steampipe plugin install awssteampipe plugin install aws

AWS + Steampipe

AWS provides on-demand cloud computing platforms and APIs to authenticated customers on a metered pay-as-you-go basis.

Steampipe is an open source CLI to instantly query cloud APIs using SQL.

For example:

| title | create_date | mfa_enabled |
| pam_beesly | 2005-03-24 21:30:00 | false |
| creed_bratton | 2005-03-24 21:30:00 | true |
| stanley_hudson | 2005-03-24 21:30:00 | false |
| michael_scott | 2005-03-24 21:30:00 | false |
| dwight_schrute | 2005-03-24 21:30:00 | true |


Get started


Download and install the latest AWS plugin:

steampipe plugin install aws


CredentialsSpecify a named profile from an AWS credential file with the profile argument.
PermissionsGrant the ReadOnlyAccess policy to your user or role.
RadiusEach connection represents a single AWS account.
Resolution1. Credentials specified in environment variables e.g. AWS_ACCESS_KEY_ID.
2. Credentials in the credential file (~/.aws/credentials) for the profile specified in the AWS_PROFILE environment variable.
3. Credentials for the Default profile from the credential file.
4. EC2 Instance Role Credentials (if running on an ec2 instance)
Region Resolution1. The AWS_DEFAULT_REGION or AWS_REGION environment variable
2. The region specified in the active profile (AWS_PROFILE or default).


Installing the latest aws plugin will create a config file (~/.steampipe/config/aws.spc) with a single connection named aws:

connection "aws" {
plugin = "aws"
profile = "default"
regions = ["us-east-1", "us-west-2"]

Get involved

Advanced configuration options

If you have a default profile setup using the AWS CLI Steampipe just works with that connection.

For users with multiple accounts and more complex authentication use cases, here are some examples of advanced configuration options:

The AWS plugin allows you set static credentials with the access_key, secret_key, and session_token arguments in any connection profile. You may also specify one or more regions with the regions argument. An AWS connection may connect to multiple regions, however be aware that performance may be negatively affected by both the number of regions and the latency to them.

Credentials via key pair

connection "aws_account_x" {
plugin = "aws"
secret_key = "gMCYsoGqjfThisISNotARealKeyVVhh"
regions = ["us-east-1" , "us-west-2"]

Credentials via AWS config profiles

Named profile from an AWS credential file with the profile argument. A connect per profile is a common configuration:

# credentials via profile
connection "aws_account_y" {
plugin = "aws"
profile = "profile_y"
regions = ["us-east-1", "us-west-2"]
# credentials via profile
connection "aws_account_z" {
plugin = "aws"
profile = "profile_z"
regions = ["ap-southeast-1", "ap-southeast-2"]

Credentials from environment variables

export AWS_DEFAULT_REGION=eu-west-1
export AWS_ROLE_SESSION_NAME=steampipe@myaccount

Credentials from an EC2 instance role

If you are running Steampipe on a AWS EC2 instance, and that instance has an instance profile attached then Steampipe will automatically use the associated IAM role without other credentials:

connection "aws" {
plugin = "aws"
regions = ["eu-west-1", "eu-west-2"]