orchestrator
latest
false
UiPath logo, featuring letters U and I in white

Orchestrator User Guide

Automation CloudAutomation Cloud Public SectorAutomation SuiteStandalone
Last updated Dec 18, 2024

Cloud Provider Setup

Setup in Azure

If your cloud service provider is Microsoft Azure, follow the instructions in this section to prepare to connect Orchestrator to Azure.

Note: If you are not the Azure administrator, skip this section and instead reach out to your IT team to perform these steps and ask them to provide the details listed under Azure Requirements.
  1. Sign in to Azure with an administrator account.
  2. Navigate to App registrations and create an app registration for your Orchestrator instance.
  3. Copy the Application (Client) ID and Directory (Tenant) ID and save them for later use.


  4. Navigate to Certificates & secrets and create a client secret.
  5. Copy the Value of the client secret and save it for later use.


  6. Navigate to Resource groups and create a resource group for your Orchestrator.
  7. Copy the Subscription ID and save it for later use.
    If you already have a resource group that you want to use, open the overview for that resource group to get the Subscription ID.
    docs image
  8. Navigate to Access Control (IAM), search for the name you gave to your Orchestrator app registration, and assign the Contributor role to it.

Preparing a Virtual Machine Image

Note: If you intend to use customized VMs instead of a template VM, skip this section and instead create the VMs you want to use for elastic robot orchestration.

Robots need a machine on which to run. As part of elastic robot orchestration, we can use your cloud-hosted virtual machine (VM) to create machines on demand for robots to run when needed.

When creating a virtual machine in Azure, Microsoft provides a set of images to build your virtual machines. They are images of different operating systems, such as Windows Server or Windows 10 Pro, that allow you to install the software you need to run automation jobs.

To capture a virtual machine image:

  1. Create a virtual machine in your Azure account and connect to it:
    1. Navigate to Virtual machines and create a virtual machine for the resource group you created earlier.
    2. Connect to your virtual machine.
  2. Create the local user and install the needed automation software:
    Important: Do not join the virtual machine to a domain.
    1. Update Windows and reboot if necessary.
    2. Create a local user for the unattended robot (for example, uirobot). Assign the Administrator role to the local user, clear User must change password at next login, and select Password never expires.
    3. Grant remote access permissions on the virtual machine to the local user.
    4. Log out from the administrator account and log in as the local user.
    5. Install any supporting software you need for automations, such as Microsoft Excel or Google Chrome. You do not need to install UiPath software, we do that for you.
    6. Log out from the robot account and log in as an administrator.
    Important: If you have installed the robot (optional), make sure you do not connect it to Orchestrator, otherwise you won't be able to use the Virtual Machine image.
  3. Create a generalized Virtual Machine image:
    Use the Sysprep tool to generalize the virtual machine.
    Note: sysprep.exe disconnects your session halfway through.
  4. After the status of the virtual machine changes to Stopped, create a managed image of your virtual machine.
    Note: Select the same resource group as for the virtual machine. Also, select No, capture only a managed image.

You now have a fully configured image that you can use to create new virtual machines for automation.

Setup in AWS

If your cloud services provider is Amazon Web Services (AWS), follow the instructions in this section to configure Amazon Elastic Compute Cloud (Amazon EC2) for elastic robot orchestration.

Note: If you are not the AWS administrator, skip this section and instead reach out to your IT team to perform these steps and ask them to provide the details listed under AWS Requirements .

AWS best practices

Choosing the right AWS region: Ensure Amazon Virtual Private Cloud (Amazon VPC) is located in an appropriate region. We recommend you always pick the AWS region that is closest to the region where your Orchestrator instance is hosted when creating an elastic robot pool. Consider both latency and data transfer costs between Orchestrator, Robots, and the customer application when determining the location of the VPC. Contact the UiPath support team for details on how to allocate all your assets close to each other. Learn more about regions and instances in the Getting Started guide.

