Amazon Web Services

Configuring AWS for Spinnaker

AWS Compute with the Spinnaker AWS Cloud Provider

The AWS Cloud Provider allows Spinnaker to release artifacts to some of the AWS compute services.

There are several ways to configure the Amazon Web Services (AWS) Cloud Provider. Choose one or more based on your requirements:

AWS IAM Permissions with the AWS Cloud Provider

AWS controls permissions with AWS Identity and Access Management (IAM). Spinnaker functionality with AWS requires an AWS IAM structure to be ready in the AWS target accounts.

There are two types of Accounts in the Spinnaker AWS provider: AWS Managing account and AWS Managed account(s).

From the Spinnaker perspective, Halyard configures Spinnaker to use the AWS Managing account to control the AWS Managed account(s).

Note: The AWS IAM structure must be set up prior to adding the Spinnaker AWS Provider with Halyard.

From the AWS perspective, the AWS Managing account assumes control of the AWS Managed account(s) through the use of AWS IAM Roles. By assuming a role across AWS Accounts, Spinnaker can control AWS resources from multiple AWS Managed accounts.

Refer to AWS IAM Providing Access to multiple AWS Accounts for AWS technical details.

  1. AWS Managing account. There is always exactly one managing account. This account is what Spinnaker authenticates as and, if necessary, uses to assume roles in the managed account(s).

  2. AWS Managed. Every AWS account that you want to modify resources in is a managed account. Managed accounts require AWS IAM policies and a trust relationship to grant AssumeRole access to the managed account(s).

    The AWS Managing account assumes the roles of the AWS Managed account(s).

    Example: AWS Managing account spinnakermanaging can assume the Managed role in the accounts accountdev, accountstaging, accountprod and deploy a baked AMI in the pipeline.

Example diagram of managing and managed roles
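
The trust relationship described above can be checked before the provider is added. The following is an added example, not code from the Spinnaker project: it builds the trust policy for the role in a managed account and audits a policy for any principal other than the managing one. The account ID, the role name SpinnakerManagingRole and the function names are assumptions made for illustration.

```python
# Constructed values: the account ID and role name below are placeholders.
MANAGING_PRINCIPAL = "arn:aws:iam::111111111111:role/SpinnakerManagingRole"


def managed_trust_policy(managing_principal):
    """Trust policy for the role in a managed account (accountdev, ...):
    only the managing principal may call sts:AssumeRole on it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": managing_principal},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    # IAM policy fields may hold a single value or a list of values.
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, expected_principal):
    """List every principal, other than the expected managing principal,
    that an Allow statement lets assume the role. Empty list: none found."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # shorthand for every principal
            principal = {"AWS": "*"}
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind != "AWS" or value != expected_principal:
                    findings.append(
                        f"statement {i}: {kind} principal {value} can assume the role")
    return findings


if __name__ == "__main__":
    policy = managed_trust_policy(MANAGING_PRINCIPAL)
    print(audit_trust_policy(policy, MANAGING_PRINCIPAL))
```

The audit reads only Effect, Action and Principal; Condition and NotPrincipal elements are not evaluated.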

Amazon EC2

Deploy Spinnaker to Amazon EC2.

Amazon ECS

Deploy Spinnaker to ECS.

Amazon Web Services Concepts

Spinnaker uses two types of accounts for AWS, and each one performs a different duty. They are classified as either a managing or managed account.