Bake and Share AMIs Across Accounts
Overview
Many people run Spinnaker in a different AWS account from the one they deploy to (the target account). This guide shows you how to configure Spinnaker to share an AMI created in the account where Spinnaker lives with the AWS account where your applications live. It assumes that the AWS roles for talking to the target account are already set up properly.
Configuration
Operator
You can add the following snippet to your SpinnakerService manifest and apply it after replacing the example values with ones that correspond to your environment. The example adds an AWS account and configures the baking service (Rosco) with default values:
apiVersion: spinnaker.armory.io/v1alpha2
kind: SpinnakerService
metadata:
  name: spinnaker
spec:
  spinnakerConfig:
    config:
      aws:
        enabled: true
        accounts:
        - name: my-aws-account
          requiredGroupMembership: []
          providerVersion: V1
          permissions: {}
          accountId: 'aws-account-id' # Use your AWS account id
          regions: # Specify all target regions for deploying applications
          - name: us-west-2
          assumeRole: role/SpinnakerManagedProfile # Role name that worker nodes of the Spinnaker cluster can assume in the target account to make deployments and scan infrastructure
        primaryAccount: my-aws-account
        bakeryDefaults:
          baseImages: []
        defaultKeyPairTemplate: '{{name}}-keypair'
        defaultRegions:
        - name: us-west-2
        defaults:
          iamRole: BaseIAMRole
      ... # Config omitted for brevity
    service-settings:
      rosco:
        env:
          SPINNAKER_AWS_DEFAULT_REGION: "us-west-2" # Replace with your default bake region
          SPINNAKER_AWS_DEFAULT_ACCOUNT: "target-aws-account-id" # Target AWS account id
      ... # Config omitted for brevity
Halyard
First, add the AWS provider account with Halyard. Next, make sure to enable the AWS provider:
hal config provider aws enable
Then, add a rosco.yml file under ~/.hal/default/service-settings/ that contains the following snippet:
env:
  SPINNAKER_AWS_DEFAULT_REGION: "YOUR_DEFAULT_REGION"
  SPINNAKER_AWS_DEFAULT_ACCOUNT: "YOUR_DEFAULT_AWS_ACCOUNT_ID"
SPINNAKER_AWS_DEFAULT_ACCOUNT is the target account ID.
Bake Stage
Make sure to check the Show Advanced Options checkbox. Then, where it says Template File Name, use aws-multi-ebs.json as the value.
Then add an Extended Attribute. Set the key to share_with_1 and the value to the target AWS account ID that was used for SPINNAKER_AWS_DEFAULT_ACCOUNT. share_with_1 is for ami_users inside Packer.
You can also copy the resulting AMI to different regions by overriding the copy_to_1 values. These match up to ami_regions inside Packer.
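After a bake, you can confirm that the AMI is shared only with the accounts named in the share_with_N attributes and has not been made public. The following is an added example, not part of the original guide or of Spinnaker; it assumes the JSON was saved from aws ec2 describe-image-attribute --attribute launchPermission, and the function names, account IDs and AMI ID are constructed for illustration.

```python
import json
import re

SHARE_KEY = re.compile(r"^share_with_\d+$")   # bake stage keys that feed ami_users
ACCOUNT_ID = re.compile(r"^\d{12}$")          # AWS account IDs are 12 digits


def expected_accounts(extended_attributes):
    """Return (valid, invalid) account IDs taken from share_with_N keys."""
    valid, invalid = set(), set()
    for key, value in extended_attributes.items():
        if SHARE_KEY.match(key):
            value = str(value).strip()
            (valid if ACCOUNT_ID.match(value) else invalid).add(value)
    return valid, invalid


def audit_launch_permissions(attribute_json, extended_attributes):
    """Compare an AMI's launch permissions with the stage's share_with_N values."""
    doc = json.loads(attribute_json)
    perms = doc.get("LaunchPermissions", [])
    expected, invalid = expected_accounts(extended_attributes)
    actual = {p["UserId"] for p in perms if "UserId" in p}
    return {
        "image_id": doc.get("ImageId"),
        # {"Group": "all"} means any AWS account can launch the image
        "public": any(p.get("Group") == "all" for p in perms),
        "missing": sorted(expected - actual),      # configured but not shared
        "unexpected": sorted(actual - expected),   # shared but not configured
        "invalid_attributes": sorted(invalid),     # malformed share_with_N values
    }


# Constructed sample data: stage attributes and describe-image-attribute output.
STAGE_ATTRIBUTES = {"share_with_1": "111111111111", "share_with_2": "22222",
                    "copy_to_1": "us-east-1"}
SAMPLE_ATTRIBUTE_JSON = json.dumps({
    "ImageId": "ami-0123456789abcdef0",
    "LaunchPermissions": [{"UserId": "111111111111"},
                          {"UserId": "333333333333"},
                          {"Group": "all"}],
})

if __name__ == "__main__":
    report = audit_launch_permissions(SAMPLE_ATTRIBUTE_JSON, STAGE_ATTRIBUTES)
    print(json.dumps(report, indent=2))
```

Run the check in every region listed in copy_to_N as well, since each copied AMI has its own ID and its own launch permissions.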