Environments and connections

Runtime environments and Robocorp Workforce Agent

Robocorp runtime environment is a term for different ways of deploying software robots in remote locations. There are two ways of deploying software robots:

  1. on a self-hosted installation on a local computer, server, or virtualized platforms, or
  2. in a Cloud hosted container runtime environment

Robocorp Workforce Agent

The self-hosted installation of the Robocorp runtime environment is called Robocorp Workforce Agent. It links a computer to Control Room Workspace and enables Control Room to deploy and operate software robots on the computer securely. Workspace admins can download installers for Robocorp Workforce Agent from Control Room, under "Environments". Supported operating systems are macOS, Windows, and Linux (AppImage).

Self-hosted installation is suitable for all kinds of different use cases where the user manages the running environment, e.g., on-premise servers, virtual machines, or user-hosted containers. Self-hosted installation is required for software robots that require access to the local resources and systems that are not accessible from the Internet.

Optimal security practices for Robocorp Workforce Agent

Robocorp Workforce Agent is used to run automation code on the computer, server, or virtualized operating systems or containers. Therefore it is important to keep in mind some security best practices to keep in mind while using Robocorp runtime environments:

  1. Protect your Robocorp account with a strong password and avoid using shared accounts
  2. Protect your Control Room API keys and avoid hard-coding them directly into software robot or other source code
  3. Verify source code of software robots
  4. Do not run Robocorp runtime environments with root or administrator-level privileges. If possible, create a separate user with limited access rights to the underlying operating system and other devices on the network.

Robocorp Workforce Agent linking with Control Room

Robocorp Workforce Agent can be linked to Control Room in two ways:

  1. Log in to your Robocorp account via the Robocorp Workforce Agent and select a Workspace
  2. Choose the "Link token" option to use a generated one-time and short-lived token that can be generated in each Control Room Workspace, under "Environments".

If you choose the first option to link the Robocorp Workforce Agent to Control Room via login, you can directly authenticate to Control Room and choose a Workspace from a list based on the Workspaces you have been invited to or created.

The second option relies on a one-time token used to establish a trusted connection between the Control Room Workspace and a Robocorp Workforce Agent. For security reasons, this token needs to be regenerated if multiple Apps are added.

Robocorp Workforce Agent secure communication with Control Room

Robocorp Workforce Agent connects to Control Room over an encrypted HTTPS connection on port 443. All connections are outbound from the Robocorp runtime environment, requiring typically zero firewall rules to be added.

The control channel between Control Room runtime environment and Control Room is implemented using the WebSocket protocol, and the rest of the communication uses traditional HTTP endpoints (REST API). All communication is encrypted on the transport layer. Additional end-to-end encryption and digital signatures are utilized on the application layer for specific important operations, such as Vault secret transportation.

Control Room runtime environment

Control Room offers a managed version of a cloud runtime environment, which is launched on-demand in the cloud when robot execution starts. Under the hood, there is a Docker container that runs the Workforce Agent and executes one robot.

No local state is maintained between robot runs because a fresh container is used for each run. Currently, one Linux-based container option is available, providing a way to execute robots with no hardware setups.

The container runtime environments operate on hardened and isolated server instances.

What data is sent from the Robocorp runtime environment to Control Room?

For the Control Room runtime environment to operate in a Control Room Workspace, the only mandatory communication needed is workload-agnostic control data. Control data includes commands from the cloud and generic status information towards the cloud. By default, also standard output and error streams are delivered to Control Room for convenience.

Additionally, Control Room provides several opt-in services for typical robotic process automation (RPA) use cases.

The software robot developer has full control over what happens to other data being accessed during the robot execution. The software robot developer can choose not to send sensitive data to Control Room in work item payloads and artifacts.

How are artifacts stored and transferred from Robocorp runtime environment to Robocorp Control Room?

Artifact storage is backed by Amazon S3, and data is encrypted at rest using AWS-provided methods. Artifacts are transferred securely over HTTPS using short-lived S3 pre-signed requests. You may consider implementing application-level encryption as an additional security measure; however, Robocorp does not currently include any specific tooling for this purpose.

Assistants (attended robots)

The runtime environment concept serves the unattended robot use cases where Control Room handles the triggering. The end-user always triggers the Assistants.

September 14, 2021