环球百事通!使用 SQL 丝滑查询你的云 API 数据 - Steampipe
2022-07-15 09:00:26来源:Github爱好者
Steampipe: select * from cloud可以让你使用 SQL 来即时查询你的云服务(AWS、Azure、GCP、Github、Slack 等),是一个开源 的 CLI 工具,不需要数据库。Steampipe 将 API 和服务暴露成高性能关系数据库,使你能够编写基于 SQL 的查询来探索动态数据。Mods 通过使用简单 HCL 构建的 Dashboard、报告和控件扩展 Steampipe 的功能。
(资料图)
可以前往官方网站 https://steampipe.io/downloads 选择对应的平台下载安装包。
假如你是 Linux 用户,则可以使用下面的命令进行一键安装。
sudo /bin/sh -c "$(curl -fsSL https://raw.githubusercontent.com/turbot/steampipe/main/install.sh)"
安装后检测是否成功。
~$ steampipe -vsteampipe version 0.15.2
如果显示了上面的版本信息证明安装成功了。
接下来就可以根据自己的需要去安装对应的插件了steampipe plugin install steampipe。
如果你是 Mac 用户,则可以使用 Homebrew 进行一键安装brew install steampipe。
使用这里我们以 AWS 为例进行说明如何使用steampipe。
首先,下载并安装 Steampipe,然后安装插件:
steampipe plugin install aws
Steampipe将在你第一次运行 steampipe 查询时下载和安装额外的组件,因此它最初可能需要几秒钟的时间来加载。
Steampipe支持很多插件,可以在官网 https://hub.steampipe.io/plugins 进行查看。
插件安装完成后,Steampipe将使用你的凭证文件和/或环境变量中的默认 AWS 凭证,所以你需要确保这些也已经配置好了。
我们可以使用 profile 参数从 AWS 凭证文件中指定命名配置文件。每个配置文件的连接,使用命名配置文件可能是最常见的配置:
aws 凭证文件[profile_y]aws_access_key_id = AKIA4YFAKEKEYXTDS252aws_secret_access_key = SH42YMW5p3EThisIsNotRealzTiEUwXN8BOIOF5J8mregion = us-west-2[profile_z]aws_access_key_id = AKIA4YFAKEKEYJ7HS98Faws_secret_access_key = Apf938vDKd8ThisIsNotRealzTiEUwXj9nKLWP9mg4aws.spc
connection "aws_account_y" { plugin = "aws" profile = "profile_y" regions = ["us-east-1", "us-west-2"]}connection "aws_account_z" { plugin = "aws" profile = "profile_z" regions = ["ap-southeast-1", "ap-southeast-2"]}如果你能运行aws ec2 describe-vpcs,则证明就可以使用了。
Steampipe提供的命令允许你在不离开查询 shell 的情况下发现和探索表和数据。可以运行steampipe query来打开交互式查询会话:
$ steampipe queryWelcome to Steampipe v0.5.0For more information, type .help>
然后运行.tables命令可以列出可用的表:
> .tables ==> aws +----------------------------------------+---------------------------------------------+ | table | description | +----------------------------------------+---------------------------------------------+ | aws_accessanalyzer_analyzer | AWS Access Analyzer | | aws_account | AWS Account | | aws_acm_certificate | AWS ACM Certificate | | aws_api_gateway_api_key | AWS API Gateway API Key | ... +----------------------------------------+---------------------------------------------+
正常情况下我们会看到 aws 插件中有很多可用的表!比如有一个aws_iam_role表,我们可以来运行.inspect命令来查看该表中的内容:
> .inspect aws_iam_role +---------------------------+-----------------------------+---------------------------------------------------------------------------------------------------+ | column | type | description | +---------------------------+-----------------------------+---------------------------------------------------------------------------------------------------+ | account_id | text | The AWS Account ID in which the resource is located. | | akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | | arn | text | The Amazon Resource Name (ARN) specifying the role. | | assume_role_policy | jsonb | The policy that grants an entity permission to assume the role. | | assume_role_policy_std | jsonb | Contains the assume role policy in a canonical form for easier searching. | | attached_policy_arns | jsonb | A list of managed policies attached to the role. | | create_date | timestamp without time zone | The date and time when the role was created. | | description | text | A user-provided description of the role. | | inline_policies | jsonb | A list of policy documents that are embedded as inline policies for the role.. ... +---------------------------+-----------------------------+---------------------------------------------------------------------------------------------------+
现在我们知道aws_iam_role表中有哪些列可用,我们就可以运行一个简单的查询来列出角色:
select name from aws_iam_role
再查询一个稍微复杂的场景,让我们找到没有应用边界策略的角色:
select namefrom aws_iam_rolewhere permissions_boundary_arn is null;
和其他数据库一样,我们也可以将表连接在一起。例如,我们可以找到所有附加了 AWS 托管策略的角色:
select r.name, policy_arn, p.is_aws_managedfrom aws_iam_role as r, jsonb_array_elements_text(attached_policy_arns) as policy_arn, aws_iam_policy as pwhere p.arn = policy_arn and p.is_aws_managed;
+-------------------------------------------------------+------------------------------------------------------------------------------------+----------------+ | name | policy_arn | is_aws_managed | +-------------------------------------------------------+------------------------------------------------------------------------------------+----------------+ | aws-elasticbeanstalk-ec2-role | arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier | true | | aws-elasticbeanstalk-ec2-role | arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker | true || admin | arn:aws:iam::aws:policy/ReadOnlyAccess | true | | AWSServiceRoleForSSO | arn:aws:iam::aws:policy/aws-service-role/AWSSSOServiceRolePolicy | true | | AWSServiceRoleForAccessAnalyzer | arn:aws:iam::aws:policy/aws-service-role/AccessAnalyzerServiceRolePolicy | true | | aws-elasticbeanstalk-service-role | arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth | true | | AWSServiceRoleForElasticLoadBalancing | arn:aws:iam::aws:policy/aws-service-role/AWSElasticLoadBalancingServiceRolePolicy | true | | aws-elasticbeanstalk-service-role | arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService | true | | AWSServiceRoleForOrganizations | arn:aws:iam::aws:policy/aws-service-role/AWSOrganizationsServiceTrustPolicy | true | +-------------------------------------------------------+------------------------------------------------------------------------------------+----------------+
Steampipe插件提供了一种简单的方式来查询您的配置,而 Steampipe modes 允许你创建和共享 dahsboard、报告和控件。Steampipe Dashboard 可让你可视化你的 Steampipe 数据。
我们可以下载AWS Insights mod并查看仪表板。首先克隆 repo:
git clone https://github.com/turbot/steampipe-mod-aws-insights.git
然后切换到该目录并运行 steampipe 仪表板:
cd steampipe-mod-aws-insights steampipe dashboard
这样就可以启动 Dashboard 了。
Steampipe 将在浏览器中打开 http://localhost:9194/。主页列出了可用的仪表板,并且可以按标题或标签进行搜索。单击报告的标题以查看它。例如,单击AWS CloudTrail Trail Dashboard进行查看。
你可以在任何页面顶部的搜索栏中导航到另一个仪表板,或者,你可以单击左上角的 Steampipe logo 返回主页。完成后,你可以返回终端控制台并键入 Ctrl+c 退出。
Git 仓库:https://github.com/turbot/steampipe。
