Complete the following steps to download and install the PingIntelligence policy tool:
  1. Download the PingIntelligence policy tool to the /opt directory.
  2. Complete the following steps to untar the policy tool:
    1. At the command prompt, type the following command to untar the policy tool file:
      tar –zxvf <filename>
      For example:
      tar –zxvf pi-aws-4.0.tar.gz
    2. To verify that the tool successfully installed, type the ls command at the command prompt. This should list the pingidentity directory and the build .tgz file.
The following table lists the directories:
Directory Description
bin Contains the following scripts:
  • The script to deploy the PingIntelligence policy.
  • The script to undeploy the PingIntelligence policy.
  • Reports the deployment status of IAM role and Lambda function.
lib Jar files and various dependencies. Do not edit the contents of this directory.
Contains the request and response Lambda functions:
config Contains the file.
logs Contains the log and status files.

Configure the automated tool

Configure the file available in the /pingidentity/pi/aws/config/ directory. The following table describes the variables in the file:
Variable Description
mode Choose the authentication mode between keys and role
Note: If you running the PingIntelligence policy tool from your local machine, use the keys mode. If you are running the tool from an EC2 instance, use the rolemode.
access_key AWS access key. This is applicable when the mode is set to keys
secret_key AWS secret key. This is applicable when the mode is set to keys
aws_lambda_memory AWS Origin Response Lambda memory in MB. Default value is 1024 MB. The memory can be configured in multiple of 64. Minimum and maximum value are 128 and 3008 respectively. For more information, see AWS Lambda Pricing
cloudfront_distribution_id The CloudFront distribution ID.
ase_host_primary The ASE primary host IP address and port or hostname and port
ase_host_secondary The ASE secondary host IP address and port or hostname and port. ASE secondary host receives traffic only when the primary ASE host is unreachable.
Note: This field cannot be left blank. In a testing environment, enter the same IP address for primary and secondary ASE host.

If both the ASE hosts are unreachable, the request is directly sent to the backend API server.

ase_ssl Enable or disable SSL communication between Lambda functions and ASE. The default value is true.
ase_sideband_token Enter the ASE token generated during the prerequisite step.

Following is a sample file:

# Copyright 2019 Ping Identity Corporation. All Rights Reserved.
# Ping Identity reserves all rights in The program as delivered. Unauthorized use, copying,
# modification, reverse engineering, disassembling, attempt to discover any source code or
# underlying ideas or algorithms, creating other works from it, and distribution of this
# program is strictly prohibited. The program or any portion thereof may not be used or
# reproduced in any form whatsoever except as provided by a license without the written
# consent of Ping Identity.  A license under Ping Identity's rights in the Program may be
# available directly from Ping Identity.

#Authentication mode access-key & secret-key / role based access. Values can be keys or role.
#AWS access key
#AWS secret key
#AWS Lambda memory in MB. It should be a multiple of 64. Minimum and maximum value are 128 and 3008 respectively.
#Cloudfront distribution ID

#ASE Primary Host <IP/Host>:<port>
#ASE Secondary Host <IP/Host>:<port>
#ASE SSL status
#ASE sideband authentication token

Create Role

If you have set the authentication mode as role in the file, create a role for the EC2 instance. This role is required for the PingIntelligence policy deployment tool. Complete the following steps to create and configure.
  1. Select EC2 as service and click on Next: Permissions button:
  2. Choose the following three Policies and provide a name for each role (for example, PIDeploymentToolRole):
    • IAMFullAccess
    • AWSLambdaFullAccess
    • CloudFrontFullAccess
    • AmazonEC2FullAccess

    After providing the name, click on Create role.

  3. In the Summary page of the role that you created in step 2, click on the Trust relationships tab and then click on Edit trust relationship button: