to 0 and the Max value to your desired maximum. Set the Desired value to 1 and save.

  • If all the configurations are good, you will see a new Identity Server instantiated and added to the IDP cluster in the Admin Console.

To Test the IDP Autoscaling scale in functionality:

  • Go to the created Auto Scaling group > Details.

  • Set the Min value to 0 and the Max value to your desired maximum. Set the Desired value to 0 and save.

  • If all the configurations are good, you will see the newly added Identity Server removed from the IDP cluster in the Admin Console and the instance terminated.

Additionally, you can open CloudWatch > Logs > /aws/lambda/<your_lambda_function> and monitor the logs for more information.

Congratulations you have set-up Auto-scaling for IDP successfully.

If something doesn't go well, do post your comments here. Suggestions are welcome.