Capacity and cost optimization: Ensure Amazon Elastic Compute Cloud (Amazon EC2) resources are sized appropriately according to the deployment, customer requirements, and UiPath best practices. Amazon EC2 passes on to you the financial benefits of Amazon’s scale. See Amazon EC2 Instance Purchasing Options for a more detailed description of Amazon EC2 pricing. UiPath allows you to use your existing machines to take advantage of your optimized EC2 size configuration. We recommend downsizing or terminating idle or underutilized Amazon EC2 instances to optimize costs.

Calculate the costs: You can use the AWS pricing calculator to get an estimate of Total Cost of Ownership (TCO) for UiPath infrastructure deployed on AWS, by using the AWS label UiPath:Managed: true. The cost displayed in the calculator is for the infrastructure only. To get a more accurate TCO value, also consider the cost of UiPath licenses.

Generate an AWS Access Key

  1. Log in to the Amazon EC2 console as a user who has the following permissions:

    Permission Category

    Read / List

    Update

    Create

    Delete

    ec2:*

    All

    All

    All

    All

    cloudformation:*

    All

    All

    All

    All

    ssm:*

    All

    All

    All

    All

    iam.*

    iam:GetInstanceProfile

    iam:ListInstanceProfiles

    iam:GetRole

    iam:ListRoles

    iam:PutRole

    iam:PutRolePolicy

    iam:PassRole

    iam:AddRoleToInstanceProfile

    iam:CreateInstanceProfile

    iam:CreateRole

    iam:RemoveRoleFromInstanceProfile

    iam:DeleteInstanceProfile

    iam:DeleteRole

    iam:DeleteRolePolicy

  2. Follow the Amazon documentation to create an access key.
  3. Save the access key ID and secret access key for later use.

Create an AWS EC2 Image

Note: If you intend to use customized VMs instead of a template VM, skip this section and instead create the VMs you want to use for elastic robot orchestration.
  1. Log in to the Amazon EC2 console.
  2. Follow the Amazon documentation to create an AWS EC2 instance and perform the following as part of the process:
    1. For the AMI, choose a Windows 10 or a Windows Server image. If one does not exist, you must create it.
    2. While connected over RDP, install any Windows updates and reboot if necessary.
    3. After rebooting, install any supporting applications you need for automations, such as Microsoft Excel or Google Chrome. You do not need to install UiPath software, we do that for you.
    4. Delete the folder C:\Windows\Panther.
    5. Create a Windows local user for the robot, for example, robot and grant remote desktop rights to it.
    6. Press Ctrl + Alt + Delete and change the password for the robot user.
    7. Open the Ec2 Launch Settings and click Shutdown with Sysprep along the bottom.

      Sysprep is a Microsoft tool and you use it to create a generalized machine image for EC2.

  3. After Sysprep finishes, in the Amazon EC2 console, wait for the instance to shut down, then right-click and go to Image and templates > Create image:


You can see the new image in the Amazon EC2 console, on the left under Images > AMIs. You now have a fully configured image that you can use to create new virtual machines for automation.

Implementing role-based authentication

Implementing role-based authentication helps security, since the credentials provided to a role are temporary. This limits the potential impact if they are compromised.

To set up the Identity and Access Management (IAM) role-based authentication:

