OpenSRE uses AWS to map your environment: Lambda functions, EKS clusters, S3 buckets, and more. It reads infrastructure state to build investigation context when cloud-related alerts fire.

Prerequisites

  • An AWS account in which you can create (or have someone create) an IAM role or user for OpenSRE
  • Either a role ARN (recommended) or static access keys

Setup

Option 1: Interactive CLI

opensre integrations setup
Select AWS when prompted and provide your credentials.

Option 2: Environment variables (IAM role)

AWS_ROLE_ARN=arn:aws:iam::123456789012:role/OpenSREReadOnly
AWS_EXTERNAL_ID=your-external-id     # optional
AWS_REGION=us-east-1

Option 3: Environment variables (static keys)

AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS_SESSION_TOKEN=...                # optional, for temporary credentials
AWS_REGION=us-east-1
Variable              | Default    | Description
AWS_ROLE_ARN          |            | IAM role to assume (recommended)
AWS_EXTERNAL_ID       |            | External ID for role assumption
AWS_REGION            | us-east-1  | AWS region
AWS_ACCESS_KEY_ID     |            | Static access key (if not using a role)
AWS_SECRET_ACCESS_KEY |            | Static secret key
AWS_SESSION_TOKEN     |            | Session token for temporary credentials
Either AWS_ROLE_ARN or AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY is required.

IAM permissions

OpenSRE requires read-only access. Attach one of the following to the IAM role or user:
  • ReadOnlyAccess (AWS managed). This is broad: it grants read access to every service in the account, not only the ones OpenSRE inspects.
  • A custom policy scoped to the services you want OpenSRE to inspect (preferred).
For least privilege, the minimum set of actions OpenSRE uses is shown below. Note that with "Resource": "*", s3:GetObject and the logs:* actions let OpenSRE read the contents of every bucket and log group in the account; narrow the Resource element of those actions to the buckets and log groups you actually want it to inspect.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity",
        "ec2:Describe*",
        "ecs:Describe*",
        "ecs:List*",
        "eks:Describe*",
        "eks:List*",
        "lambda:List*",
        "lambda:Get*",
        "s3:ListBucket",
        "s3:GetObject",
        "logs:FilterLogEvents",
        "logs:GetLogEvents",
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics"
      ],
      "Resource": "*"
    }
  ]
}
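Two pieces a practitioner typically wants next to this policy are the trust policy for the role named in Option 2 (so that only the OpenSRE caller, presenting the agreed external ID, can assume it) and a check that a policy about to be attached stays within the read-only set above. The script below is an added example and is not OpenSRE's own code. It assumes a hypothetical OpenSRE-side principal (OPENSRE_PRINCIPAL in account 111122223333) and placeholder role names and external ID; only the action list is taken from the page.

```python
"""
Added example (not OpenSRE's own code): build the IAM trust policy for the
OpenSRE role with an ExternalId condition, and lint a permission policy
against the read-only action list from the page before attaching it.

Assumptions (not from the page): OPENSRE_PRINCIPAL is the principal OpenSRE
calls sts:AssumeRole from; role name and external ID below are placeholders.
"""
import fnmatch
import json

# Hypothetical principal on the OpenSRE side that will assume the role.
OPENSRE_PRINCIPAL = "arn:aws:iam::111122223333:role/opensre-collector"

# Action patterns the page lists as the minimum OpenSRE needs. lint_policy()
# flags any Allow action that does not match one of these.
READ_ONLY_ACTIONS = [
    "sts:GetCallerIdentity",
    "ec2:Describe*", "ecs:Describe*", "ecs:List*",
    "eks:Describe*", "eks:List*",
    "lambda:List*", "lambda:Get*",
    "s3:ListBucket", "s3:GetObject",
    "logs:FilterLogEvents", "logs:GetLogEvents",
    "cloudwatch:GetMetricData", "cloudwatch:ListMetrics",
]

# Actions that return customer data (object bodies, log lines). These should be
# scoped to named resources rather than "*".
DATA_READ_ACTIONS = {"s3:GetObject", "logs:GetLogEvents", "logs:FilterLogEvents"}


def trust_policy(principal_arn: str, external_id: str) -> dict:
    """Trust policy allowing only principal_arn to assume the role, and only
    when it presents external_id (confused-deputy protection)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to list."""
    return value if isinstance(value, list) else [value]


def _allowed(action: str) -> bool:
    # IAM action names are case-insensitive, so compare lower-cased.
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower())
               for pat in READ_ONLY_ACTIONS)


def lint_policy(policy: dict) -> list[str]:
    """Return findings for a permission policy. An empty list means every Allow
    action is within the read-only list and data-reading actions are scoped."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or not _allowed(action):
                findings.append(f"{action}: not in the OpenSRE read-only list")
            elif action in DATA_READ_ACTIONS and "*" in resources:
                findings.append(f"{action}: reads data; scope Resource to "
                                f"explicit ARNs instead of '*'")
    return findings


if __name__ == "__main__":
    # Placeholder external ID; generate a random one per customer in practice.
    print(json.dumps(trust_policy(OPENSRE_PRINCIPAL, "opensre-example-ext-id"),
                     indent=2))
    page_policy = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": READ_ONLY_ACTIONS, "Resource": "*"}]}
    for finding in lint_policy(page_policy):
        print("finding:", finding)
```

Run against the page's own policy, the linter reports three findings, all for the s3:GetObject and logs actions left on "Resource": "*"; a policy that lists the specific bucket and log group ARNs for those actions passes clean, and anything like ec2:* or iam:PassRole is flagged as outside the read-only set.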

Verify

opensre integrations verify --service aws
Expected output:
Service: aws
Status: passed
Detail: Authenticated via assume-role in us-east-1 as arn:aws:iam::123456789012:role/OpenSREReadOnly (account 123456789012)

Troubleshooting

Symptom                        | Fix
AccessDenied on STS            | Ensure the caller has sts:AssumeRole permission on the target role and that the role's trust policy allows the caller; if the trust policy requires an external ID, AWS_EXTERNAL_ID must match it
InvalidClientTokenId           | Check that AWS_ACCESS_KEY_ID is correct and the key is active
Could not connect to endpoint  | Check AWS_REGION and network connectivity
ExpiredTokenException          | Refresh your session token or rotate the access key

Security best practices

  • Use IAM roles instead of static keys wherever possible.
  • When the role is assumed from another account, require an external ID in its trust policy and set AWS_EXTERNAL_ID, so only a caller presenting that ID can assume it.
  • Scope IAM permissions to only the AWS services (and, for S3 and CloudWatch Logs, the specific resources) OpenSRE needs to inspect.
  • Rotate static access keys regularly.
  • Enable CloudTrail so all OpenSRE API calls are auditable.