Deploying CloudQuery for reporting across AWS Organizations accounts

Hi all,

I am looking for a way to deploy CloudQuery in a single place for my AWS Organizations, which has many accounts. Is there a way to get reports for all child accounts?

Hi Sharma :wave:

Yes, this is possible, and I would imagine most users with many AWS accounts run it this way.

Here is a tutorial about multi-account setups that should help you: Multi-Account Setup Tutorial

Let us know if you have further questions!

Hi @herman,

I need to configure some local accounts, but I am deploying in Kubernetes (k8s) and I would like to use IAM roles and service accounts for the work instead of putting credentials in the profile.

Sure, you can do this as well. There’s a YouTube tutorial that uses K8s and assumes a role for an account: YouTube Tutorial; you should be able to use a managed account or delegated admin account for the organization.

There are three ways to specify the credentials (quoting from the docs); you can choose any one:

  1. Source credentials from the default credential tool chain:

    org:
      member_role_name: cloudquery-ro

  2. Source credentials from a named profile in the shared configuration or credentials file:

    org:
      member_role_name: cloudquery-ro
      admin_account:
        local_profile: <Named-Profile>

  3. Assume a role in the admin account using credentials in the shared configuration or credentials file:

    org:
      member_role_name: cloudquery-ro
      admin_account:
        local_profile: <Named-Profile>
        role_arn: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>
        # Optional. Specify the name of the session
        # role_session_name: ""
        # Optional. Specify the ExternalID if required for trust policy
        # external_id: ""
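Putting option 1 together with the IAM-roles-for-service-accounts setup asked about above, as an added example (not the thread's or CloudQuery's own config): the pod's ServiceAccount carries an IRSA annotation, so the default credential chain resolves to a role in the admin account and `member_role_name` fans out into each member account with no keys or named profile in the pod. The account id, the `cloudquery-irsa` role, the image tag, the plugin version and the `cloudquery-config` ConfigMap (assumed to hold `aws.yml` plus a destination spec) are placeholders; the IRSA role needs `sts:AssumeRole` on the member `cloudquery-ro` roles, and each member role's trust policy must name it.

```yaml
# Added example (not from the thread or the CloudQuery docs): option 1 above
# (default credential chain) backed by an EKS IAM Role for Service Accounts (IRSA),
# so no static keys or named profile are stored in the pod.
# Placeholders: account id, the cloudquery-irsa role, image tag, plugin version,
# and the cloudquery-config ConfigMap assumed to contain aws.yml plus a destination.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cloudquery
  namespace: cloudquery
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<ADMIN_ACCOUNT_ID>:role/cloudquery-irsa
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: cloudquery-sync
  namespace: cloudquery
spec:
  schedule: "0 2 * * *"   # nightly sync
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: cloudquery   # pod receives the IRSA web-identity token
          restartPolicy: Never
          containers:
            - name: cloudquery
              image: ghcr.io/cloudquery/cloudquery:<VERSION>
              args: ["sync", "/config/aws.yml"]
              volumeMounts:
                - name: config
                  mountPath: /config
          volumes:
            - name: config
              configMap:
                name: cloudquery-config
---
# aws.yml (separate file in the ConfigMap): no local_profile, so the AWS SDK
# default chain picks up the IRSA token injected by EKS; cloudquery-ro is then
# assumed in every member account of the organization.
kind: source
spec:
  name: aws
  path: cloudquery/aws
  version: "<PLUGIN_VERSION>"
  tables: ["aws_iam_roles"]
  destinations: ["postgresql"]
  spec:
    org:
      member_role_name: cloudquery-ro
```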

Hi @herman, if we have this deployed for Organizations and we have EKS in each account, we cannot use the same service account to get Kubernetes policies or compliance organization-wide, correct?

Hi @unified-reptile,

I’m afraid I don’t know the answer to this off the top of my head… Can you explain a bit more what you’re trying to achieve? Are you hoping to sync using both the AWS source plugin and the K8s source plugin? I might tag @stunning-dodo in here for some insights as well.

And so we have the AWS source plugin that we can use for asset inventory. We have the Kubernetes plugin, which will be used to get data from the Kubernetes side.

Is it possible, like the AWS plugin, to deploy the plugin in a single account and get details of other EKS clusters as well?

If you are able to connect to the different EKS clusters from a single account, then it should be possible by setting the k8s plugin context to *.