Setting up a fleet
Import targets from CSV, discover RDS and Aurora instances from AWS, and manage fleet credentials.
Before you can run rdst fleet audit, you need a fleet. RDST gives you three ways
to build one:
| Path | When to use | Command |
|---|---|---|
| AWS discovery | Your databases are AWS RDS / Aurora | rdst fleet discover --regions us-east-1 |
| CSV import | You have a list of databases in a spreadsheet | rdst fleet import --from fleet.csv |
| Interactive wizard | You want guided setup | rdst fleet configure |
Option A — AWS discovery
rdst fleet discover calls the AWS RDS API and registers every RDS instance and
Aurora cluster it finds. This is the fastest path when you are on AWS.
Set up AWS credentials if you have not already:
aws configure sso
aws sts get-caller-identity # verifyexport AWS_ACCESS_KEY_ID="AKIA..."
export AWS_SECRET_ACCESS_KEY="..."
export AWS_DEFAULT_REGION=us-east-1
aws sts get-caller-identity # verifyRun discovery:
rdst fleet discover --regions us-east-1,us-west-2Use --name-pattern to scope to specific instance names, and
--engine-filter postgresql or mysql to filter by engine.
Set credentials when prompted:
[1] Shared password— one password for all discovered instances[2] Individual— set user/password per instance[3] Skip— register targets without credentials (configure later)
Export the password env vars RDST prints. Discovery outputs a set of
export FOO_PASS=... lines you need to run in your shell. On macOS with
Keychain, passwords persist automatically; on Linux and WSL you need to re-run
the exports each session.
What Aurora clusters look like after discovery
For every Aurora cluster, discovery creates:
| Target | Endpoint | Tags |
|---|---|---|
<cluster>-writer | Cluster writer endpoint | aurora, writer |
<cluster>-reader-<n> | Each reader instance | aurora, reader |
All instances from one cluster share the same group, so you can audit just that
cluster with rdst fleet audit --group <cluster-name>.
Flags
| Flag | Purpose |
|---|---|
--regions <list> | Comma-separated AWS regions |
--engine-filter {postgresql,mysql,all} | Filter by engine |
--name-pattern <glob> | Only discover instance names matching a glob |
--password-env <var> | Env var for all discovered targets' passwords |
--user <username> | Override default DB user |
--group <name> | Assign all discovered targets to one group |
--dry-run | Preview without saving |
Option B — CSV import
rdst fleet import --from ./fleet.csv --password-env FLEET_PASSCSV format
Required columns: name, host, engine.
Optional columns: port, database, user, group, tags, password_env,
password_secret_arn.
name,host,engine,port,database,user,group,tags,password_env
prod-orders,db1.example.com,postgresql,5432,orders,rdst_ro,orders-prod,pii,PROD_ORDERS_PASS
prod-inventory,db2.example.com,postgresql,5432,inventory,rdst_ro,inventory-prod,,PROD_INV_PASS
staging-orders,staging.example.com,postgresql,5432,orders,rdst_ro,staging,,STAGING_PASS
legacy-mysql,legacy.example.com,mysql,3306,appdb,rdst_ro,legacy,mysql,LEGACY_PASStags is a semicolon-separated list (aurora;writer;pii). password_env can be
set per-row or left blank to fall back to the global --password-env value.
Flags
| Flag | Purpose |
|---|---|
--from <csv> | Path to the CSV file |
--password-env <var> | Default env var for any row with blank password_env |
--group <name> | Assign all imported rows to one group (overrides CSV) |
--tag <tag> | Add a tag to all imported rows (repeatable) |
--dry-run | Preview what would be imported |
Option C — Interactive wizard
rdst fleet configureThis is just the two options above wrapped in a menu — choose AWS discovery or CSV import, with prompts for every required field. Use it when you want a guided path instead of remembering flags.
Listing and filtering the fleet
Once your fleet is populated:
# List every target
rdst fleet list
# Filter by group
rdst fleet list --group orders-prod
# Filter by tag
rdst fleet list --tag aurora --tag writer
# JSON output
rdst fleet list --jsonChanging a target's group or tags
Groups and tags are per-target attributes, so you change them through
rdst configure edit:
# Move a target into a different group
rdst configure edit prod-orders-reader-2 --group orders-prod-readers
# Replace the tags on a target
rdst configure edit prod-orders-writer --tags aurora,writer,pii
# Clear a target's group (back to ungrouped)
rdst configure edit legacy-mysql --group ""The change is local and takes effect immediately — every subsequent rdst fleet list --group ... or rdst fleet audit --group ... will reflect it. There is no
bulk "move group" command; if you need to re-group several targets at once, loop
over them in your shell:
for name in prod-orders-reader-1 prod-orders-reader-2 prod-orders-reader-3; do
rdst configure edit "$name" --group orders-prod-readers
doneChecking connectivity
rdst fleet status
rdst fleet status --group orders-prodstatus opens a connection to every target (or every filtered target) and prints
latency plus any errors. It's the first thing to run after import or discovery to
confirm passwords are exported and network paths are clear.
Name Host Engine Status Latency
──────────────────── ───────────────────── ────────── ───────── ────────
prod-orders db1.example.com postgresql ✓ OK 12 ms
prod-inventory db2.example.com postgresql ✓ OK 15 ms
staging-orders staging.example.com postgresql ✓ OK 28 ms
legacy-mysql legacy.example.com mysql ✗ FAILED —
authentication failed (LEGACY_PASS not set)Using AWS Secrets Manager
If your passwords live in AWS Secrets Manager, set password_secret_arn on a target
(either in the CSV or during discovery). RDST will fetch the secret value at the
start of each session and cache it for the duration of the run.
name,host,engine,password_env,password_secret_arn
prod-orders,db1.example.com,postgresql,,arn:aws:secretsmanager:us-east-1:123...:secret:prod-ordersPrecedence: password_env wins if both are set, so you can override with a local env
var when needed.
See also
rdst fleet audit— once your fleet is populated, audit every target at once- Configuration — Targets — how individual targets are structured