Bake and Share Amazon Machine Images Across Accounts

Configure Spinnaker to share an Amazon Machine Image (AMI) when Spinnaker and the deployment target run in different AWS accounts.

Overview of sharing AMIs across accounts

In many environments, Spinnaker runs under a different AWS account than the target deployment account. This guide shows you how to configure Spinnaker to share an AMI baked in the account where Spinnaker lives with the AWS account where your applications live. It assumes that the AWS roles Spinnaker needs in order to talk to the target account are already set up.

Spinnaker configuration for sharing baked AMIs

You can add the following snippet to your SpinnakerService manifest and apply it after replacing the example values with ones that correspond to your environment. The example adds an AWS account and configures the baking service (Rosco) with default values:

apiVersion: spinnaker.armory.io/v1alpha2
kind: SpinnakerService
metadata:
  name: spinnaker
spec:
  spinnakerConfig:
    config:
      aws:
        enabled: true
        accounts:
        - name: my-aws-account
          requiredGroupMembership: []
          providerVersion: V1
          permissions: {}
          accountId: 'aws-account-id'               # Use your AWS account id
          regions:                                  # Specify all target regions for deploying applications
            - name: us-west-2
          assumeRole: role/SpinnakerManagedProfile  # Role name that Spinnaker's worker nodes can assume in the target account to deploy and to scan infrastructure
        primaryAccount: my-aws-account
        bakeryDefaults:
          baseImages: []
        defaultKeyPairTemplate: '{{name}}-keypair'
        defaultRegions:
        - name: us-west-2
        defaults:
          iamRole: BaseIAMRole
          ... # Config omitted for brevity
    service-settings:
      rosco:
        env:
          SPINNAKER_AWS_DEFAULT_REGION: "us-west-2"               # Replace by default bake region
          SPINNAKER_AWS_DEFAULT_ACCOUNT: "target-aws-account-id"  # Target AWS account id
          ... # Config omitted for brevity

If you manage Spinnaker with Halyard instead of the Operator, first add the AWS provider account with Halyard. Next, make sure the AWS provider is enabled:

hal config provider aws enable

Then, add a rosco.yml file under ~/.hal/default/service-settings/ that contains the following snippet:

env:
  SPINNAKER_AWS_DEFAULT_REGION: "YOUR_DEFAULT_REGION"
  SPINNAKER_AWS_DEFAULT_ACCOUNT: "YOUR_DEFAULT_AWS_ACCOUNT_ID"

SPINNAKER_AWS_DEFAULT_ACCOUNT is the target account ID.

Spinnaker pipeline Bake stage configuration

Bake Stage

In the Bake stage, check the Show Advanced Options checkbox, then set Template File Name to aws-multi-ebs.json.

Then add an Extended Attribute with the key share_with_1 and, as its value, the target AWS account ID you used for SPINNAKER_AWS_DEFAULT_ACCOUNT. share_with_1 maps to ami_users in the Packer template, which grants that account launch permission on the baked AMI.

You can also copy the resulting AMI to other regions by overriding the copy_to_1 value. This maps to ami_regions inside Packer.
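As an added example (not part of this page or of Spinnaker's own code), the following Python helper shows how the share_with_N and copy_to_N extended attributes feed Packer's ami_users and ami_regions, and lints them against the target account configured in rosco.yml; the attribute values and account ID are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: extended attributes as entered on a Bake stage and the
# SPINNAKER_AWS_DEFAULT_ACCOUNT value from rosco.yml (both hypothetical).
SAMPLE_ATTRIBUTES = {
    "share_with_1": "123456789012",
    "copy_to_1": "us-east-1",
    "copy_to_2": "eu-west-1",
}
SAMPLE_DEFAULT_ACCOUNT = "123456789012"

ACCOUNT_ID = re.compile(r"^\d{12}$")                    # AWS account ids are 12 digits
REGION = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")       # e.g. us-west-2, us-gov-west-1
ATTR = re.compile(r"^(share_with|copy_to)_(\d+)$")


def packer_vars_from_stage(attributes: Dict[str, str],
                           default_account: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Map Bake-stage extended attributes to the Packer variables they feed
    (share_with_N -> ami_users, copy_to_N -> ami_regions) and report problems.
    Returns (packer_vars, problems); an empty problems list means the stage is consistent."""
    parsed = []
    for key, value in attributes.items():
        match = ATTR.match(key)
        if match:                                       # ignore unrelated attributes
            parsed.append((match.group(1), int(match.group(2)), value.strip()))
    parsed.sort()                                       # numeric order: share_with_2 before share_with_10

    ami_users: List[str] = []
    ami_regions: List[str] = []
    problems: List[str] = []
    for kind, n, value in parsed:
        if kind == "share_with":
            if not ACCOUNT_ID.match(value):
                problems.append(f"share_with_{n}: {value!r} is not a 12-digit AWS account id")
            elif value not in ami_users:                # drop duplicates silently
                ami_users.append(value)
        elif not REGION.match(value):
            problems.append(f"copy_to_{n}: {value!r} does not look like an AWS region")
        elif value not in ami_regions:
            ami_regions.append(value)

    # The account Rosco bakes for must be able to launch the image it produced.
    if default_account not in ami_users:
        problems.append(f"target account {default_account} is not listed in any share_with_N")
    return {"ami_users": ami_users, "ami_regions": ami_regions}, problems


if __name__ == "__main__":
    print(packer_vars_from_stage(SAMPLE_ATTRIBUTES, SAMPLE_DEFAULT_ACCOUNT))
```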


Last modified January 25, 2021: (1b76da5)