4b6817381b
Benchmark image — build + push to ECR (any adapter) / build + push (push) Waiting to run
CI / quality (ubuntu-latest) (push) Waiting to run
CI / test (tools-runtime) (push) Waiting to run
CI / test (e2e-general) (push) Waiting to run
CI / test (cli-runtime) (push) Waiting to run
CI / test (e2e-provider-and-openclaw) (push) Waiting to run
CI / test (integrations-and-misc) (push) Waiting to run
CI / coverage-report (push) Blocked by required conditions
CI / test-kubernetes (push) Waiting to run
CI / should-run-thorough (push) Waiting to run
CI / test-thorough (cloudwatch-demo) (push) Blocked by required conditions
CI / test-thorough (flink-ecs) (push) Blocked by required conditions
CI / test-thorough (upstream-lambda) (push) Blocked by required conditions
CI / test-thorough (prefect-ecs-fargate) (push) Blocked by required conditions
CodeQL / Analyze (python) (push) Waiting to run
Release / build-binaries (zip, opensre.exe, onefile, windows-latest, windows-x64) (push) Blocked by required conditions
Release / publish-release (push) Blocked by required conditions
Release / publish-main-release (push) Blocked by required conditions
Release / prepare (push) Waiting to run
Release / verify (push) Blocked by required conditions
Release / build-python-dist (push) Blocked by required conditions
Release / build-binaries (tar.gz, opensre, onedir, macos-15-intel, darwin-x64) (push) Blocked by required conditions
Release / build-binaries (tar.gz, opensre, onedir, macos-latest, darwin-arm64) (push) Blocked by required conditions
Release / build-binaries (tar.gz, opensre, onedir, ubuntu-22.04, linux-x64) (push) Blocked by required conditions
Release / build-binaries (tar.gz, opensre, onedir, ubuntu-22.04-arm, linux-arm64) (push) Blocked by required conditions
Synthetic Deterministic Tests / Synthetic offline (deterministic) (push) Waiting to run
Interactive Shell Live (PR + post-merge) / turn-checks (no-LLM) (push) Waiting to run
Interactive Shell Live (PR + post-merge) / turn-live shard ${{ matrix.shard_index }} (push) Waiting to run
CI (OpenClaw E2E) / openclaw test (push) Has been cancelled
118 lines
3.2 KiB
Plaintext
118 lines
3.2 KiB
Plaintext
---
|
|
title: "AWS"
|
|
description: "Connect AWS so OpenSRE can map your infrastructure and investigate cloud-related alerts"
|
|
---
|
|
|
|
OpenSRE uses AWS to map your environment: Lambda functions, EKS clusters, S3 buckets, and more. It reads infrastructure state to build investigation context when cloud-related alerts fire.
|
|
|
|
## Prerequisites
|
|
|
|
- AWS account with IAM permissions
|
|
- Either a role ARN (recommended) or static access keys
|
|
|
|
## Setup
|
|
|
|
### Option 1: Interactive CLI
|
|
|
|
```bash
|
|
opensre integrations setup
|
|
```
|
|
|
|
Select **AWS** when prompted and provide your credentials.
|
|
|
|
### Option 2: Environment variables (IAM role)
|
|
|
|
```bash
|
|
AWS_ROLE_ARN=arn:aws:iam::123456789012:role/OpenSREReadOnly
|
|
AWS_EXTERNAL_ID=your-external-id # optional
|
|
AWS_REGION=us-east-1
|
|
```
|
|
|
|
### Option 3: Environment variables (static keys)
|
|
|
|
```bash
|
|
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
|
|
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
|
|
AWS_SESSION_TOKEN=... # optional, for temporary credentials
|
|
AWS_REGION=us-east-1
|
|
```
|
|
|
|
| Variable | Default | Description |
|
|
| --- | --- | --- |
|
|
| `AWS_ROLE_ARN` | — | IAM role to assume (recommended) |
|
|
| `AWS_EXTERNAL_ID` | — | External ID for role assumption |
|
|
| `AWS_REGION` | `us-east-1` | AWS region |
|
|
| `AWS_ACCESS_KEY_ID` | — | Static access key (if not using role) |
|
|
| `AWS_SECRET_ACCESS_KEY` | — | Static secret key |
|
|
| `AWS_SESSION_TOKEN` | — | Session token for temporary credentials |
|
|
|
|
<Info>
|
|
Either `AWS_ROLE_ARN` or `AWS_ACCESS_KEY_ID` + `AWS_SECRET_ACCESS_KEY` is required.
|
|
</Info>
|
|
|
|
## IAM permissions
|
|
|
|
OpenSRE requires read-only access. Attach the following managed policies to the IAM role or user:
|
|
|
|
- `ReadOnlyAccess` (AWS managed) — or a custom policy scoped to the services you want OpenSRE to inspect
|
|
|
|
For least-privilege, the minimum services used are:
|
|
|
|
```json
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"sts:GetCallerIdentity",
|
|
"ec2:Describe*",
|
|
"ecs:Describe*",
|
|
"ecs:List*",
|
|
"eks:Describe*",
|
|
"eks:List*",
|
|
"lambda:List*",
|
|
"lambda:Get*",
|
|
"s3:ListBucket",
|
|
"s3:GetObject",
|
|
"logs:FilterLogEvents",
|
|
"logs:GetLogEvents",
|
|
"cloudwatch:GetMetricData",
|
|
"cloudwatch:ListMetrics"
|
|
],
|
|
"Resource": "*"
|
|
}
|
|
]
|
|
}
|
|
```
|
|
|
|
## Verify
|
|
|
|
```bash
|
|
opensre integrations verify aws
|
|
```
|
|
|
|
Expected output:
|
|
|
|
```
|
|
Service: aws
|
|
Status: passed
|
|
Detail: Authenticated via assume-role in us-east-1 as arn:aws:iam::123456789012:role/OpenSREReadOnly (account 123456789012)
|
|
```
|
|
|
|
## Troubleshooting
|
|
|
|
| Symptom | Fix |
|
|
| --- | --- |
|
|
| **AccessDenied on STS** | Ensure the caller has `sts:AssumeRole` permission on the target role |
|
|
| **InvalidClientTokenId** | Check that `AWS_ACCESS_KEY_ID` is correct and the key is active |
|
|
| **Could not connect to endpoint** | Check `AWS_REGION` and network connectivity |
|
|
| **ExpiredTokenException** | Refresh your session token or rotate the access key |
|
|
|
|
## Security best practices
|
|
|
|
- Use **IAM roles** instead of static keys wherever possible.
|
|
- Scope IAM permissions to only the AWS services OpenSRE needs to inspect.
|
|
- Rotate static access keys regularly.
|
|
- Enable CloudTrail so all OpenSRE API calls are auditable.
|