Deploy an Ubuntu/Debian Amazon Web Services Server with Userdata and an Enrollment Token


This guide provides the information you need to deploy an Ubuntu/Debian Amazon Web Services Cloud Server with systemd to your Advanced Server Access team. Depending on your target server and enrollment type some topics in this guide may not apply to you, such as if your team's project will not be using enrollment tokens, or if you plan to add a different server type to your project. Modify your steps as needed to fit your team or refer to a different guide on the cloud deployments page.

Creating a cloud server with Userdata means installing the Advanced Server Access Agent simultaneously while you create a server with a cloud provider. Using user data to install software on a new cloud server can be done through any cloud provider, although user data helps dictate the specific software that you want on your servers. Installing the Advanced Server Access AgentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. on a Cloud Server doesn't need to be done when the cloud server is created, but running the installation as a startup script alongside a server's creation ensures that your Cloud Deployment is as safe and secure as possible.


You need the following permissions and resources to deploy an Amazon Web Services Server with Userdata

Amazon Web Services

Requirement Description
Amazon Web Services Account An Amazon Web Services account is needed to access the AWS Management console, where you can create a Virtual Machine for your team.

Advanced Server Access

Requirement Description
Advanced Server Access Team This is the top-level object that is representing an organization within Advanced Server Access.
Advanced Server Access Project This is the authorization-scope of your team, organizing your Users, Groups, and Servers.


Deploying an Amazon Web Services Server with Userdata has two major sections: Creating your team's server within the Amazon Web Services Management Console and Enrolling your new Server in your Advanced Server Access project. Click each link below to navigate to the instructions for each process.

  1. Create an Enrollment Token in the Advanced Server Access Console
  2. Create and Enroll your Amazon Web Services Server with Userdata

Create an Enrollment Token in the Advanced Server Access Console

  1. Within theAdvanced Server Access console, select the Projects header at the top of the page
  2. Select the project you want to add your server to
  3. Click the Enrollment tab within that Project's console and click the Create an Enrollment Token button

    Note: You can use the same enrollment token every time you add a server to your team. If you have already created an enrollment token, skip this step.

  4. Create a description for your new Enrollment token if prompted, and click Submit
  5. Once the token has been successfully created, copy the string of numbers in the Token field and save it for later

Create and Enroll your Amazon Web Services Server with Userdata

  1. Log into the Amazon Web Services Management Console.

  2. Click the Services tab at the top of the console and select the EC2 option in the Compute category to create a new EC2 Server
  3. Click the Launch Instance button to begin setup
  4. On the Choose an Amazon Machine Image page, scroll down the page and click the Select button for Ubuntu server 16.04 LTS (HVM), SSD Volume Type. Doing this sets your new instance as an Ubuntu/Debian Server with systemd
  5. On the Choose an InstanceAn instance, or computer instance, is a virtual machine (VM) or individual physical computer, used to host a software appliance. Type page, click the Next: Configure Instance Details button
  6. Select the Advanced Details dropdown on the Configure Instance Details page to access the User Data text box
  7. Within the User data text box, copy and paste the following:

    echo "Add an enrollment token"
    sudo mkdir -p /var/lib/sftd
    echo "<enrollment-token>" | sudo tee /var/lib/sftd/enrollment.token
    export DEBIAN_FRONTEND=noninteractive
    echo "Add a basic sftd configuration"
    sudo mkdir -p /etc/sft/
    sftcfg=$(cat <<EOF
    # CanonicalName: Specifies the name clients should use/see when connecting to this host.
    CanonicalName:            "ubuntu-target"
    echo -e "$sftcfg" | sudo tee /etc/sft/sftd.yaml
    echo "Retrieve information about new packages"
    sudo apt-get update
    sudo apt-get install -y curl
    echo "Add the ScaleFT testing apt repo to your /etc/apt/sources.list system config file"
    echo "deb linux main" | sudo tee -a /etc/apt/sources.list
    echo "Trust the repository signing key"
    curl -C - | sudo apt-key add -
    echo "Retrieve information about new packages"
    sudo apt-get update
    echo "Install sftd"
    sudo apt-get install scaleft-server-tools

    Note: This script creates a sftd.yaml file for your server and uses ubuntu-target as its CanonicalName. Modify and generate this information as needed to fit your teams and project environments.

  8. Replace <enrollment_token> in the pasted text with the token information you copied in the Create an Enrollment Token in Advanced Server Access section above
  9. Click the Review and Launch button and then press Launch at the bottom right corner of the screen.
  10. Select the dropdown in the Select an existing key pair or create a new key pair window and choose the Proceed without a key pair option
  11. Confirm and acknowledge your choice by selecting the relevant checkbox before clicking the Launch Instances button
  12. Select the View Instances button, and you should see your new server initializing on the Instances page

Ensure that your new server is listed in your Project's Server tab within the Advanced Server Access console before trying to SSH into your team's servers.