steampipe plugin install guardrailssteampipe plugin install guardrails

Turbot Guardrails + Steampipe

Turbot Guardrails is the leading platform for policy-based control and automatic remediation of enterprise clouds.

Steampipe is an open source CLI to instantly query cloud APIs using SQL.

For example:

| trunk_title | uri |
| Turbot > IAM > Access Key | tmod:@turbot/turbot-iam#/resource/types/accessKey |
| GCP > Monitoring > Alert Policy | tmod:@turbot/gcp-monitoring#/resource/types/alertPolicy |
| AWS > IAM > Access Key | tmod:@turbot/aws-iam#/resource/types/accessKey |
| AWS > EC2 > AMI | tmod:@turbot/aws-ec2#/resource/types/ami |
| AWS > SSM > Association | tmod:@turbot/aws-ssm#/resource/types/association |
| GCP > Network > Address | tmod:@turbot/gcp-network#/resource/types/address |


Get started


Download and install the latest Turbot Guardrails plugin:

steampipe plugin install guardrails


Installing the latest guardrails plugin will create a config file (~/.steampipe/config/guardrails.spc) with a single connection named guardrails. By default, Steampipe will use your Turbot Guardrails profiles and credentials exactly the same as the Turbot Guardrails CLI and Turbot Guardrails Terraform provider. In many cases, no extra configuration is required to use Steampipe.

connection "guardrails" {
plugin = "guardrails"

Advanced configuration options

If you have a default profile setup using the Turbot Guardrails CLI, Steampipe just works with that connection.

For users with multiple workspaces and more complex authentication use cases, here are some examples of advanced configuration options:

Credentials via key pair

The Turbot Guardrails plugin allows you to set static credentials with the access_key, secret_key, and workspace arguments in any connection profile.

connection "guardrails" {
plugin = "guardrails"
access_key = "c8e2c2ed-1ca8-429b-b369-010e3cf75aac"
secret_key = "a3d8385d-47f7-40c5-a90c-bfdf5b43c8dd"
workspace = "https://turbot-acme.cloud.turbot.com/"

Credentials via Turbot Guardrails config profiles

You can use an existing Turbot Guardrails named profile configured in /Users/jsmyth/.config/turbot/credentials.yml. A connect per workspace is a common configuration:

connection "guardrails_acme" {
plugin = "guardrails"
profile = "turbot-acme"
connection "guardrails_dmi" {
plugin = "guardrails"
profile = "turbot-dmi"

Credentials from environment variables

Environment variables provide another way to specify default Turbot Guardrails CLI credentials:

export TURBOT_SECRET_KEY=3d397816-575f-4b2a-a470-a96abe29b81a
export TURBOT_ACCESS_KEY=86835f29-1c88-46d9-b6ce-cbe5016842d3
export TURBOT_WORKSPACE=https://turbot-acme.cloud.turbot.com

You can also change the default profile to a named profile with the TURBOT_PROFILE environment variable:

export TURBOT_PROFILE=turbot-acme

Get involved