AWS Compute with the Spinnaker AWS Cloud Provider
The AWS Cloud Provider allows Spinnaker to release artifacts in some of the AWS compute services
There are several ways to configure the Amazon Web Services (AWS) Cloud Provider. Choose one or more based on your requirements:
- Amazon Elastic Compute Cloud (EC2) - - Use this option, if you want to manage AWS EC2 via Spinnaker
- Amazon Elastic Container Service (ECS) - - Use this option, if you want to manage containers in AWS ECS
- Amazon Elastic Kubernetes Service (EKS) - Use this option, if you want to manage containers in AWS EKS. This option uses Kubernetes V2 (manifest based) Clouddriver
- Amazon Lambda (Lambda) - Use this option, if you want to enable AWS Lambda support
AWS IAM Permissions with the AWS Cloud Provider
AWS controls the permissions with AWS IAM Identity Access Management. Spinnaker functionality with AWS requires an AWS IAM structure to be ready in the AWS target accounts.
There are two types of Accounts in the Spinnaker AWS provider: AWS Managing account and AWS Managed account(s).
From the Spinnaker perspective, Halyard configures Spinnaker to use the AWS Managing account to control the AWS Managed account(s).
Note The AWS IAM structure must be set up prior to adding the Spinnaker AWS Provider with Halyard.
From the AWS perspective, AWS Managing account assumes control of the AWS Managed account(s) through the use of AWS IAM Roles. By assuming a role across AWS Accounts, Spinnaker can control AWS resources from multiple AWS Managed accounts.
Refer to AWS IAM Providing Access to multiple AWS Accounts for AWS technical details.
- AWS Managing account. There is always exactly one managing account. This account is what Spinnaker authenticates as and, if necessary, uses to assumes roles in the managed account(s).
AWS Managed. Every AWS account that you want to modify resources in is a managed account. Managed accounts require AWS IAM policies and a trust relationship to grant
AssumeRoleaccess to the managed account(s).
The AWS Managing account assumes the roles of the AWS Managed account(s).
Example: AWS Managing account
spinnakermanagingcan assume the Managed role in the accounts accountdev, accountstaging, accountprod and deploy a baked AMI in the pipeline.