Amazon Web Services Concepts

Spinnaker uses two types of accounts for AWS, and each one performs a different duty. They are classified as either a managing or managed account.


There are two types of Accounts in the Spinnaker AWS provider: AWS Managing account and AWS Managed account(s).

From the Spinnaker perspective, Halyard configures Spinnaker to use the AWS Managing account to control the AWS Managed account(s).

Note The AWS IAM structure must be set up prior to adding the Spinnaker AWS Provider with Halyard.

From the AWS perspective, AWS Managing account assumes control of the AWS Managed account(s) through the use of AWS IAM Roles. By assuming a role across AWS Accounts, Spinnaker can control AWS resources from multiple AWS Managed accounts.

Refer to AWS IAM Providing Access to multiple AWS Accounts for AWS technical details.

  1. AWS Managing account. There is always exactly one managing account. This account is what Spinnaker authenticates as and, if necessary, uses to assumes roles in the managed account(s).

  2. AWS Managed. Every AWS account that you want to modify resources in is a managed account. Managed accounts require AWS IAM policies and a trust relationship to grant AssumeRole access to the managed account(s).

    The AWS Managing account assumes the roles of the AWS Managed account(s).

    Example: AWS Managing account spinnakermanaging can assume the Managed role in the accounts accountdev, accountstaging, accountprod and deploy a baked AMI in the pipeline.

Example diagram of managing and managed roles

There are several ways to configure the Amazon Web Services (AWS) Cloud Provider. Choose one or more based on your requirements: