How to Collect AWS Resource Data

The Amazon Web Services (AWS) collector is configured within the Fix Inventory Worker configuration via the config command in Fix Inventory Shell.

Prerequisites

This guide assumes that you have already installed Fix Inventory.

Directions

1. Enable the AWS Collector

1. Open the Fix Inventory Worker configuration via the config command in Fix Inventory Shell:

   > config edit fix.worker

2. Add aws to the list of collectors by modifying the configuration as follows:

   fixworker:
     ...
     # List of collectors to run
     collector:
       - 'aws'
       ...
   ...

2. Authenticate with AWS

Fix Inventory supports the authentication mechanisms described in the Boto3 SDK documentation. You can authenticate with AWS via an instance profile, an access key, or profiles. These credentials can be defined in the Fix Inventory Worker configuration or as environment variables.

Fix Inventory Worker Configuration

Instance Profile

1. Configure an instance profile.

2. Open the Fix Inventory Worker configuration via the config command in Fix Inventory Shell:

   > config edit fix.worker

3. Add the contents of your credentials file to the fixworker section of the configuration as follows:

   Fix Inventory Worker configuration

   fixworker:
     ...
     write_files_to_home_dir:
       - path: ~/.aws/credentials
         content: |
           [default]
           region = us-west-2
   
           role_arn = arn:aws:iam::235059640852:role/Fix Inventory
           external_id = a5eMybsyGIowimdZqpZWxxxxxxxxxxxx
           credential_source = Ec2InstanceMetadata
   ...
   note

   If you do not wish to save the contents of your credentials file to Fix Inventory's database, you can alternatively mount the ~/.aws directory to the fixworker container.

   info

   Since Fix Inventory is running on your local machine, it can access the credentials file directly at ~/.aws/credentials.

4. Modify the aws section of the configuration as follows, making sure that aws.access_key_id and aws.secret_access_key are set to null:

   Fix Inventory Worker configuration

   fixworker:
     ...
   ...
   aws:
     # AWS Access Key ID (null to load from env - recommended)
     access_key_id: null
     # AWS Secret Access Key (null to load from env - recommended)
     secret_access_key: null
     ...

Access Key

note

Access keys in the configuration are visible to anyone with access to your Fix Inventory instance. You can alternatively define the access key via environment variables.

1. Open the Fix Inventory Worker configuration via the config command in Fix Inventory Shell:

   > config edit fix.worker

2. Modify the aws section of the configuration as follows:

   Fix Inventory Worker configuration

   fixworker:
     ...
   ...
   aws:
     # AWS Access Key ID (null to load from env - recommended)
     access_key_id: 'AKIAZGZKXXXXXXXXXXXX'
     # AWS Secret Access Key (null to load from env - recommended)
     secret_access_key: 'vO51EW/8ILMGrSBV/Ia9Fov6xZnKxxxxxxxxxxxx'
     ...

Profiles

1. Create a file ~/.aws/credentials with the desired profiles:

   ~/.aws/credentials

   [production]
   aws_xxx = yyy
   
   [test]
   aws_xxx = yyy
   
   [dev]
   aws_xxx = yyy
   
   ...

2. Open the Fix Inventory Worker configuration via the config command in Fix Inventory Shell:

   > config edit fix.worker

3. Add the contents of your credentials file to the fixworker section of the configuration as follows:

   Fix Inventory Worker configuration

   fixworker:
     ...
     write_files_to_home_dir:
       - path: ~/.aws/credentials
         content: |
           [default]
           region = us-west-2
   
           role_arn = arn:aws:iam::235059640852:role/Fix Inventory
           external_id = a5eMybsyGIowimdZqpZWxxxxxxxxxxxx
           credential_source = Ec2InstanceMetadata
   ...
   note

   If you do not wish to save the contents of your credentials file to Fix Inventory's database, you can alternatively mount the ~/.aws directory to the fixworker container.

   info

   Since Fix Inventory is running on your local machine, it can access the credentials file directly at ~/.aws/credentials.

4. Modify the aws section of the configuration as follows, adding one or more profile names from your ~/.aws/credentials file:

   Fix Inventory Worker configuration

   fixworker:
     ...
   ...
   aws:
     ...
     profiles:
       - production
       - test
       - dev

   Profiles can be combined with other AWS options, such as aws.role and aws.scrape_org.

   note

   When switching from profiles to another authentication option, be sure to set the value of aws.profiles as null.

Environment Variables

note

Fix Inventory is meant to run unattended on a server using a service account or instance profile. Fix Inventory supports the same environment variables that the AWS Command-Line Interface does (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE, AWS_ROLE_SESSION_NAME, etc.).

When using temporary credentials, however, they should be written to the credentials or config file and updated out-of-band instead of using environment variables. This is because the fixworker process starts once and then runs forever (i.e., updated environment variables are only reflected upon restart).

You can specify a profile using AWS_PROFILE and, for local testing, SSO authentication would work as well. However, when Fix Inventory is running unattended in a production environment, SSO credentials that require opening a browser window would not work.

1. Set the required environment variables (e.g., AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY):

   • Add environment variable definitions to the fixworker service in docker-compose.yaml:

     docker-compose.yaml

     services:
       ...
       fixworker:
         environment:
           - AWS_ACCESS_KEY_ID=AKIAZGZKXXXXXXXXXXXX
           - AWS_SECRET_ACCESS_KEY=vO51EW/8ILMGrSBV/Ia9Fov6xZnKxxxxxxxxxxxx
       ...
     ...

   • Recreate the fixworker container with the updated service definition:

     $ docker-compose up -d
     note

     Docker Compose V2 integrated compose functions in to the Docker platform.

     In Docker Compose V2, the command is docker compose (no hyphen) instead of docker-compose.

2. Open the Fix Inventory Worker configuration via the config command in Fix Inventory Shell:

   > config edit fix.worker

3. Modify the aws section of the configuration as follows, making sure that aws.access_key_id and aws.secret_access_key are set to null:

   Fix Inventory Worker configuration

   fixworker:
     ...
   ...
   aws:
     # AWS Access Key ID (null to load from env - recommended)
     access_key_id: null
     # AWS Secret Access Key (null to load from env - recommended)
     secret_access_key: null
     ...

3. Authorize Fix Inventory Access to AWS

See How to Roll Out Fix Inventory AWS Permissions with CloudFormation for a step-by-step guide on how to roll out Fix Inventory permissions organization-wide.

info

If you prefer to deploy the role yourself, the S3 URL of the template to create the FixInventoryAccess role is https://fixinventorypublic.s3.amazonaws.com/cf/fixinventory-role.template.

4. Trigger Resource Collection

1. By default, Fix Inventory performs resource collection each hour. To immediately trigger a collect run, use the workflow run command in Fix Inventory Shell:

   > workflow run collect

2. Once the collect run completes, you can view a summary of collected AWS resources using the following search:

   > search is(aws_resource) | count kind