Bake and Share Amazon Machine Images Across Accounts
Overview of sharing AMIs across accounts
In many environments, SpinnakerTM runs under a different AWS account than the target deployment account. This guide shows you how to configure Spinnaker to share an AMI created where Spinnaker lives with the AWS account where your applications live. This guide is assuming that AWS roles are already properly setup for talking to the target account.
Spinnaker configuration for sharing baked AMIs
You can add the following snippet to your SpinnakerService
manifest and apply it after replacing the example values with ones that correspond to your environment. The example adds an AWS account and configures the baking service (Rosco) with default values:
apiVersion: spinnaker.armory.io/v1alpha2
kind: SpinnakerService
metadata:
name: spinnaker
spec:
spinnakerConfig:
config:
aws:
enabled: true
accounts:
- name: my-aws-account
requiredGroupMembership: []
providerVersion: V1
permissions: {}
accountId: 'aws-account-id' # Use your AWS account id
regions: # Specify all target regions for deploying applications
- name: us-west-2
assumeRole: role/SpinnakerManagedProfile # Role name that worker nodes of Spinnaker cluster caassume in the target account to make deployments and scan infrastructure
primaryAccount: my-aws-account
bakeryDefaults:
baseImages: []
defaultKeyPairTemplate: '{{"{{"}}name{{"}}"}}-keypair'
defaultRegions:
- name: us-west-2
defaults:
iamRole: BaseIAMRole
... # Config omitted for brevity
service-settings:
rosco:
env:
SPINNAKER_AWS_DEFAULT_REGION: "us-west-2" # Replace by default bake region
SPINNAKER_AWS_DEFAULT_ACCOUNT: "target-aws-account-id" # Target AWS account id
... # Config omitted for brevity
First, add the AWS provider account with Halyard. Next, make sure to enable the AWS provider:
hal config provider aws enable
Then, add a rosco.yml
file under ~/.hal/default/service-settings/
that contains the following snippet:
env:
SPINNAKER_AWS_DEFAULT_REGION: "YOUR_DEFAULT_REGION"
SPINNAKER_AWS_DEFAULT_ACCOUNT: "YOUR_DEFAULT_AWS_ACCOUNT_ID"
SPINNAKER_AWS_DEFAULT_ACCOUNT
is the target account ID.
Spinnaker pipeline Bake stage configuration
Make sure to check the Show Advanced Options
checkbox. Then where it says Template File Name
use aws-multi-ebs.json as the value.
Then add an Extended Attribute
. Have the key be share_with_1
and the value being the target AWS account ID that was used for SPINNAKER_AWS_DEFAULT_ACCOUNT
. share_with_1
is for ami_users inside Packer.
You can also copy the resulting AMI to different regions by overriding the copy_to_1 values. These match up to ami_regions inside Packer.
Feedback
Was this page helpful?
Thank you for letting us know!
Sorry to hear that. Please tell us how we can improve.
Last modified January 25, 2021: (1b76da5)