
Configure Amazon Web Services Access

The Amazon Web Services (AWS) collector is configured within the Resoto Worker configuration via the config command in Resoto Shell:

> config edit resoto.worker

Add aws to the list of collectors by modifying the configuration as follows:

resotoworker:
  ...
  # List of collectors to run
  collector:
    - 'aws'
  ...
...

Authentication

Resoto supports the authentication mechanisms described in the Boto3 SDK documentation. You can authenticate with AWS via the environment, an instance profile, an access key, or profiles.

Environment

Note: Resoto is meant to run unattended on a server using a service account or instance profile. Resoto supports the same environment variables that the AWS Command-Line Interface does (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE, AWS_ROLE_SESSION_NAME, etc.).

When using temporary credentials, however, they should be written to the credentials or config file and updated out-of-band instead of using environment variables, because the resotoworker process starts once and then runs forever (updated environment variables are only reflected upon restart).

You can specify a profile using AWS_PROFILE and, for local testing, SSO authentication would work as well. However, when Resoto is running unattended in a production environment, SSO credentials that require opening a browser window would not work.

  1. Set the required environment variables (e.g., AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY):

    • Add environment variable definitions to the resotoworker service in docker-compose.yaml:

      docker-compose.yaml
      services:
        ...
        resotoworker:
          environment:
            - AWS_ACCESS_KEY_ID=AKIAZGZKXXXXXXXXXXXX
            - AWS_SECRET_ACCESS_KEY=vO51EW/8ILMGrSBV/Ia9Fov6xZnKxxxxxxxxxxxx
          ...
        ...
    • Recreate the resotoworker container with the updated service definition:

      $ docker compose up -d
  2. Open the Resoto Worker configuration via the config command in Resoto Shell:

    > config edit resoto.worker
  3. Modify the aws section of the configuration as follows, making sure that aws.access_key_id and aws.secret_access_key are set to null:

    Resoto Worker configuration
    resotoworker:
      ...
    ...
    aws:
      # AWS Access Key ID (null to load from env - recommended)
      access_key_id: null
      # AWS Secret Access Key (null to load from env - recommended)
      secret_access_key: null
      ...

Access Key

You can define an access key directly in the Resoto configuration.

Note: The configuration is visible to anyone with access to Resoto. You can alternatively define an access key via environment variables.

  1. Open the Resoto Worker configuration via the config command in Resoto Shell:

    > config edit resoto.worker
  2. Modify the aws section of the configuration as follows:

    Resoto Worker configuration
    resotoworker:
      ...
    ...
    aws:
      # AWS Access Key ID (null to load from env - recommended)
      access_key_id: 'AKIAZGZKXXXXXXXXXXXX'
      # AWS Secret Access Key (null to load from env - recommended)
      secret_access_key: 'vO51EW/8ILMGrSBV/Ia9Fov6xZnKxxxxxxxxxxxx'
      ...

Instance Profile

  1. Configure an instance profile.

  2. Create a file ~/.aws/credentials with the credentials for the created instance profile:

    ~/.aws/credentials
    [default]
    region = us-west-2

    role_arn = arn:aws:iam::235059640852:role/Resoto
    external_id = a5eMybsyGIowimdZqpZWxxxxxxxxxxxx
    credential_source = Ec2InstanceMetadata
  3. Make your credentials file available to Resoto at /home/resoto/.aws:

    • Add the following volume definition to the resotoworker service in docker-compose.yaml:

      docker-compose.yaml
      services:
        ...
        resotoworker:
          image: somecr.io/someengineering/resotoworker:edge
          container_name: resotoworker
          ...
          volumes:
            - $HOME/.aws/credentials:/home/resoto/.aws/credentials
          ...
        ...
    • Recreate the resotoworker container with the updated service definition:

      $ docker compose up -d
  4. Open the Resoto Worker configuration via the config command in Resoto Shell:

    > config edit resoto.worker
  5. Modify the aws section of the configuration as follows, making sure that aws.access_key_id and aws.secret_access_key are set to null:

    Resoto Worker configuration
    resotoworker:
      ...
    ...
    aws:
      # AWS Access Key ID (null to load from env - recommended)
      access_key_id: null
      # AWS Secret Access Key (null to load from env - recommended)
      secret_access_key: null
      ...

Profiles

  1. Create a file ~/.aws/credentials with the desired profiles:

    ~/.aws/credentials
    [production]
    aws_xxx = yyy

    [test]
    aws_xxx = yyy

    [dev]
    aws_xxx = yyy

    ...
  2. Make your credentials file available to Resoto at /home/resoto/.aws:

    • Add the following volume definition to the resotoworker service in docker-compose.yaml:

      docker-compose.yaml
      services:
        ...
        resotoworker:
          image: somecr.io/someengineering/resotoworker:edge
          ...
          volumes:
            - $HOME/.aws/credentials:/home/resoto/.aws/credentials
          ...
        ...
    • Recreate the resotoworker container with the updated service definition:

      $ docker compose up -d
  3. Modify the aws section of the configuration as follows, adding one or more profile names from your ~/.aws/credentials file:

    Resoto Worker configuration
    resotoworker:
      ...
    ...
    aws:
      ...
      profiles:
        - production
        - test
        - dev

    Profiles can be combined with other AWS options, such as aws.role and aws.scrape_org.

    Note: When switching from profiles to another authentication option, be sure to set the value of aws.profiles to null.
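The authentication options above impose a few consistency rules: a static key in the worker config is visible to anyone with Resoto access, profiles named in aws.profiles must exist in the mounted credentials file, SSO profiles cannot be used unattended, temporary credentials in the environment are only read at startup, and aws.profiles must be reset to null when switching to another option. The following Python script is an added example, not part of the Resoto project or this page, that checks those rules offline against a constructed credentials file and a dict standing in for the parsed aws section of the worker config. The profile names, account id, role ARN and key values in it are placeholders; the check functions are assumptions of this example and are not a Resoto API.

```python
import configparser
from typing import Dict, List, Optional

# Constructed sample of a ~/.aws/credentials file (not a real file; every value
# is a placeholder). It mixes the shapes this page describes: a default profile
# that assumes a role via the instance metadata service, a static access-key
# profile, and an SSO profile that needs a browser login.
SAMPLE_CREDENTIALS = """
[default]
region = us-west-2
role_arn = arn:aws:iam::123456789012:role/Resoto
external_id = EXAMPLE_EXTERNAL_ID
credential_source = Ec2InstanceMetadata

[production]
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = EXAMPLESECRETEXAMPLESECRET

[sso-admin]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = Admin
"""

# Profile keys that imply an interactive (browser) SSO login.
SSO_KEYS = {"sso_start_url", "sso_session"}


def parse_credentials(text: str) -> Dict[str, Dict[str, str]]:
    """Parse credentials-file text into {profile_name: {key: value}}."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def env_provides_credentials(env: Dict[str, str]) -> bool:
    """True if the environment alone can yield credentials: a static key pair,
    a web-identity role, or a named profile selected with AWS_PROFILE."""
    static = env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY")
    web_identity = env.get("AWS_ROLE_ARN") and env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    return bool(static or web_identity or env.get("AWS_PROFILE"))


def check_aws_section(aws: dict, credentials: Dict[str, Dict[str, str]],
                      env: Dict[str, str]) -> List[str]:
    """Return findings for the aws section of the worker config (empty list = consistent).
    `aws` is assumed to be the already-parsed YAML section, e.g. from `config edit resoto.worker`."""
    findings: List[str] = []
    profiles: Optional[List[str]] = aws.get("profiles")
    key_in_config = aws.get("access_key_id") is not None or aws.get("secret_access_key") is not None

    if key_in_config:
        findings.append("access key stored in worker config: visible to anyone with Resoto access; "
                        "prefer environment variables or the credentials file")
        if aws.get("access_key_id") is None or aws.get("secret_access_key") is None:
            findings.append("access_key_id and secret_access_key must be set together (or both null)")

    if profiles:
        if key_in_config:
            findings.append("profiles and a static access key are both set; set access_key_id and "
                            "secret_access_key to null when using profiles")
        for name in profiles:
            section = credentials.get(name)
            if section is None:
                findings.append(f"profile '{name}' is not defined in the credentials file")
            elif SSO_KEYS.intersection(section):
                findings.append(f"profile '{name}' uses SSO login, which needs a browser "
                                "and cannot run unattended")
    else:
        if profiles is not None:  # e.g. [] left behind after switching away from profiles
            findings.append("aws.profiles is set but empty; set it to null when not using profiles")
        if not key_in_config and not env_provides_credentials(env) and "default" not in credentials:
            findings.append("no credential source found: set environment variables, an access key, "
                            "or a default profile in the credentials file")

    if env.get("AWS_SESSION_TOKEN"):
        findings.append("temporary credentials in the environment are read once at start and never "
                        "refreshed; write them to the credentials file and rotate them there")
    return findings


if __name__ == "__main__":
    creds = parse_credentials(SAMPLE_CREDENTIALS)
    worker_aws = {"access_key_id": None, "secret_access_key": None,
                  "profiles": ["production", "sso-admin", "dev"]}
    for line in check_aws_section(worker_aws, creds, {}):
        print("finding:", line)
```

Run it as a pre-flight check before `docker compose up -d`: feed it the credentials file you are about to mount and the aws section you are about to save, and fix every finding before the worker starts. The SSO check only looks at profile keys; it does not attempt a login, so it runs without network access.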

Resource Collection

By default, Resoto performs resource collection each hour. To immediately trigger a collect run, use the workflow run command in Resoto Shell:

> workflow run collect

Once the collect run completes, you can view a summary of collected AWS resources using the following search:

> search is(aws_resource) | count kind