Quickstart
Cloud Provider Integration
Enhance Annie’s cloud infrastructure understanding
Connect your cloud providers to Annie to give her comprehensive visibility into your infrastructure. This integration enables Annie to:
- Monitor your cloud resources in real-time
- Detect unmanaged resources
- Track infrastructure changes
Setup Guide
Annie connects to an AWS account in one of two ways: a cross-account IAM role that Annie assumes (Option 1), or an IAM user whose access keys you hand to Anyshift (Option 2). Both grant read-only access. Prefer the role: it issues short-lived credentials and can be locked to an External ID, whereas access keys are long-lived secrets that you must store and rotate yourself.
Option 1: Cross-account IAM role (recommended)
Step 1: Create the IAM Role
Create a role that trusts the Anyshift account and carries read-only permissions, using either of these methods:
- Using Terraform (Recommended)
resource "aws_iam_role" "annie_assume_role" {
  name = "annie-assume-role"

  # Trust policy. assume_role_policy must be a JSON string, so the document
  # is wrapped in jsonencode(). Only the Anyshift account may assume the
  # role, and only when it presents the External ID you also enter in
  # Anyshift; that condition is the confused-deputy protection. If you
  # decide not to use an External ID, delete the whole Condition block,
  # otherwise every AssumeRole call will be denied.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::211125758836:root"
        }
        Action = "sts:AssumeRole"
        Condition = {
          StringEquals = {
            "sts:ExternalId" = "replace_with_optional_external_id"
          }
        }
      }
    ]
  })
}

# The AWS-managed ReadOnlyAccess policy covers every service Annie can
# inventory. Note that it also includes data-plane reads such as
# s3:GetObject; the scoped-down policy further down this page is the
# alternative if that is broader than you want.
resource "aws_iam_role_policy_attachment" "read_only_access" {
  role       = aws_iam_role.annie_assume_role.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
- Using AWS Console
- Navigate to IAM → Roles and select Create role.
- Choose Another AWS account and enter the Account ID 211125758836.
- Add an External ID. It is optional but recommended: it acts as a shared secret that the caller must present, so only Anyshift sessions configured with that exact value can assume the role.
- Attach the AWS-managed policy ReadOnlyAccess.
- Complete the role creation process.
- Copy the Role ARN for the next step.
Step 2: Add the IAM Role to Anyshift
- Navigate to Anyshift Configuration and select Add AWS Role.
- Enter a descriptive Display Name for the role (e.g., "read_only_role_for_anyshift").
- Paste the Role ARN from the previous step.
- Enter the External ID if you set one in the role's trust policy. It must match exactly, or AssumeRole will be denied.
- Save the configuration.
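Before applying the role it is worth linting its trust policy for the three things that matter when a third party assumes a role in your account: the principal is exactly the expected account, the action is limited to sts:AssumeRole, and an sts:ExternalId condition is present and no longer set to the template placeholder. The Python script below is an added example, not Anyshift's code. It parses the trust policy JSON that the Terraform above produces; the Anyshift account ID 211125758836 and the placeholder string come from this page, while OPEN_TRUST_POLICY is a deliberately bad policy constructed here for comparison.

```python
"""Lint an IAM role trust policy before applying it (added example)."""
import json

# Anyshift account ID and placeholder External ID as shown on this page.
ANYSHIFT_ACCOUNT = "211125758836"
PLACEHOLDER_EXTERNAL_ID = "replace_with_optional_external_id"

# Trust policy as emitted by the Terraform above, External ID still unset.
TRUST_POLICY_TEMPLATE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::211125758836:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": PLACEHOLDER_EXTERNAL_ID}},
    }],
})

# Constructed bad example: any AWS principal, no External ID.
OPEN_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
})


def _as_list(value):
    """IAM accepts a string or a list of strings in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_account(arn):
    """Return the 12-digit account ID from an IAM principal ARN, or None."""
    parts = arn.split(":")
    if len(parts) == 6 and parts[0] == "arn" and parts[2] == "iam":
        return parts[4]
    return None


def check_trust_policy(policy_json, expected_account=ANYSHIFT_ACCOUNT):
    """Return a list of findings; an empty list means the policy is acceptable."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        where = f"Statement[{i}]"

        # Only sts:AssumeRole belongs in a trust policy for this use case.
        extra = [a for a in _as_list(stmt.get("Action")) if a.lower() != "sts:assumerole"]
        if extra:
            findings.append(f"{where}: grants actions beyond sts:AssumeRole: {extra}")

        # Principal must be the vendor account, never "*" or a stranger.
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        for p in aws_principals:
            if p == "*":
                findings.append(f"{where}: principal is '*' (any AWS account)")
            elif p != expected_account and _principal_account(p) != expected_account:
                findings.append(f"{where}: unexpected principal {p}")

        # External ID condition: present, and replaced with a real value.
        cond = stmt.get("Condition") or {}
        ext_ids = []
        for op in ("StringEquals", "StringEqualsIgnoreCase"):
            ext_ids += _as_list((cond.get(op) or {}).get("sts:ExternalId"))
        if not ext_ids:
            findings.append(f"{where}: no sts:ExternalId condition (confused-deputy exposure)")
        elif PLACEHOLDER_EXTERNAL_ID in ext_ids:
            findings.append(f"{where}: sts:ExternalId is still the template placeholder")
    return findings


if __name__ == "__main__":
    for name, doc in (("template", TRUST_POLICY_TEMPLATE), ("open", OPEN_TRUST_POLICY)):
        print(name, check_trust_policy(doc) or "OK")
```

Run it against `terraform show -json` output, or paste the rendered trust policy in; the template as published on this page yields exactly one finding (the placeholder External ID), and substituting a real value clears it.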
Option 2: IAM user with access keys
Step 1: Create IAM User
Choose your preferred method:
- Using Terraform (Recommended)
resource "aws_iam_user" "annie_user" {
  name = "annie-readonly-user"
}

# The secret access key is written to Terraform state in plaintext. Keep the
# state in an encrypted, access-controlled backend and treat the state file
# as a secret. Read the values from aws_iam_access_key.annie_access_key.id
# and .secret (mark any output that exposes them sensitive = true), and
# rotate by recreating this resource.
resource "aws_iam_access_key" "annie_access_key" {
  user = aws_iam_user.annie_user.name
}

resource "aws_iam_user_policy_attachment" "read_only_access" {
  user       = aws_iam_user.annie_user.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
- Using AWS Console
- Go to IAM → Users → Add User
- Enable Programmatic Access
- Attach “ReadOnlyAccess” policy
- Save Access Key ID and Secret Access Key
Step 2: Configure in Anyshift
- Enter the Access Key ID and Secret Access Key you obtained from the IAM user creation step.
- Provide a descriptive AWS Account Name label (e.g., "read_only_user_for_anyshift").
If the AWS-managed ReadOnlyAccess policy is broader than you want, attach a scoped-down policy instead. The following restricts Annie to Describe, List and Get calls on the service families it inventories. The statements still use resources = ["*"] because most Describe and List APIs do not support resource-level permissions; the restriction comes from the action list.
data "aws_iam_policy_document" "annie_minimal_access" {
  statement {
    sid    = "AllowComputeResources"
    effect = "Allow"
    actions = [
      "ec2:Describe*",
      "eks:Describe*",
      "eks:List*",
      "ecs:Describe*",
      "ecs:List*",
      "lambda:List*",
      "lambda:Get*",
      "autoscaling:Describe*",
      "elasticbeanstalk:Describe*",
      "elasticbeanstalk:List*",
      "lightsail:Get*",
      "lightsail:List*",
      "batch:Describe*",
      "batch:List*"
    ]
    resources = ["*"]
  }

  statement {
    sid    = "AllowStorageResources"
    effect = "Allow"
    actions = [
      "s3:List*",
      "s3:Get*",
      "rds:Describe*",
      "rds:List*",
      "dynamodb:Describe*",
      "dynamodb:List*",
      "elasticache:Describe*",
      "elasticache:List*",
      "efs:Describe*",
      "fsx:Describe*",
      "fsx:List*",
      "backup:Describe*",
      "backup:List*"
    ]
    resources = ["*"]
  }

  statement {
    sid    = "AllowNetworkResources"
    effect = "Allow"
    # VPC, subnet, security-group and routing APIs live under the ec2
    # service prefix (there is no "vpc:" prefix), so they are already
    # covered by ec2:Describe* above and are listed here for review only.
    actions = [
      "ec2:DescribeVpcs",
      "ec2:DescribeSubnets",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeRouteTables",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DescribeInternetGateways",
      "ec2:DescribeNatGateways",
      "ec2:DescribeVpcEndpoints",
      "elasticloadbalancing:Describe*",
      "route53:List*",
      "route53:Get*",
      "cloudfront:List*",
      "cloudfront:Get*",
      "globalaccelerator:List*",
      "globalaccelerator:Describe*"
    ]
    resources = ["*"]
  }

  statement {
    sid    = "AllowIdentityResources"
    effect = "Allow"
    actions = [
      "iam:List*",
      "iam:Get*"
    ]
    resources = ["*"]
  }

  statement {
    sid    = "AllowMonitoringResources"
    effect = "Allow"
    actions = [
      "cloudwatch:Describe*",
      "cloudwatch:List*",
      "cloudwatch:Get*",
      "logs:Describe*",
      "logs:List*",
      "health:Describe*",
      "cloudtrail:Describe*",
      "cloudtrail:List*",
      "cloudtrail:Get*"
    ]
    resources = ["*"]
  }

  statement {
    sid    = "AllowApplicationResources"
    effect = "Allow"
    actions = [
      "sns:List*",
      "sns:Get*",
      "sqs:List*",
      "sqs:Get*",
      "mq:List*",
      "mq:Describe*",
      "apigateway:GET",
      "apigateway:HEAD",
      "appsync:List*",
      "appsync:Get*",
      "elasticmapreduce:List*",
      "elasticmapreduce:Describe*",
      "kafka:List*",
      "kafka:Describe*",
      "kinesis:List*",
      "kinesis:Describe*"
    ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "annie_minimal_access" {
  name   = "annie-minimal-access"
  policy = data.aws_iam_policy_document.annie_minimal_access.json
}

# Attach this instead of, not in addition to, ReadOnlyAccess. For the IAM
# user variant use aws_iam_user_policy_attachment with the same policy_arn.
resource "aws_iam_role_policy_attachment" "annie_minimal_access" {
  role       = aws_iam_role.annie_assume_role.name
  policy_arn = aws_iam_policy.annie_minimal_access.arn
}
This grants read-only access to the services Annie inventories. Two wildcards remain broader than inventory needs: s3:Get* includes s3:GetObject, which reads object contents from every bucket, and lambda:Get* includes lambda:GetFunction, which returns a download link for function code. If Annie does not need object or code access in your environment, replace them with the bucket- and function-level metadata actions you actually want to allow.
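IAM matches Action wildcards as case-insensitive globs, so a pattern such as s3:Get* quietly covers s3:GetObject. The Python script below is an added example, not Anyshift's code: it takes the action list from the policy document above (with vpc:Describe* dropped, since that service prefix does not exist) and reports which of a constructed list of sensitive data-plane actions the policy still allows, then shows one way to narrow the S3 grant to bucket metadata. The SENSITIVE_ACTIONS list and the replacement actions in narrow_s3 are choices made for this illustration, not requirements Annie documents; confirm what Annie needs before attaching a narrowed policy.

```python
"""Expand IAM action wildcards against sensitive actions (added example)."""
import fnmatch

# Action list copied from the data "aws_iam_policy_document" above,
# deduplicated, with "vpc:Describe*" dropped (not a real service prefix).
MINIMAL_POLICY_ACTIONS = [
    "ec2:Describe*", "eks:Describe*", "eks:List*", "ecs:Describe*", "ecs:List*",
    "lambda:List*", "lambda:Get*", "autoscaling:Describe*",
    "elasticbeanstalk:Describe*", "elasticbeanstalk:List*",
    "lightsail:Get*", "lightsail:List*", "batch:Describe*", "batch:List*",
    "s3:List*", "s3:Get*", "rds:Describe*", "rds:List*",
    "dynamodb:Describe*", "dynamodb:List*", "elasticache:Describe*", "elasticache:List*",
    "efs:Describe*", "fsx:Describe*", "fsx:List*", "backup:Describe*", "backup:List*",
    "elasticloadbalancing:Describe*", "route53:List*", "route53:Get*",
    "cloudfront:List*", "cloudfront:Get*", "globalaccelerator:List*", "globalaccelerator:Describe*",
    "iam:List*", "iam:Get*",
    "cloudwatch:Describe*", "cloudwatch:List*", "cloudwatch:Get*",
    "logs:Describe*", "logs:List*", "health:Describe*",
    "cloudtrail:Describe*", "cloudtrail:List*", "cloudtrail:Get*",
    "sns:List*", "sns:Get*", "sqs:List*", "sqs:Get*", "mq:List*", "mq:Describe*",
    "apigateway:GET", "apigateway:HEAD", "appsync:List*", "appsync:Get*",
    "elasticmapreduce:List*", "elasticmapreduce:Describe*",
    "kafka:List*", "kafka:Describe*", "kinesis:List*", "kinesis:Describe*",
]

# Constructed list of data-plane or otherwise sensitive actions that a pure
# inventory tool should not need. Extend it for your own review.
SENSITIVE_ACTIONS = [
    "s3:GetObject",             # reads bucket contents
    "lambda:GetFunction",       # returns a download URL for function code
    "dynamodb:GetItem",
    "sqs:ReceiveMessage",
    "secretsmanager:GetSecretValue",
    "ssm:GetParameter",
    "kms:Decrypt",
    "logs:GetLogEvents",
]


def action_matches(pattern, action):
    """IAM action matching: '*' and '?' wildcards, case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_by(policy_actions, action):
    """Return the patterns in policy_actions that allow `action`."""
    return [p for p in policy_actions if action_matches(p, action)]


def sensitive_grants(policy_actions, sensitive=SENSITIVE_ACTIONS):
    """Map each sensitive action the policy allows to the pattern(s) granting it."""
    return {a: granted_by(policy_actions, a) for a in sensitive if granted_by(policy_actions, a)}


def narrow_s3(policy_actions):
    """Swap the broad s3 wildcards for bucket-level metadata actions.

    Illustrative narrowing only (assumption: Annie needs bucket configuration,
    not object contents); adjust to what the integration actually requires.
    """
    narrowed = [p for p in policy_actions if p.lower() not in ("s3:get*", "s3:list*")]
    narrowed += [
        "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketPolicy",
        "s3:GetBucketPublicAccessBlock", "s3:GetEncryptionConfiguration",
        "s3:GetBucketVersioning", "s3:GetBucketTagging",
    ]
    return narrowed


if __name__ == "__main__":
    print("as written:", sensitive_grants(MINIMAL_POLICY_ACTIONS))
    print("s3 narrowed:", sensitive_grants(narrow_s3(MINIMAL_POLICY_ACTIONS)))
```

Run the same check against any policy you intend to attach; replacing MINIMAL_POLICY_ACTIONS with the action list of the AWS-managed ReadOnlyAccess policy (fetched with aws iam get-policy-version) shows how much further that managed policy reaches.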
Features Enabled
Resource Monitoring
Real-time visibility into your cloud infrastructure
Dependency Mapping
Understand your infrastructure dependencies
Try Annie Today
Start building your infrastructure knowledge graph and unlock intelligent infrastructure management.