Adding / updating a connection by uploading a "roles to assume" file via API client - AWS example

Axonius supports IAM Roles in the AWS adapter alongside the current IAM User for cross-account access, meaning that the AWS adapter can assume specified roles to allow fetching devices from other AWS accounts. To do this, you will have to create a role in the desired additional AWS account(s), and allow the IAM User which is being used in the adapter to assume this role.
(Additional inofrmation on this process can be found in:

The steps for doing this are:

1. Creating a "roles to assume" csv file.

The details of the format for the file can be found here:

A simple example might look like this:

$ cat roles2assume.csv
arn:aws:iam::111111111111:role/axonius-role, arn:aws:iam::222222222222:role/axonius-role

2. Adding/ updating a connection using axonshell - in this case for an AWS connection. To find out what parameters are required for a connection from the command line, you can run the following command:
$ axonshell adapters cnx get --name aws --export-format table-schemas

Name Title Type Required Description Format
--------------------- ------------------------------ ------ ---------- ------------------- --------
account_tag Account Tag string False
advanced_config Advanced Configuration file file False A JSON-file
aws_access_key_id AWS Access Key ID string False
aws_secret_access_key AWS Access Key Secret string False password
proxy Proxy string False
region_name Region Name string False
roles_to_assume_list Roles to assume file False A list of roles to
get_all_regions Get All Regions bool True
use_attached_iam_role Use instance profile (attached bool True Use the IAM role
role) attached to this
instance instead of
using the
--------------------- ------------------------------ ------ ---------- ------------------- --------
Name Title Type Required Description Format

  • You may have noticed the parameters shown in the above output match the parameters from the popup dialog in the GUI when you go to add a connection.  In our case, we are interested in the "roles_to_assume_list" parameter which is of type "file".  We are going to pass in the CSV file we created earlier for that parameter. Axonshell will then work it's magic and take care of uploading and processing it.
3. Creating the actual connection - we will want to run something like this (replacing "${AWS_KEY}" and "${AWS_SECRET}" with your actual values):
$ axonshell adapters cnx add --name aws \
--config roles_to_assume_list=roles2assume.csv \
--config aws_access_key_id=${AWS_KEY} \
--config aws_secret_access_key=${AWS_SECRET} \
--config get_all_regions=yes \
--config use_attached_iam_role=no \
--no-prompt-optional \
  • Please note the options "--no-prompt-optional" and "--no-prompt-default", this keeps axonshell from asking you to fill in other parameters we aren't necessarily concerned with in this instance.
4. Confirming that the connection was created - The output of the above command will look something like this :
"aws_access_key_id": "...",
"aws_secret_access_key": "...",
"get_all_regions": true,
"roles_to_assume_list": {
"filename": "roles2assume.csv",
"uuid": "604a79e3eea54208eece0a09"
"use_attached_iam_role": false
You can see the "roles_to_assume_list" contains our csv file we provided and has a uuid generated for it.
  • If at some point you would like to update this connection with a new csv file, you can actually just run the same add command as above (axonshell adapters cnx add --name aws ...) and provide the same values for the parameters pointing to a new csv file, and it will update the connection with the new file.



Please sign in to leave a comment.

Didn't find what you were looking for?

New post