steampipe plugin install aws

Table: aws_ram_principal_association - Query AWS RAM Principal Associations using SQL

The AWS RAM Principal Association is a component of AWS Resource Access Manager (RAM) that enables you to share your resources with any AWS account or within your AWS Organization. It allows you to centrally manage who can access your shared resources, thereby improving the efficiency and security of your cross-account resource sharing. This simplifies the process of sharing your resources while maintaining the existing resource permissions.

Table Usage Guide

The aws_ram_principal_association table in Steampipe provides information about principal associations within AWS Resource Access Manager (RAM). As a DevOps engineer, you can use it to query principal-specific details, including resource share ARN, principal ARN, creation time, and associated tags, and to gather insights such as an association's status and external status. The schema below outlines the attributes of each principal association.

Examples

Basic info

Explore which AWS Resource Access Manager (RAM) principals are associated with your resources to determine their current status. This could be useful in managing resource permissions and identifying any potential issues.

select
  resource_share_name,
  resource_share_arn,
  associated_entity,
  status
from
  aws_ram_principal_association;

List permissions attached to each associated principal

This query shows the permissions linked to each associated principal in AWS Resource Access Manager. It is useful for reviewing the configuration of access controls and ensuring appropriate permissions are in place.

PostgreSQL:

select
  resource_share_name,
  resource_share_arn,
  associated_entity,
  p ->> 'Arn' as resource_share_permission_arn,
  p ->> 'Status' as resource_share_permission_status
from
  aws_ram_principal_association,
  jsonb_array_elements(resource_share_permission) p;

SQLite:

select
  resource_share_name,
  resource_share_arn,
  associated_entity,
  json_extract(p.value, '$.Arn') as resource_share_permission_arn,
  json_extract(p.value, '$.Status') as resource_share_permission_status
from
  aws_ram_principal_association,
  json_each(resource_share_permission) as p;

Get principals that failed association

Identify instances where the association of principals to resources within AWS Resource Access Manager (RAM) has failed. This can be useful in troubleshooting and resolving access issues within your AWS environment.

select
  resource_share_name,
  resource_share_arn,
  associated_entity,
  status
from
  aws_ram_principal_association
where
  status = 'FAILED';
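
For an access review, the associations that matter most are the ones reaching principals outside your organization. The query below is an added example, not part of the Steampipe documentation; it uses PostgreSQL syntax, assumes that external = true marks a principal outside the owning account's organization and that 'ASSOCIATED' is the status of an active association, and derives principal_kind (a name chosen here) from the documented forms of associated_entity.

```sql
-- Added example: resource shares currently exposed to external principals,
-- with the kind of principal and the RAM permission each one receives.
select
  a.account_id,
  a.region,
  a.resource_share_name,
  a.resource_share_arn,
  a.associated_entity,
  -- Classify the principal from the value forms listed in the schema.
  case
    when a.associated_entity ~ '^[0-9]{12}$' then 'account'
    when a.associated_entity like 'arn:%:organizations::%:organization/%' then 'organization'
    when a.associated_entity like 'arn:%:organizations::%:ou/%' then 'organizational_unit'
    when a.associated_entity like 'arn:%:iam::%:role/%' then 'iam_role'
    when a.associated_entity like 'arn:%:iam::%:user/%' then 'iam_user'
    else 'other'
  end as principal_kind,
  a.creation_time,
  a.last_updated_time,
  p ->> 'Arn' as resource_share_permission_arn,
  p ->> 'Status' as resource_share_permission_status
from
  aws_ram_principal_association as a
  -- Left join keeps associations with no permission rows; the typeof guard
  -- avoids an error when the column holds something other than a JSON array.
  left join lateral jsonb_array_elements(
    case
      when jsonb_typeof(a.resource_share_permission) = 'array'
        then a.resource_share_permission
      else '[]'::jsonb
    end
  ) as p on true
where
  a.external                    -- assumption: true = outside the organization
  and a.status = 'ASSOCIATED'   -- assumption: status of an active association
order by
  a.creation_time desc;
```

Rows with principal_kind 'account' grant access to every suitably permitted identity in that account, so they deserve a closer look than a single IAM role or user.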

Schema for aws_ram_principal_association

| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name. |
| account_id | text | | The AWS Account ID in which the resource is located. |
| akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
| associated_entity | text | | One of: the ID of an Amazon Web Services account; the Amazon Resource Name (ARN) of an organization in Organizations; the ARN of an organizational unit (OU) in Organizations; the ARN of an IAM role; the ARN of an IAM user. |
| association_type | text | | The type of entity included in this association. |
| creation_time | timestamp with time zone | | The date and time when the association was created. |
| external | boolean | | Indicates whether the principal belongs to the same organization in Organizations as the Amazon Web Services account that owns the resource share. |
| last_updated_time | timestamp with time zone | | The date and time when the association was last updated. |
| partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
| region | text | | The AWS Region in which the resource is located. |
| resource_share_arn | text | | The Amazon Resource Name (ARN) of the resource share. |
| resource_share_name | text | | The name of the resource share. |
| resource_share_permission | jsonb | | Information about a RAM permission that is associated with a resource share and any of its resources of a specified type. |
| status | text | | The current status of the association. |
| status_message | text | | A message about the status of the association. |
| title | text | | Title of the resource. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_ram_principal_association