
Configuring An AWS Data Source For Coordimap

This guide explains how to configure the Coordimap agent to crawl an AWS account. With AWS configured correctly, Coordimap can discover EC2 instances, VPCs, load balancers, RDS instances, S3 buckets, and other AWS resources, then turn that inventory into diagrams and relationships.

For AWS, use the AWS account ID as scope_id. That value is the stable ownership boundary for AWS assets.

Prerequisites

Before you begin, make sure you have:

  1. Installed the Coordimap agent in an environment that can reach AWS APIs.
  2. Added the AWS data source in the Coordimap UI so you have a data_source_id.
  3. Prepared AWS credentials for the agent, through an IAM role, environment variables, or an AWS credentials file.

Use read-only permissions

Use an IAM user or IAM role with read-only permissions whenever possible. Follow the dedicated guide here: Creating an AWS Read-Only IAM User.

Find The Correct scope_id

Use the AWS account ID:

aws sts get-caller-identity --query Account --output text

If you run multiple Coordimap AWS connectors against the same account, reuse the same scope_id. That keeps all discovered assets in one identity space.

Configuration File

coordimap:
  api_key: ${COORDIMAP_API_KEY}
  data_sources:
    - type: aws
      data_source_id: <YOUR_DATASOURCE_ID_FROM_UI>
      config:
        - name: scope_id
          value: "<AWS_ACCOUNT_ID>"
        - name: policy_config
          value: "true"
        - name: access_key_id
          value: ${AWS_ACCESS_KEY_ID}
        - name: secret_access_key
          value: ${AWS_SECRET_ACCESS_KEY}
        - name: crawl_interval
          value: "5m"

Configuration Options

Attribute Name | Required | Description
type | Yes | The data source type. For AWS this must be aws.
data_source_id | Yes | The Coordimap data source identifier created in the UI. It identifies the connector record, not the AWS account identity.
config.name: scope_id | Yes | Stable upstream identity for the AWS account. Use the AWS account ID.
config.name: policy_config | Yes | Set to "true" when the agent should use the host's attached IAM role or local AWS credential configuration.
config.name: access_key_id | Conditional | AWS access key ID when you are using explicit credentials instead of instance or task role credentials.
config.name: secret_access_key | Conditional | AWS secret access key that pairs with access_key_id.
config.name: crawl_interval | No | How often the agent refreshes AWS inventory. See Shared Configuration Options.
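The following validator is an added example, not part of the Coordimap agent or this page: it checks an AWS data source block against the options table above before the agent is restarted, catching placeholders left in the YAML, a scope_id that is not a 12-digit account ID, credentials that are hardcoded instead of referenced from the environment, and a missing credential pair when policy_config is "false". It assumes the YAML has already been parsed (for example with PyYAML) into the dict shape shown in the constructed samples; the function names and the interpretation of policy_config "false" as "explicit credentials required" are the example's own assumptions.

```python
import re

# A 12-digit AWS account ID is the only valid scope_id for this data source.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# crawl_interval values such as 30s, 5m or 1h (assumed format, matching the page's "5m").
DURATION_RE = re.compile(r"^\d+[smh]$")
# Secrets should be ${ENV_VAR} references, never literals committed with the YAML.
ENV_REF_RE = re.compile(r"^\$\{[A-Z_][A-Z0-9_]*\}$")


def config_map(data_source):
    """Flatten the page's list of {name, value} config entries into a dict."""
    return {entry["name"]: entry["value"] for entry in data_source.get("config", [])}


def validate_aws_data_source(data_source):
    """Return a list of problems found in one AWS data source block (empty list means OK)."""
    problems = []
    if data_source.get("type") != "aws":
        problems.append("type must be 'aws'")

    dsid = str(data_source.get("data_source_id", ""))
    if not dsid or dsid.startswith("<"):
        problems.append("data_source_id is missing or still a placeholder from the template")

    cfg = config_map(data_source)

    if not ACCOUNT_ID_RE.match(str(cfg.get("scope_id", ""))):
        problems.append("scope_id must be the 12-digit AWS account ID")

    policy = str(cfg.get("policy_config", "")).lower()
    if policy not in ("true", "false"):
        problems.append('policy_config must be "true" or "false"')

    has_key = "access_key_id" in cfg
    has_secret = "secret_access_key" in cfg
    if has_key != has_secret:
        problems.append("access_key_id and secret_access_key must be set together")
    if policy == "false" and not (has_key and has_secret):
        problems.append("explicit credentials require both access_key_id and secret_access_key")

    # Hardcoded key material in the agent YAML is the most common mistake; insist on env references.
    for name in ("access_key_id", "secret_access_key"):
        if name in cfg and not ENV_REF_RE.match(str(cfg[name])):
            problems.append(f"{name} should be an environment reference such as ${{AWS_...}}, not a literal")

    if "crawl_interval" in cfg and not DURATION_RE.match(str(cfg["crawl_interval"])):
        problems.append("crawl_interval must look like 30s, 5m or 1h")

    return problems


# Constructed sample: the page's template as PyYAML would parse it, placeholders untouched.
TEMPLATE_SAMPLE = {
    "type": "aws",
    "data_source_id": "<YOUR_DATASOURCE_ID_FROM_UI>",
    "config": [
        {"name": "scope_id", "value": "<AWS_ACCOUNT_ID>"},
        {"name": "policy_config", "value": "true"},
        {"name": "access_key_id", "value": "${AWS_ACCESS_KEY_ID}"},
        {"name": "secret_access_key", "value": "${AWS_SECRET_ACCESS_KEY}"},
        {"name": "crawl_interval", "value": "5m"},
    ],
}

# Constructed sample: a filled-in block using a made-up account ID and data source ID.
FILLED_SAMPLE = {
    "type": "aws",
    "data_source_id": "ds-example-0001",
    "config": [
        {"name": "scope_id", "value": "123456789012"},
        {"name": "policy_config", "value": "true"},
        {"name": "crawl_interval", "value": "5m"},
    ],
}

if __name__ == "__main__":
    for label, sample in (("template", TEMPLATE_SAMPLE), ("filled", FILLED_SAMPLE)):
        print(label, validate_aws_data_source(sample) or "OK")
```

Run it against each data_sources entry after parsing the agent YAML; an empty list means the block is consistent with the table above, and any message names the attribute to fix before restarting the agent.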

Visualizing Network Flows With VPC Flow Logs

To see how resources inside your AWS VPCs communicate, configure AWS VPC Flow Logs and ingest them through the AWS flow logs data source.

Use the same AWS account scope_id in both the AWS infrastructure crawler and the AWS flow logs crawler. That is how Coordimap knows the flow telemetry belongs to the same AWS asset graph.

Read the flow log setup guide here: AWS Flow Logs Configuration.

Next Steps

  1. Prepare the credentials the agent should use.
  2. Add the AWS data source block to the agent YAML file.
  3. Set COORDIMAP_API_KEY where the agent runs.
  4. Restart the agent.
  5. Verify that resources appear in Coordimap after the next crawl cycle.
