How to Integrate AWS with Spinnaker

Overview

Anooptej Thotapalli
Feb 4, 2021


  • This post assumes you already have Spinnaker installed and walks through integrating AWS with it.
  • In AWS, EC2 is used to launch as many VMs as needed, to configure security and networking, and to manage storage.
  • In Spinnaker, AWS plays almost the same role once a user configures AWS as a cloud provider.
  • There are two methods to configure AWS as a cloud provider:
  1. By using the AWS Console
  2. By using the AWS CLI
  • In this document we will explore the integration process using the AWS Console.

Steps to Setup EC2 with Spinnaker

  • Steps to create Managing Account
  1. Navigate to Console > CloudFormation and select your preferred region.
  2. Download the template locally.
  3. Search for ‘SpinnakerInstanceProfileArn’ and comment out the line.
  4. (Optional) Add additional managed accounts as shown on line 158 in the SpinnakerAssumeRolePolicy section of the downloaded template file.
  5. Create the CloudFormation stack:
    - Create Stack > Upload a template to Amazon S3 > Browse to the template you downloaded in Step-2 above > Next
    - Enter the stack name ‘spinnaker-managing-infrastructure-setup’, then click the ‘UseAccessKeyForAuthentication’ dropdown and select true to get the access key and secret key.
    - Follow the on-screen prompts and click to create the stack.
  6. Once the stack is created, select the stack you created above, open Outputs, and note the values (AccessKeyId, Secret, ManagingAccountID and AuthArn). These values are mandatory for subsequent configurations.
  • Steps to Create Managed Account.
  1. Navigate to Console > CloudFormation and select your preferred region.
  2. Download the template locally.
  3. Create the CloudFormation stack:
    - Create Stack > Upload a template to Amazon S3 > Browse to the template you downloaded in Step-2 above > Next
    - Enter the stack name ‘spinnaker-managed-infrastructure-setup’.
    - Enter the AuthArn and ManagingAccountId values noted above, then follow the on-screen prompts to create the stack.

Steps to Create IAM Role for EC2

  1. Navigate to Console > IAM > Roles
  2. Click on Create New Role, select EC2, and name it as required (e.g. ec2-instance).
  3. Search for the policies below:
    - AmazonEC2FullAccess
    - spinnakerAssumeRolePolicy
    - baseiampolicy
    - AutoScalingFullAccess
    - PowerUserAccess
  4. Click on Review and Submit to create the role.
  5. Edit the newly created role, click on Trust Relationships, and add the JSON entry below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ec2.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Steps to Create “Spinnaker AssumeRole Policy”

  1. Navigate to Console > IAM > Policies.
  2. Click on Create New Policy, click on JSON, and add the code shown below these steps.
  3. Name the policy “Spinnaker AssumeRole Policy”.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::<AWSAccountID>:role/spinnakerManaged",
        "arn:aws:iam::<AWSAccountID>:role/spinnakerManaged"
      ],
      "Effect": "Allow"
    }
  ]
}
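
A pre-flight lint for the two policy documents above, as an added example that is not part of the original post: it flags unresolved placeholders, duplicate or wildcard role ARNs in the AssumeRole policy, and any principal other than ec2.amazonaws.com in the trust policy. The function names and the 12-digit account IDs in the sample are assumptions made for illustration.

```python
import fnmatch
import re

# Exact role ARN with a 12-digit account ID (no placeholders, no wildcards).
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

def as_list(value):
    """IAM accepts a bare string wherever it accepts a list."""
    return value if isinstance(value, list) else [value]

def lint_assume_role_policy(policy):
    """Findings for an identity policy that allows sts:AssumeRole."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        grants = any(fnmatch.fnmatchcase("sts:assumerole", a) for a in actions)
        if stmt.get("Effect") != "Allow" or not grants:
            continue
        seen = set()
        for arn in as_list(stmt.get("Resource", [])):
            if arn in seen:
                findings.append(f"duplicate resource: {arn}")
                continue
            seen.add(arn)
            if "*" in arn or "?" in arn:
                findings.append(f"wildcard resource: {arn}")
            elif not ROLE_ARN.match(arn):
                findings.append(f"not a concrete role ARN: {arn}")
    return findings

def lint_trust_policy(policy, allowed_services=("ec2.amazonaws.com",)):
    """Findings for a trust policy that should trust only the listed services."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):  # e.g. "Principal": "*"
            findings.append(f"unexpected principal: {principal!r}")
            continue
        for kind, values in principal.items():
            for value in as_list(values):
                if kind != "Service" or value not in allowed_services:
                    findings.append(f"unexpected principal: {kind}={value}")
    return findings

# Constructed sample: the page's policy with made-up 12-digit account IDs filled in.
FILLED = {"Version": "2012-10-17", "Statement": [{
    "Action": "sts:AssumeRole", "Effect": "Allow",
    "Resource": ["arn:aws:iam::111111111111:role/spinnakerManaged",
                 "arn:aws:iam::222222222222:role/spinnakerManaged"]}]}
```

Run against the policy exactly as printed above, `lint_assume_role_policy` reports the unresolved `<AWSAccountID>` placeholder and the repeated ARN; an empty list means the document passed.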

Steps to configure AWS EC2 using AWS CLI

Managing Account creation using

  • Run the commands below to run Spinnaker with an access key and secret:
# Download the managing-account template and save it as managing.yaml
curl -fsSL -o managing.yaml https://d3079gxvs8ayeg.cloudfront.net/templates/managing.yaml
echo "Optionally add Managing account to the file downloaded as shown on line 158 in the SpinnakerAssumeRolePolicy section of the downloaded file."
# CAPABILITY_NAMED_IAM acknowledges that the template creates named IAM resources
aws cloudformation deploy --stack-name spinnaker-managing-infrastructure-setup --template-file managing.yaml \
--parameter-overrides UseAccessKeyForAuthentication=true --capabilities CAPABILITY_NAMED_IAM --region us-east-1
  • Run the commands below to run Spinnaker with an instance profile:
# Download the managing-account template and save it as managing.yaml
curl -fsSL -o managing.yaml https://d3079gxvs8ayeg.cloudfront.net/templates/managing.yaml
echo "Optionally add Managing account to the file downloaded as shown on line 158 in the SpinnakerAssumeRolePolicy section of the downloaded file."
# CAPABILITY_NAMED_IAM acknowledges that the template creates named IAM resources
aws cloudformation deploy --stack-name spinnaker-managing-infrastructure-setup --template-file managing.yaml \
--parameter-overrides UseAccessKeyForAuthentication=false --capabilities CAPABILITY_NAMED_IAM --region us-east-1

Managed Account Creation

  • Note: These steps need to be carried out for the managing account as well.
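# Download the managed-account template and save it as managed.yaml
curl -fsSL -o managed.yaml https://d3079gxvs8ayeg.cloudfront.net/templates/managed.yaml
# Replace FROM_ABOVE with the AuthArn and ManagingAccountId values noted from the managing stack
aws cloudformation deploy --stack-name spinnaker-managed-infrastructure-setup --template-file managed.yaml \
--parameter-overrides AuthArn=FROM_ABOVE ManagingAccountId=FROM_ABOVE --capabilities CAPABILITY_NAMED_IAM --region us-east-1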

Configure Halyard with AccessKeys

  • These steps need to be executed only if you selected UseAccessKeyForAuthentication as true in Option-1 or Option-2 above.
# Update this with your access key ID
ACCESSKEYID=12345678910
hal config provider aws edit --access-key-id "${ACCESSKEYID}" \
--secret-access-key # do not supply the key here, you will be prompted
hal config provider aws bakery edit --aws-access-key "${ACCESSKEYID}" \
--aws-secret-key # do not supply the key here, you will be prompted

Configure Halyard to add AWS account

  • Run the commands below to add the AWS EC2 account:
# Name for the AWS account in Spinnaker, e.g. my-aws-account
AWS_ACCOUNT_NAME=my-aws-account
# ACCOUNT_ID must already hold the ID of the AWS account being added
hal config provider aws account add "$AWS_ACCOUNT_NAME" \
--account-id "${ACCOUNT_ID}" \
--assume-role role/spinnakerManaged \
--regions us-east-1
  • Run the command below to enable the AWS provider:
hal config provider aws enable
  • Now redeploy Spinnaker so the changes take effect:
hal deploy apply

Now you have successfully configured AWS as a cloud provider in Spinnaker.
