This method describes the process of configuring AWS access by creating and using access keys for IAM users. It enables AWS access across all installation methods. Don’t forget to add AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to the c8-secret during installation.
Please refer to the official AWS documentation about creating access keys for IAM users.
Important: As a best practice, use temporary security credentials (such as IAM roles) instead of creating long-term credentials like access keys.
Download the IAM policy that grants read permissions to all AWS resources:
curl -o sh-c8-discovery-policy.json https://configure8-resources.s3.us-east-2.amazonaws.com/iam/sh-c8-discovery-policy.json
Create the IAM policy:
aws iam create-policy --policy-name sh-c8-discovery-policy --policy-document file://sh-c8-discovery-policy.json
Create an IAM role that can be assumed by EC2 roles:
Name | Description |
---|---|
$account_id | The AWS account ID from which you want to allow discovery to run |
$iam_user | The AWS IAM user name from which you want to allow discovery to run |
# Generate a JSON file for the trust relationship
cat >trust-relationship.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${account_id}:user/${iam_user}"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
aws iam create-role --role-name sh-c8-discovery --assume-role-policy-document file://trust-relationship.json --description "sh-c8-discovery"
aws iam attach-role-policy --role-name sh-c8-discovery --policy-arn=arn:aws:iam::${account_id}:policy/sh-c8-discovery-policy
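The heredoc above interpolates $account_id and $iam_user directly into the trust policy, so an unset or mistyped variable produces a malformed or unintended principal. The following is an added example, not part of the original page or of configure8's tooling: it validates both values before emitting the same policy. The function names and the sample values are assumptions, and the user is assumed to have no IAM path.

```shell
# Added example; function names are hypothetical, not configure8 or AWS tooling.
LC_ALL=C; export LC_ALL   # make the character ranges below ASCII-only

# True only for a 12-digit AWS account ID.
valid_account_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# True only for an IAM user name: 1-64 characters from A-Z a-z 0-9 + = , . @ _ -
# (assumes the user has no IAM path, as in the ARN used on this page).
valid_iam_user() {
  [ -n "$1" ] && [ "${#1}" -le 64 ] || return 1
  case "$1" in
    *[!A-Za-z0-9+=,.@_-]*) return 1 ;;
  esac
  return 0
}

# Print the trust policy for exactly one IAM user, or fail with nothing on stdout.
trust_policy() {
  valid_account_id "$1" || { echo "invalid account id: '$1'" >&2; return 1; }
  valid_iam_user "$2" || { echo "invalid IAM user name: '$2'" >&2; return 1; }
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::$1:user/$2"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Constructed sample values; replace with your own account ID and user name.
trust_policy 123456789012 c8-discovery
```

Redirect the output to trust-relationship.json and run `aws iam create-role` only if the function succeeds.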
Note: If you want to discover more AWS accounts, please repeat the 2nd step for each account.
Important: Don’t forget to add the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY variables to the c8-secret.