Use case
You are in charge of several AWS accounts within an AWS Organisation and need to check the resources across these accounts. E.g., to check which are the configured runtimes for the lambdas.
Approach with Steampipe
Steampipe is a tool to query data from different providers. Among others, there is a plugin for AWS.
The big plus is that Steampipe provides the ability to query more than one account with a query with aggregator connection
This is how the result will look like for my AWS SSO accounts.
More about Steampipe and AWS: https://dev.to/aws-builders/easily-query-your-cloud-inventory-with-steampipe-2af3
Setup
It’s necessary to have a link between AWS CLI profiles and Steampipe connection for the AWS SSO accounts that can be recreated without any effects on the local setup, which is created inside a docker image. This docker image is based on Steampipe with additional installation of some tools, the AWS CLI and the AWS steampipe plugin.
Docker
FROM ghcr.io/turbot/steampipe
# Setup prerequisites (as root)
USER root:0
RUN apt-get update -y \
&& apt-get install -y git curl unzip jq
RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \
&& unzip awscliv2.zip \
&& ./aws/install \
&& rm -rf awscliv2.zip ./aws
# Install the aws and steampipe plugins for Steampipe (as steampipe user).
USER steampipe:0
RUN steampipe plugin install steampipe aws
The Steampipe docu is here: https://steampipe.io/docs/managing/containers
After creating the image with docker build -t steampipe-query .. The container can be created with the following command.
docker run --entrypoint /bin/bash -it \
--mount type=bind,source="${PWD}/queries",target=/workspace/queries \
--mount type=bind,source="${PWD}/scripts",target=/workspace/scripts \
--mount type=bind,source="${PWD}/.env",target=/workspace/.env \
--name steampipe-query \
steampipe-query
These are the commands to use the container again docker start -a steampipe-query and docker exec -it steampipe-query /bin/bash.
Queries
One of the mount points was the folder queries, which contain, in this example, the SQL to check the lambda runtime.
select
account_id,
_ctx ->> 'connection_name' as connection_name,
runtime,
count(*),
SUM(COUNT(*)) OVER() AS total_count
from
aws_all.aws_lambda_function
where runtime not in ('nodejs18.x', 'nodejs16.x', 'python3.9')
group by
account_id,
_ctx,
runtime
order by
connection_name,
runtime,
count;
The command to run this query is steampipe query queries/lambda-runtime.sql. This will work after the scripts have created the profiles and connections config.
Scripts
The other mount points are scripts and the env file. The first step is to set the needed env variable values and then run the script ./scripts/create-aws-config.sh inside the container, which creates the file ~/.aws/config with SS0 session values.
SSO_START_URL= # https://<your-aws-account-id>.awsapps.com/start
SSO_SESSION_NAME= # <your session name, it's just a name>
SSO_REGION= # <your region, e.g. us-east-1>
As next step source the env file with source .env to get the value for the session name. Than run the login to aws sso with the command aws sso login --sso-session $SSO_SESSION_NAME.
It will look like this.
Open the link in the browser and put in the code.
Then, allow the access.
After it’s confirmed, you can create profiles with the script ./scripts/create-aws-profiles.sh inside the container. This will create a profile for each account in the aws config file ~/.aws/config (after confirmation) with a suffix of the assigned roles for the accounts.
The scipt is adapted from this gist: https://gist.github.com/lukeplausin/3cfedc29755e184ef526b504c77ffe70
The last step for the setup is to create the connections for Steampipe with the script ./scripts/create-aws-connections.sh inside the container. This will create a connection for each profile in the AWS config file ~/.aws/config. Not every role is allowed to query the data, so it’s necessary to set the env variable ALLOWED_ROLES with the roles allowed to query the data. The roles are comma-separated. E.g.
ALLOWED_ROLES="AWSReadOnlyAccess,AWSAdministratorAccess"
And now it’s possible to run the queries with steampipe 🥳
Code
JohannesKonings
/
aws-sso-steampipe
Setup with Docker for AWS SSO Steampipe queries
aws-sso-steampipe
docker build -t steampipe-query .
docker run --entrypoint /bin/bash -it \
--mount type=bind,source="${PWD}/queries",target=/workspace/queries \
--mount type=bind,source="${PWD}/scripts",target=/workspace/scripts \
--mount type=bind,source="${PWD}/.env",target=/workspace/.env \
--name steampipe-query \
steampipe-query
docker start -a steampipe-query
docker exec -it steampipe-query /bin/bash
aws sso login --sso-session $SSO_SESSION_NAME
steampipe query queries/lambda-runtime.sql
Top comments (1)
Just found some scripts from Steampipe: github.com/turbot/steampipe-sample...
Maybe they can replace some of the described scripts.