---
name: setup-service-scanner
description: |
  Creates a scanner configuration to discover services (such as AI agents, MCP servers, and API metadata) from external platforms like AWS Bedrock, Microsoft Copilot, or Google Vertex AI.
  Use when setting up scanner discovery, configuring a new scanner, connecting to cloud AI platforms, or importing discovered services into Anypoint Exchange.
---

> **Agent context:** For execution instructions, authentication, input types, and x-origin resolution, read [https://dev-portal.mulesoft.com/AGENTS.md](https://dev-portal.mulesoft.com/AGENTS.md).

# Set Up a Scanner

## Overview

Creates a complete scanner configuration that can discover and import services (such as AI agents, MCP servers, and API metadata) from external platforms into Anypoint Exchange. This involves selecting a target system, validating credentials, and configuring the scanner.

**What you'll build:** A fully configured scanner that can discover services from your chosen cloud platform (AWS Bedrock, Microsoft Copilot, Google Vertex AI, etc.)

## Prerequisites

Before starting, ensure you have:

1. **Anypoint Platform Access**
   - Valid Anypoint Platform account with appropriate permissions
   - Organization ID for your Business Group

2. **Cloud Platform Credentials**
   - Credentials for the external platform you want to scan (e.g., AWS access keys, Azure credentials, Google service account)
   - Network access to the target platform's APIs

3. **Permissions**
   - Permission to create scanner configurations in your organization
   - Permission to store credentials securely

## Step 1: Get Available Target Systems

First, retrieve the list of available target systems to see which platforms you can scan.

**What you'll need:**
- Your organization ID

**Action:** Call the Scanners Configuration API to list available target systems for your organization.

```yaml
api: urn:api:agent-scanner-configuration-service
operationId: getTargetSystems
inputs:
  organizationId:
    from:
      api: urn:api:access-management
      operation: getOrganizations
      field: $.id
    name: currentOrganization
    description: Your organization's Business Group GUID
outputs:
  - name: targetSystemId
    path: $[*].id
    labels: $[*].name
    description: The target system ID to use when creating a connection
  - name: targetSystemType
    path: $[*].type
    description: The target system type (e.g., bedrock, mscopilot, vertex)
```

**What happens next:** You receive a list of available target systems with their IDs, names, and supported authentication schemes. Choose the one matching your cloud platform.

**Common issues:**
- **401 Unauthorized**: Verify your authorization token is valid
- **Empty list**: Your organization may not have access to certain target systems

## Step 2: Validate Connection Credentials

Validate the credentials you plan to use for scanner configuration.

**What you'll need:**
- Target system type from Step 1
- Authentication credentials for the platform (varies by target system)

**Action:** Test connectivity with your platform credentials.

```yaml
api: urn:api:agent-scanner-configuration-service
operationId: testConnection
inputs:
  organizationId:
    from:
      variable: organizationId
    description: Same organization ID as Step 1
  targetSystemType:
    from:
      variable: targetSystemType
    description: Target system type from Step 1 (for example, bedrock, mscopilot, vertex)
  requestBody:
    userProvided: true
    description: |
      Connection test parameters including:
      - authScheme: Authentication scheme (e.g., "accessKey", "oauth2")
      - authParameters: JSON with credentials (varies by platform)
    example: |
      {
        "authScheme": "accessKey",
        "authParameters": "{\"accessKeyId\":\"...\",\"secretAccessKey\":\"...\",\"region\":\"us-east-1\"}"
      }
outputs: []
```

**What happens next:** You confirm whether the credentials are valid before creating the scanner configuration.

**Common issues:**
- **400 Bad Request**: Check that authParameters JSON is valid and contains required fields
- **424 Failed Dependency**: Target platform rejected or could not validate the credentials

## Step 3: Create Scanner Configuration

Create the scanner configuration that will use your connection to discover services.

**What you'll need:**
- Target system ID from Step 1
- Authentication details validated in Step 2
- A name and schedule for the scanner

**Action:** Create the scanner configuration.

```yaml
api: urn:api:agent-scanner-configuration-service
operationId: createScanConfigurations
inputs:
  organizationId:
    from:
      variable: organizationId
    description: Same organization ID as previous steps
  requestBody:
    userProvided: true
    description: |
      Scanner configuration including:
      - name: Display name for the scanner
      - schedule: JSON schedule configuration
      - runPolicy: JSON run policy (can be empty object)
      - connection: Object with connection details
      - notificationEnabled: Whether to send email notifications
    example: |
      {
        "name": "My Bedrock Scanner",
        "description": "Scans AWS Bedrock for services such as AI agents",
        "schedule": "{\"frequency\":\"daily\",\"time\":\"02:00\"}",
        "runPolicy": "{}",
        "connection": {
          "targetSystemId": "target-system-uuid-from-step-1",
          "authScheme": "accessKey",
          "authParameters": "{\"accessKeyId\":\"...\",\"secretAccessKey\":\"...\",\"region\":\"us-east-1\"}"
        },
        "notificationEnabled": false
      }
outputs:
  - name: scannerConfigurationId
    path: $.id
    description: The UUID of the created scanner configuration
  - name: scannerState
    path: $.state
    description: The current state of the scanner (e.g., SCHEDULED, STOPPED)
```

**What happens next:** The scanner configuration is created. Depending on the schedule, it will automatically run at the configured times, or you can trigger it manually.

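In Steps 2 and 3, `authParameters`, `schedule` and `runPolicy` are JSON documents carried as strings inside the request JSON, which is where the 400 Bad Request cases this page describes usually come from. The Python below is an added example, not part of the original skill or of MuleSoft's tooling: it checks a `createScanConfigurations` body before it is sent and returns a copy that is safe to log. Treating `accessKeyId`, `secretAccessKey` and `region` as required for the `accessKey` scheme is an assumption taken from the page's example, and the sample values are constructed placeholders.

```python
import copy
import json

# Fields in the page's accessKey example; treating all three as required is an assumption.
ACCESS_KEY_FIELDS = ("accessKeyId", "secretAccessKey", "region")
REQUIRED_FIELDS = ("name", "schedule", "runPolicy")  # named under Troubleshooting
# Constructed sample with placeholder credentials; nested fields encoded via json.dumps.
SAMPLE_AUTH = {"accessKeyId": "EXAMPLE_ID", "secretAccessKey": "EXAMPLE_SECRET", "region": "us-east-1"}
SAMPLE = {
    "name": "My Bedrock Scanner",
    "schedule": json.dumps({"frequency": "daily", "time": "02:00"}),
    "runPolicy": "{}",
    "connection": {"targetSystemId": "target-system-uuid-from-step-1",
                   "authScheme": "accessKey", "authParameters": json.dumps(SAMPLE_AUTH)},
}


def _parse_object(label, value, problems):
    """Decode a JSON-in-a-string field; record a problem unless it holds a JSON object."""
    try:
        decoded = json.loads(value)
    except (TypeError, json.JSONDecodeError):
        decoded = None  # not a string (e.g. a nested object) or not valid JSON
    if not isinstance(decoded, dict):
        problems.append(f"{label} must be a string holding a JSON object")
        return None
    return decoded


def preflight(body):
    """Return the problems likely to produce a 400 Bad Request; empty list means none found."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in body]
    for field in ("schedule", "runPolicy"):
        if field in body:
            _parse_object(field, body[field], problems)
    conn = body.get("connection") or {}
    auth = _parse_object("connection.authParameters", conn.get("authParameters"), problems)
    if auth is not None and conn.get("authScheme") == "accessKey":
        problems += [f"authParameters missing {f}" for f in ACCESS_KEY_FIELDS if not auth.get(f)]
    return problems


def redact(body):
    """Return a copy safe to log: every authParameters value except region is masked."""
    safe = copy.deepcopy(body)
    conn = safe.get("connection") or {}
    auth = _parse_object("authParameters", conn.get("authParameters"), [])
    masked = {k: v if k == "region" else "***" for k, v in (auth or {}).items()}
    conn["authParameters"] = json.dumps(masked) if auth else "***"
    return safe
```

Log `redact(body)` rather than the body itself when recording failed requests, so access keys do not end up in job logs or tickets.
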
## Completion Checklist

After completing all steps, verify:

- [ ] Target system was selected from available options
- [ ] Credentials were validated successfully
- [ ] Scanner configuration was created successfully
- [ ] Scanner state shows as SCHEDULED or STOPPED (ready to run)

## What You've Built

Your scanner configuration now has:

**Connection to External Platform**
- Secure credential storage
- Connection to your chosen cloud platform

**Configured Scanner**
- Named scanner configuration
- Scheduled or manual execution
- Ready to discover services such as AI agents, MCP servers, and API metadata

## Next Steps

Now that your scanner is configured:

1. **Run the scanner manually** - Use the "Run Scan and View Results" skill to execute immediately
2. **Monitor scheduled runs** - Check the scanner run history for automated executions
3. **Review discovered services** - View staging assets to see discovered services before publication

## Tips and Best Practices

### Security

- **Rotate credentials regularly**: Update connection credentials periodically
- **Use least-privilege access**: Only grant the minimum permissions needed for scanning

### Scheduling

- **Off-peak hours**: Schedule scans during low-traffic periods
- **Frequency**: Daily scans are typically sufficient for most use cases

## Troubleshooting

### Connection Validation Fails

**Symptoms:** Credential validation request fails or returns a dependency error

**Possible causes:**
- Invalid credentials
- Network connectivity issues
- Insufficient permissions on the target platform

**Solutions:**
- Verify credentials are correct and not expired
- Check network/firewall rules allow access to the platform APIs
- Ensure the credentials have read access to list services

### Scanner Configuration Creation Fails

**Symptoms:** 400 Bad Request when creating scanner configuration

**Possible causes:**
- Invalid schedule JSON format
- Missing required fields
- Invalid connection/auth payload structure

**Solutions:**
- Validate schedule JSON syntax
- Ensure all required fields (name, schedule, runPolicy) are provided
- Verify the connection payload fields and credential format

## Related Jobs

- **run-service-scan-and-view-results**: Execute a scan and view discovered services