Exec + Steampipe

Execute commands locally or on remote Linux and Windows hosts through SSH or WinRM.

Steampipe is an open-source zero-ETL engine to instantly query cloud APIs using SQL.

For example:

select
  output
from
  exec_command
where
  command = 'df -h';

+------------------------------------------------------+
| output                                               |
+------------------------------------------------------+
| Filesystem      Size  Used Avail Use% Mounted on     |
| /dev/root       7.6G  3.4G  4.3G  44% /              |
| tmpfs           483M     0  483M   0% /dev/shm       |
| tmpfs           194M  872K  193M   1% /run           |
| tmpfs           5.0M     0  5.0M   0% /run/lock      |
| /dev/xvda15     105M  5.3M  100M   5% /boot/efi      |
| tmpfs            97M  4.0K   97M   1% /run/user/1001 |
+------------------------------------------------------+

Get started

Install

Download and install the latest Exec plugin:

steampipe plugin install exec

Credentials

| Item | Description |
| --- | --- |
| Credentials | Local connections do not require credentials. For Linux remote connections, the plugin supports SSH private key or password authentication. For Windows remote connections, the plugin supports password authentication. |
| Permissions | Because the connection to the host relies on SSH or WinRM, the user must have the necessary permissions to connect to the host. |
| Radius | Each connection represents a single Exec Installation. |
| Resolution | 1. Configuration provided in the connection in the Steampipe .spc config file. 2. An exec.yaml file in a .exec folder in the current user's home directory (~/.exec/exec.yaml or %userprofile%\.exec\exec.yaml). |

Configuration

There are multiple ways to configure the plugin, depending on the type of connection you want to use. Below are some examples of how to configure the most common connections.

Local connection

connection "exec_local" {
  plugin = "exec"
}

Remote Linux connection through SSH

connection "exec_remote_linux" {
  plugin      = "exec"
  protocol    = "ssh"
  host        = "my-remote-linux-host"
  user        = "my-username"
  private_key = "~/.ssh/my-remote-linux-host.pem"
}

Remote Windows connection through WinRM

connection "exec_remote_windows" {
  plugin   = "exec"
  protocol = "winrm"
  host     = "18.228.214.45"
  port     = 5985
  user     = "Administrator"
  password = "rh=PM76t54nouv&dqwe3cNM7J1(*skZhh*"
}

Remote Windows connection through WinRM ignoring certificate validation

connection "exec_remote_windows" {
  plugin   = "exec"
  protocol = "winrm"
  host     = "18.228.214.45"
  https    = true
  port     = 5986
  insecure = true
  user     = "Administrator"
  password = "rh=PM76t54nouv&dqwe3cNM7J1(*skZhh*"
}

Remote Linux connection through SSH with in-file private key

connection "exec_remote_linux" {
  plugin      = "exec"
  protocol    = "ssh"
  host        = "my-remote-linux-host"
  user        = "my-username"
  private_key = <<EOK
-----BEGIN RSA PRIVATE KEY-----
... snipped ...
-----END RSA PRIVATE KEY-----
EOK
}

Remote Linux connection through SSH with password

connection "exec_remote_linux" {
  plugin   = "exec"
  protocol = "ssh"
  host     = "my-remote-linux-host"
  user     = "my-username"
  password = "my-password"
}

Remote Linux connection through SSH via bastion host

connection "production" {
  plugin              = "exec"
  protocol            = "ssh"
  host                = "172.31.40.195"
  user                = "ubuntu"
  private_key         = "~/.ssh/my-remote-linux-host.pem"
  bastion_user        = "ubuntu"
  bastion_host        = "52.67.221.206"
  bastion_port        = 22
  bastion_private_key = "~/.ssh/my-bastion-host.pem"
}

Remote Linux connection through SSH over proxy

connection "staging" {
  plugin              = "exec"
  protocol            = "ssh"
  host                = "52.67.221.206"
  user                = "ubuntu"
  private_key         = "~/.ssh/my-remote-linux-host.pem"
  proxy_host          = "10.10.10.200"
  proxy_port          = 8080
  proxy_user_name     = "luis"
  proxy_user_password = "c@v41c@nt3"
}

Remote Linux connection through SSH via bastion host over proxy

connection "production" {
  plugin              = "exec"
  protocol            = "ssh"
  host                = "172.31.40.195"
  user                = "ubuntu"
  private_key         = "~/.ssh/my-remote-linux-host.pem"
  bastion_user        = "ubuntu"
  bastion_host        = "52.67.221.206"
  bastion_port        = 22
  bastion_private_key = "~/.ssh/my-bastion-host.pem"
  proxy_host          = "10.10.10.200"
  proxy_port          = 8080
  proxy_user_name     = "luis"
  proxy_user_password = "c@v41c@nt3"
}
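
A small linter for the connection options shown above, as an added example that is not part of the plugin or its documentation: it flags inline password and proxy_user_password values, heredoc private keys, WinRM connections without https = true, and insecure = true. The function name lint_spc, the finding strings and the sample connections are assumptions made for illustration.

```python
import re

# Assumption: each top-level connection block closes with "}" at column 0.
BLOCK = re.compile(r'connection\s+"([^"]+)"\s*\{(.*?)^\}', re.S | re.M)
ATTR = re.compile(r'^[ \t]*(\w+)[ \t]*=[ \t]*(.+?)[ \t]*$', re.M)
SECRET_KEYS = ("password", "proxy_user_password")

def lint_spc(text):
    """Return sorted (connection, finding) pairs for the text of one .spc file."""
    findings = []
    for name, body in BLOCK.findall(text):
        attrs = {k: v.strip('"') for k, v in ATTR.findall(body)}
        for key in SECRET_KEYS:
            if key in attrs:  # literal secret readable by anyone who can read the file
                findings.append((name, f"{key} stored inline"))
        if attrs.get("private_key", "").startswith("<<"):  # heredoc = key material in file
            findings.append((name, "private key embedded in config"))
        if attrs.get("protocol") == "winrm" and attrs.get("https") != "true":
            findings.append((name, "winrm without https"))
        if attrs.get("insecure") == "true":
            findings.append((name, "certificate validation disabled"))
    return sorted(findings)

# Constructed sample in the style of the blocks above; every value is a placeholder.
SAMPLE = '''
connection "win_http" {
  plugin   = "exec"
  protocol = "winrm"
  host     = "192.0.2.10"
  port     = 5985
  password = "example-only"
}
connection "win_tls_unverified" {
  plugin   = "exec"
  protocol = "winrm"
  https    = true
  insecure = true
  password = "example-only"
}
connection "linux_key_file" {
  plugin      = "exec"
  protocol    = "ssh"
  private_key = "~/.ssh/my-remote-linux-host.pem"
}
'''

if __name__ == "__main__":
    for conn, finding in lint_spc(SAMPLE):
        print(f"{conn}: {finding}")
```

Commented-out attributes are ignored, and a connection that only references a key file path, like linux_key_file, produces no finding.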

Remote connection to multiple hosts

Here we are using aggregators to run the same query on multiple hosts. The staging_servers connection is an aggregator connection that will run the same query on all connections that match the *-staging pattern. The server1-staging and server2-staging connections are the actual connections to the remote hosts.

So, for example, if you run steampipe query "select * from staging_servers.exec_command where command = 'uname -a';" it will run the query on both server1-staging and server2-staging connections.

You can still run queries on individual connections, for example steampipe query "select * from server1-staging.exec_command where command = 'uname -a';" will only run the query on server1-staging.

connection "staging_servers" {
  plugin      = "exec"
  type        = "aggregator"
  connections = [ "*-staging" ]
}

connection "server1-staging" {
  plugin      = "exec"
  protocol    = "ssh"
  host        = "my-remote-linux-host"
  user        = "my-username"
  private_key = "~/.ssh/my-remote-linux-host.pem"
}

connection "server2-staging" {
  plugin      = "exec"
  protocol    = "ssh"
  host        = "my-remote-linux-host"
  user        = "my-username"
  private_key = "~/.ssh/my-remote-linux-host.pem"
}

Local connection using a specific interpreter

ZSH interpreter

connection "exec_local" {
  plugin      = "exec"
  interpreter = ["/bin/zsh", "-c"]
}

Python3 interpreter

connection "exec_local" {
  plugin      = "exec"
  interpreter = ["/bin/python3", "-c"]
}

Perl interpreter

connection "exec_local" {
  plugin      = "exec"
  interpreter = ["/bin/perl", "-e"]
}

Pro-tip: If you are going to use multiple interpreters, you can name each connection to reflect the interpreter it uses. For example, connection "exec_local_bash" { ... } or connection "exec_local_python" { ... }.

Limiting concurrent connections

For each query (command) executed, this plugin opens a new SSH/WinRM connection. If you are running a lot of queries against the same host, these connection attempts may be seen as abusive activity.

To reduce the chance of getting flagged, the plugin has a default max_concurrency limiter set to 15. However, you can override this limiter by defining a limiter resource in your exec.spc configuration file:

connection "exec_local" {
  plugin      = "exec"
  working_dir = "."
}

plugin "exec" {
  limiter "exec_global" {
    max_concurrency = 15
  }
}

Postgres FDW

This plugin is available as a native Postgres FDW. Unlike Steampipe CLI, which ships with an embedded Postgres server instance, the Postgres FDW can be installed in any supported Postgres database version.

You can download the tarball for your platform from the Releases page, but it is simplest to install it with the steampipe_postgres_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/postgres.sh)" -- exec

The installer will prompt you for the plugin name and version, then download and install the appropriate files for your OS, system architecture, and Postgres version.

To configure the Postgres FDW, you will create an extension, foreign server, and schema and import the foreign schema.

CREATE EXTENSION IF NOT EXISTS steampipe_postgres_exec;
CREATE SERVER steampipe_exec FOREIGN DATA WRAPPER steampipe_postgres_exec OPTIONS (config '<your_config>');
CREATE SCHEMA exec;
IMPORT FOREIGN SCHEMA exec FROM SERVER steampipe_exec INTO exec;

SQLite Extension

This plugin is available as a SQLite Extension, making the tables available as SQLite virtual tables.

You can download the tarball for your platform from the Releases page, but it is simplest to install it with the steampipe_sqlite_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/sqlite.sh)" -- exec

The installer will prompt you for the plugin name, version, and destination directory. It will then determine the OS and system architecture, and it will download and install the appropriate package.

To configure the SQLite extension, load the extension module and then run the steampipe_configure_exec function to configure it with plugin-specific options.

$ sqlite3
sqlite> .load ./steampipe_sqlite_extension_exec.so
sqlite> select steampipe_configure_exec('<your_config>');

Export

This plugin is available as a standalone Export CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install it with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- exec

You can pass the configuration to the command with the --config argument:

steampipe_export_exec --config '<your_config>' <table_name>