Workers and connections

Unattended Workers and Robocorp Workforce Agent

Robocorp unattended worker is a term for different ways of deploying software robots in remote locations. There are two ways of deploying software robots:

  1. on a self-hosted installation on a local computer, server, or virtualized platform, or
  2. in a cloud-hosted container unattended worker

Robocorp Workforce Agent

The self-hosted installation of Robocorp unattended workers is done using an application called Robocorp Workforce Agent. It links a computer to a Control Room Workspace and enables Control Room to deploy and operate software robots on the computer securely. There are several options for setting up Robocorp Workforce Agent, so you can find the correct setup for you. Supported operating systems are macOS, Windows, and Linux (AppImage).

Self-hosted installations are suitable for use cases where the user manages the running environment, e.g., on-premise servers, virtual machines, or user-hosted containers. A self-hosted installation is required for automations that need access to local resources and systems that are not accessible from the Internet.

Optimal security practices for Robocorp Workforce Agent

Robocorp Workforce Agent is used to run automation code on a computer, server, or virtualized operating system or container. It is therefore important to keep the following security best practices in mind while using Robocorp unattended workers:

  1. Protect your Robocorp account with a strong password and avoid using shared accounts
  2. Protect your Control Room API keys and avoid hard-coding them directly into software robot or other source code
  3. Verify source code of software robots
  4. Do not run Robocorp unattended workers with root or administrator-level privileges. If possible, create a separate user with limited access rights to the underlying operating system and other devices on the network.
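
A pre-flight check for practices 2 and 4, added here as an example (not Robocorp code): it flags credential-looking names bound to string literals in Python robot source and detects a root process on POSIX hosts. The name pattern, the length threshold, the `connect` call and the `CONTROL_ROOM_API_KEY` variable in the sample are assumptions made for illustration; no real Control Room key format is assumed.

```python
import ast
import os
import re

# Heuristic name pattern (assumption); Control Room's real key format is not assumed.
SECRET_NAME = re.compile(r"(api[_-]?key|token|secret|password)", re.I)
MIN_LITERAL_LEN = 16  # shorter literals are usually placeholders or flags


def running_privileged(euid=None):
    """True when the process runs as root (POSIX only); euid can be injected for tests."""
    if euid is None:
        euid = os.geteuid() if hasattr(os, "geteuid") else -1
    return euid == 0


def hardcoded_secrets(source, filename="<robot>"):
    """Return (filename, line, name) for credential-like names bound to string literals."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        pairs = []
        if isinstance(node, ast.Assign):
            pairs = [(t.id, node.value) for t in node.targets if isinstance(t, ast.Name)]
        elif isinstance(node, ast.Call):
            pairs = [(kw.arg, kw.value) for kw in node.keywords if kw.arg]
        for name, value in pairs:
            if (SECRET_NAME.search(name) and isinstance(value, ast.Constant)
                    and isinstance(value.value, str)
                    and len(value.value) >= MIN_LITERAL_LEN):
                findings.append((filename, value.lineno, name))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample robot code: two hard-coded values, one read from the environment.
SAMPLE_ROBOT = '''
import os
API_KEY = "constructed-sample-key-0123456789"
client = connect(workspace="ws", api_token="constructed-sample-token-abcdef")
SAFE_KEY = os.environ["CONTROL_ROOM_API_KEY"]
'''

if __name__ == "__main__":
    if running_privileged():
        print("refusing to start: worker must not run as root")
    for fname, line, name in hardcoded_secrets(SAMPLE_ROBOT):
        print(f"{fname}:{line}: '{name}' is bound to a string literal")
```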

Robocorp Workforce Agent linking with Control Room

Robocorp Workforce Agent can be linked to Control Room in two ways:

  1. Log in to your Robocorp account via the Robocorp Workforce Agent and select a Workspace
  2. Choose the "Link token" option to use a one-time, short-lived token that can be generated in each Control Room Workspace, under Workers.

If you choose the first option to link the Robocorp Workforce Agent to Control Room via login, you can directly authenticate to Control Room and choose a Workspace from a list based on the Workspaces you have been invited to or created.

The second option relies on a one-time token used to establish a trusted connection between the Control Room Workspace and a Robocorp Workforce Agent. For security reasons, this token needs to be regenerated if multiple Apps are added.

Robocorp Workforce Agent secure communication with Control Room

Robocorp Workforce Agent connects to Control Room over an encrypted HTTPS connection on port 443. All connections are outbound from the Robocorp unattended worker, so typically no firewall rules need to be added.

The control channel between Control Room unattended worker and Control Room is implemented using the WebSocket protocol, and the rest of the communication uses traditional HTTP endpoints (REST API). All communication is encrypted on the transport layer. Additional end-to-end encryption and digital signatures are utilized on the application layer for specific important operations, such as Vault secret transportation.

Robocorp Hosted Cloud Worker

Control Room offers a managed version of a Robocorp Hosted Cloud Worker, which is launched on-demand in the cloud when robot execution starts. Under the hood, there is a Docker container that runs the Workforce Agent and executes one robot.

No local state is maintained between robot runs because a fresh container is used for each run. Currently, one Linux-based container option is available, providing a way to execute robots with no hardware setup.

The container unattended workers operate on hardened and isolated server instances.

What data is sent from the Robocorp unattended worker to Control Room?

For the Control Room unattended worker to operate in a Control Room Workspace, the only mandatory communication needed is workload-agnostic control data. Control data includes commands from the cloud and generic status information towards the cloud. By default, standard output and error streams are also delivered to Control Room for convenience.

Additionally, Control Room provides several opt-in services for typical robotic process automation (RPA) use cases.

The software robot developer has full control over what happens to other data being accessed during the robot execution. The software robot developer can choose not to send sensitive data to Control Room in work item payloads and artifacts.

How are artifacts stored and transferred from Robocorp unattended worker to Robocorp Control Room?

Artifact storage is backed by Amazon S3, and data is encrypted at rest using AWS-provided methods. Artifacts are transferred securely over HTTPS using short-lived S3 pre-signed requests. You may consider implementing application-level encryption as an additional security measure; however, Robocorp does not currently include any specific tooling for this purpose.
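
One way to add the application-level encryption mentioned above, as an added example rather than Robocorp tooling: the robot encrypts each artifact with AES-256-GCM before writing it to the directory that gets uploaded, binding the artifact name as associated data so a swapped or modified blob fails verification. It assumes the third-party `cryptography` package and a 32-byte key provisioned outside the source code; the `ART1` marker, the `.enc` suffix and the function names are constructed for this example.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"ART1"        # constructed format marker for this example
NONCE_LEN, TAG_LEN = 12, 16


def encrypt_artifact(key: bytes, name: str, plaintext: bytes) -> bytes:
    """Return MAGIC || nonce || ciphertext+tag, with the artifact name bound as AAD."""
    nonce = os.urandom(NONCE_LEN)  # fresh random nonce per artifact; never reuse with a key
    return MAGIC + nonce + AESGCM(key).encrypt(nonce, plaintext, name.encode())


def decrypt_artifact(key: bytes, name: str, blob: bytes) -> bytes:
    """Verify and decrypt; raises InvalidTag if the blob, key or name does not match."""
    if blob[:len(MAGIC)] != MAGIC or len(blob) < len(MAGIC) + NONCE_LEN + TAG_LEN:
        raise ValueError("not an encrypted artifact")
    body = blob[len(MAGIC):]
    return AESGCM(key).decrypt(body[:NONCE_LEN], body[NONCE_LEN:], name.encode())


def is_authentic(key: bytes, name: str, blob: bytes) -> bool:
    """True only if the blob decrypts and authenticates under this key and name."""
    try:
        decrypt_artifact(key, name, blob)
        return True
    except (InvalidTag, ValueError):
        return False


def write_encrypted(out_dir: str, name: str, plaintext: bytes, key: bytes) -> str:
    """Write only ciphertext into the directory that is uploaded as artifacts."""
    path = os.path.join(out_dir, name + ".enc")
    with open(path, "wb") as fh:
        fh.write(encrypt_artifact(key, name, plaintext))
    return path


if __name__ == "__main__":
    key = AESGCM.generate_key(bit_length=256)   # demo key; keep the real key out of source
    blob = encrypt_artifact(key, "invoices.csv", b"constructed,sample,row\n")
    assert decrypt_artifact(key, "invoices.csv", blob) == b"constructed,sample,row\n"
    assert not is_authentic(key, "other.csv", blob)  # renamed blob is rejected
```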

Assistants (attended robots)

The unattended worker concept serves the unattended robot use cases where Control Room handles the triggering. The end-user always triggers the Assistants.

September 14, 2021