Configure AWS provider
Authentication for AWS provider
You can now use iac describe by overriding the profile setting.
If you want to use a different set of AWS credentials to read your state on S3, you can override each specific AWS environment variable with the DCTL_S3_ prefix. This lets you read a state stored in a different region from your infrastructure. Remember to use your usual AWS credentials to read the resources of your actual infrastructure.
Terraform custom role
The following code, written in HCL, represents the custom role you can assume to run iac describe.
CloudFormation template
Deploy this CloudFormation template to create the limited permission role that you can use according to the authentication guide in the preceding sections of this page.
There is no automatic way to update the CloudFormation template from the Snyk side because you launched this template from your AWS account. Therefore you must update the template yourself to use the most recent Snyk role.
Update the CloudFormation template using the AWS console
In the stack details pane, choose Update.
Select Replace current template and specify the Snyk Amazon S3 URL https://driftctl-cfn-templates.s3.eu-west-3.amazonaws.com/driftctl-role.yml, then click Next.
On the Specify stack details and the Configure stack options pages, click Next.
In the Change set preview section, check that AWS CloudFormation will make the changes.
Because the Snyk template contains one IAM resource, select I acknowledge that this template may create IAM resources.
To finish, click Update stack.
Update the CloudFormation template using the AWS CLI
Use the following command:
Least privilege policy
The iac describe command needs access to your cloud provider account so that it can list resources on your behalf.
As the AWS documentation recommends, the policy that follows grants only the required permissions.
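One way to check that a policy attached to this role stays read-only, as an added example that is not part of the original page or of Snyk's tooling. The sample policy is constructed for illustration, and the prefix list and the function names are assumptions of this example.

```python
import json

# Prefixes treated as read-only: an assumption of this example, not an AWS list.
READ_ONLY_PREFIXES = ("get", "list", "describe")

# Constructed sample policy for illustration; it is not the Snyk-published policy.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketPolicy"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "s3:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "kms:Decrypt", "Resource": "*"}
  ]
}
""")


def as_list(value):
    """IAM accepts either a single value or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return every allowed action that is not limited to a read-only prefix."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.append("NotAction:" + ",".join(as_list(stmt["NotAction"])))
            continue
        for action in as_list(stmt.get("Action", [])):
            # "s3:*" yields name "*", a bare "*" yields name ""; both are flagged.
            _, _, name = action.partition(":")
            if not name.lower().startswith(READ_ONLY_PREFIXES):
                findings.append(action)
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print("not read-only:", finding)
```

An empty result means the policy allows no write or administrative actions; a Get action can still return sensitive data, so review those entries separately.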