  1. Add your provider: go to the AWS Console > Identity and Access Management (IAM) > IAM Dashboard page.
    1. Under IAM resources, select Identity providers.
    2. Select Add provider.
    3. For the Provider type, select OpenID Connect.
    4. In the Provider URL field, write: sts.windows.net/d8353d2a-b153-4d17-8827-902c51f72357/.
    5. In the Audience field, write: 55640c46-3d06-4875-9c8a-624cad15aaf7.
    6. Finish the provider configuration by hitting Add provider.
  2. Configure the policy: go to the IAM Dashboard page.
    1. Under IAM resources, select Policies.
    2. Select Create policy.
    3. Switch to the JSON option.
    4. In the Policy editor, copy-paste the following policy in JSON format:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ec2:*",
              "cloudformation:*",
              "ssm:*",
              "iam:GetInstanceProfile",
              "iam:ListInstanceProfiles",
              "iam:GetRole",
              "iam:ListRoles",
              "iam:PutRolePolicy",
              "iam:PassRole",
              "iam:AddRoleToInstanceProfile",
              "iam:CreateInstanceProfile",
              "iam:CreateRole",
              "iam:RemoveRoleFromInstanceProfile",
              "iam:DeleteInstanceProfile",
              "iam:DeleteRole",
              "iam:DeleteRolePolicy"
            ],
            "Resource": "*"
          }
        ]
      }{
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ec2:*",
              "cloudformation:*",
              "ssm:*",
              "iam:GetInstanceProfile",
              "iam:ListInstanceProfiles",
              "iam:GetRole",
              "iam:ListRoles",
              "iam:PutRolePolicy",
              "iam:PassRole",
              "iam:AddRoleToInstanceProfile",
              "iam:CreateInstanceProfile",
              "iam:CreateRole",
              "iam:RemoveRoleFromInstanceProfile",
              "iam:DeleteInstanceProfile",
              "iam:DeleteRole",
              "iam:DeleteRolePolicy"
            ],
            "Resource": "*"
          }
        ]
      }
      
    5. Select Next.
    6. Provide a Policy name and, optionally, a Description.
    7. Finish the policy configuration by hitting Create policy.
  3. Create and configure roles: go to the IAM Dashboard page.
    1. Under IAM resources, select Roles.
    2. Select Create role.
    3. For the Trusted entity type, select Web Identity.
    4. In the Identity provider field, write the same value used in step 1, for the Provider URL field.
    5. In the Audience field, write the same value used in step 1, for the Audience field.
    6. Select Next to add permissions.
    7. In the Permissions policies field, search for the policy created in step 2, then select it.
    8. Select Next for final configurations.
    9. Provide a Role name and, optionally, a Description.
    10. Finish the role configuration by hitting Create role.
  4. Copy the Role ARN of the newly created role:
    1. Go to the IAM Dashboard page.
    2. Select Roles from the left-side panel. This opens the Roles page.
    3. Under Summary, copy the value for the ARN.
  5. Paste the role ARN value when setting up the AWS connection in Orchestrator.

    The Role ARN ID field is displayed after you select the ARN Based Authentication.

Setup in GCP

If your cloud service provider is Google Cloud Platform (GCP), follow the instructions in this section to prepare to connect Orchestrator to GCP.

Note: If you are not the GCP administrator, skip this section and instead reach out to your IT team to perform these steps and ask them to provide the details listed under GCP Requirements.
  1. Create a new project in GCP.
  2. Get the Project ID and save it for later use.
  3. Create a service account in your GCP project.
  4. Create a service account key in JSON and save the Private Key value for later use.

Creating Virtual Machines

If you want to use elastic robot orchestration and have us create machines for you on demand, you must create custom machine images in your GCP project.

The following instructions are a sample configuration for creating an image from a persistent disk, which is created from an existing Windows VM you have under your project.

  1. Log in to the Google Cloud Console.
  2. Click Compute Engine, and then under Virtual machines click VM instances.
  3. Click Create Instance at the top of the page.
  4. Fill in the details as follows:
    • For Name,Region, and Zone, you can specify whatever you want.
    • For Machine configuration, you can leave the default values.
    • Under Boot disk, click Change and then click Public Images.
    • For Operating system, select Windows.
    • Under Version select any of the Windows Server 2019 options.
    • You can accept the defaults for Boot disk type and Size (GB), or you can modify them according to your needs.
  5. Click Create.
  6. After boot disk is ready, you can click Create and GCP creates the virtual machine (VM) for you.
  7. To be able to use a custom image created from the VM, stop the VM you just created.
  8. At the side of the page, go to Storage and click Images.
  9. At the top of the page, click Create Image.
  10. Continue with these instructions to create a Windows image.

Was this page helpful?

Get The Help You Need
Learning RPA - Automation Courses
UiPath Community Forum
Uipath Logo White
Trust and Security
© 2005-2024 UiPath. All rights reserved.