RightScale is a separate platform from the clouds it manages, and thus has its own authentication and authorization mechanisms. However, we do support multi-factor authentication through our support of SAML and identity federation.
RightScale currently does not support AWS MFA as an authentication mechanism in the RightScale dashboard.
However, the RightScale Cloud Management Platform supports the following end-user authentication mechanisms:
By leveraging SAML, RightScale can integrate with customer identity platforms such as Active Directory (ADDS and ADFS) or third-party identity platforms such as Okta, Ping, OneLogin, and others.
Two-factor authentication for access to RightScale can be implemented in a federated manner through any of the above identity management platforms or via OpenID.
You may leverage IP whitelisting capabilities in the RightScale platform to limit access to RightScale Cloud Management based on user IP address. Whitelisting policies apply to both the RightScale UI and API.
A session timeout is in place: sessions are invalidated after two hours of inactivity. This timeout applies to both UI and API sessions. See User and Account Management.
Note for Amazon Web Services
There are two cases for using AWS MFA on an AWS account:
1. When accessing the AWS console
2. When accessing the AWS API
RightScale uses API interactions between the RightScale gateway and the AWS API endpoint, so enabling AWS MFA for AWS console access (use case #1) has no effect on RightScale operations or access. However, if a user enables AWS MFA for API access (use case #2), this will break RightScale's ability to communicate with the AWS API endpoint. The main issue is that when AWS MFA is enabled for API access, the tokens are short-lived (36 hours max at this time). Per http://docs.aws.amazon.com/IAM/lates...tectedAPI.html: "MFA-protected API access is available only to services that support temporary security credentials"
Since RightScale must have long-term API access, the user would have to enter new credentials every day and a half (36 hrs), which isn't practical. MFA-protected API access only controls access for IAM users. Root accounts are not bound by IAM policies, which is why AWS recommends that you create IAM users to interact with AWS service APIs rather than use root account credentials. To learn how you can use IAM in RightScale, see Can I use AWS Identity and Access Management (IAM) to further restrict user access?
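A check that follows from the note above, as an added example (not RightScale's or AWS's code): it reads an IAM policy and reports how each MFA-conditioned statement treats a request signed with a long-term access key, which carries no MFA context. aws:MultiFactorAuthPresent and aws:MultiFactorAuthAge are the AWS IAM condition keys for MFA-protected API access and do not appear on this page; the function names and the sample policy are constructed for illustration.

```python
# IAM condition keys for MFA-protected API access (compared case-insensitively).
MFA_KEYS = {"aws:multifactorauthpresent", "aws:multifactorauthage"}

def matches_without_mfa(operator, value):
    """Does this MFA condition match when the request has no MFA context?

    A request signed with a long-term access key carries neither MFA key."""
    op = operator.lower()
    if isinstance(value, list):
        value = value[0] if value else ""
    if op == "null":                  # Null "true" means "the key is absent"
        return str(value).lower() == "true"
    if "not" in op:                   # negated operators: leave to a human
        return None
    return op.endswith("ifexists")    # a missing key matches only ...IfExists

def long_term_key_impact(policy):
    """List (sid, effect, verdict) for each statement conditioned on MFA."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        for operator, tests in stmt.get("Condition", {}).items():
            for key, value in tests.items():
                if key.lower() not in MFA_KEYS:
                    continue
                hit = matches_without_mfa(operator, value)
                state = "review" if hit is None else "applies" if hit else "skipped"
                findings.append((stmt.get("Sid", f"#{i}"), stmt["Effect"], state))
    return findings

# Constructed sample policy for the IAM user whose access key a platform stores.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DescribeAlways", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Sid": "ManageWithMfa", "Effect": "Allow", "Action": "ec2:*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Sid": "DenyStopNoMfa", "Effect": "Deny", "Action": "ec2:StopInstances", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    {"Sid": "DenyTerminatePlainBool", "Effect": "Deny", "Action": "ec2:TerminateInstances",
     "Resource": "*", "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
]}

if __name__ == "__main__":
    for sid, effect, state in long_term_key_impact(SAMPLE_POLICY):
        # "Allow skipped" or "Deny applies" means the stored key cannot make the call.
        print(f"{sid}: {effect} {state} for a long-term access key")
```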
© 2006-2014 RightScale, Inc. All rights reserved.