AWS Resource Syncing
Last updated 3 years ago

ConsoleMe learns about the bulk of your AWS resources from AWS Config, but it will also attempt to sync IAM roles, SQS queues, SNS topics, and S3 buckets from their respective APIs. If you haven't enabled AWS Config yet, learn how to set it up here. Also, keep in mind that AWS Config is not free: carefully decide which resource types to record.

Prerequisite

Ensure that you've created identically named roles (Spoke Roles) on each of your accounts for ConsoleMe to assume, and that you've allowed the role ConsoleMe runs as (the Central Account role) to assume those roles. This spoke role should also exist on the account ConsoleMe itself runs in.

The example configuration below is an important one. It tells ConsoleMe which role it should assume on each of your spoke accounts before performing certain actions, such as querying AWS Config or updating policies for resources on the spoke account:

policies:
  role_name: ConsoleMe

ConsoleMe's Celery Tasks do the bulk of the resource syncing. The Docker Compose flow defined in the Quick Start guide starts a Celery container with a worker and a scheduler that will attempt to cache your resources using your existing AWS credentials when run.

If you only need to manage a subset of roles, you can limit the roles that will be displayed on the /policies page. One way to do this is by referencing the tags on the roles and adding them to this configuration in ConsoleMe:

roles:
  allowed_tags:
    tag1: value1
    tag2: value2

Note that all tag keys and values must match for a role to be allowed.

You can also allow roles based on a list of tag keys. A role will be allowed if any of the listed tag keys is present on it, regardless of the tag's value.

roles:
  allowed_tag_keys:
    - consoleme-authorized
    - consoleme-authorized-cli-only

Alternatively, you can provide an explicit list of role ARNs you want managed by ConsoleMe by adding this configuration:

roles:
  allowed_arns:
    - arn:aws:iam::111111111111:role/role-name-here-1
    - arn:aws:iam::111111111111:role/role-name-here-2
    - arn:aws:iam::111111111111:role/role-name-here-3
    - arn:aws:iam::222222222222:role/role-name-here-1
    - arn:aws:iam::333333333333:role/role-name-here-1

By default, all policy types are presented on the /policies page. However, you can opt out of caching and presenting individual policy types using this configuration:

cache_policies_table_details:
  skip_iam_roles: true
  skip_iam_users: true
  skip_s3_buckets: true
  skip_sns_topics: true
  skip_sqs_queues: true
  skip_managed_policies: true
  skip_aws_config_resources: true
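The following is an added example, not ConsoleMe's own code, showing how the role-scoping rules described above (roles.allowed_tags, roles.allowed_tag_keys, roles.allowed_arns) and the cache_policies_table_details skip flags can be evaluated against a set of IAM role records. It treats the three role-scoping options as alternatives (a role matching any one of them is allowed) and shows every role when none of them is configured; both of those are assumptions about ConsoleMe's behaviour, as is the shape of the role records (an `arn` string and a `tags` dict). The configuration keys are the ones documented on this page; the sample configuration and role records are constructed for the example.

```python
from typing import Any, Dict, List

# Constructed sample configuration combining the three role-scoping options
# and two of the cache_policies_table_details skip flags from this page.
CONFIG: Dict[str, Any] = {
    "roles": {
        "allowed_tags": {"owner": "cloud-platform", "env": "prod"},
        "allowed_tag_keys": ["consoleme-authorized", "consoleme-authorized-cli-only"],
        "allowed_arns": ["arn:aws:iam::111111111111:role/role-name-here-1"],
    },
    "cache_policies_table_details": {
        "skip_iam_users": True,
        "skip_managed_policies": True,
    },
}

# Constructed sample role records. The "arn"/"tags" shape is an assumption
# made for this example, not ConsoleMe's internal representation.
ROLES: List[Dict[str, Any]] = [
    {"arn": "arn:aws:iam::111111111111:role/role-name-here-1", "tags": {}},
    {"arn": "arn:aws:iam::222222222222:role/app-a",
     "tags": {"owner": "cloud-platform", "env": "prod"}},
    {"arn": "arn:aws:iam::222222222222:role/app-b",
     "tags": {"owner": "cloud-platform", "env": "dev"}},
    {"arn": "arn:aws:iam::333333333333:role/cli",
     "tags": {"consoleme-authorized-cli-only": "true"}},
    {"arn": "arn:aws:iam::333333333333:role/other", "tags": {"team": "x"}},
]

# Policy types that cache_policies_table_details can skip, as listed on the page.
POLICY_TYPES: List[str] = [
    "iam_roles", "iam_users", "s3_buckets", "sns_topics",
    "sqs_queues", "managed_policies", "aws_config_resources",
]


def matches_allowed_tags(tags: Dict[str, str], allowed_tags: Dict[str, str]) -> bool:
    """roles.allowed_tags: every configured key must be present with exactly
    the configured value. A partial match (one key right, another wrong or
    missing) is rejected, which is the edge case the page calls out."""
    if not allowed_tags:
        return False
    return all(tags.get(key) == value for key, value in allowed_tags.items())


def matches_allowed_tag_keys(tags: Dict[str, str], allowed_tag_keys: List[str]) -> bool:
    """roles.allowed_tag_keys: any listed key present on the role is enough;
    the tag's value is not inspected."""
    return any(key in tags for key in allowed_tag_keys)


def is_role_allowed(role: Dict[str, Any], config: Dict[str, Any]) -> bool:
    """Decide whether one role should appear on the /policies page.

    Assumption: the three options are alternatives, and with none of them
    configured every role is shown (the page's stated default)."""
    roles_cfg = config.get("roles") or {}
    allowed_tags = roles_cfg.get("allowed_tags") or {}
    allowed_tag_keys = roles_cfg.get("allowed_tag_keys") or []
    allowed_arns = roles_cfg.get("allowed_arns") or []
    if not (allowed_tags or allowed_tag_keys or allowed_arns):
        return True
    tags = role.get("tags") or {}
    return (
        role.get("arn") in allowed_arns
        or matches_allowed_tags(tags, allowed_tags)
        or matches_allowed_tag_keys(tags, allowed_tag_keys)
    )


def allowed_role_arns(roles: List[Dict[str, Any]], config: Dict[str, Any]) -> List[str]:
    """ARNs of the roles that pass the configured scoping rules, in input order."""
    return [role["arn"] for role in roles if is_role_allowed(role, config)]


def cached_policy_types(config: Dict[str, Any]) -> List[str]:
    """Policy types still cached after applying the skip_* flags."""
    skips = config.get("cache_policies_table_details") or {}
    return [ptype for ptype in POLICY_TYPES if not skips.get(f"skip_{ptype}", False)]


if __name__ == "__main__":
    for arn in allowed_role_arns(ROLES, CONFIG):
        print("allowed:", arn)
    print("cached policy types:", ", ".join(cached_policy_types(CONFIG)))
```

Running the block lists three roles: role-name-here-1 (explicit ARN), app-a (both required tags match), and cli (one of the allowed tag keys is present); app-b is rejected because its env tag does not match, which is the "all keys and values must match" rule in action. Before trusting a tag-based rule in production, remember that anyone who can tag a role can influence whether it appears here, which is why the Role Tagging Service Control Policy section of this documentation recommends restricting who may set those tags.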