Bake and Share AMIs Across Accounts

Overview

Many people run Spinnaker in a different AWS account from the one they deploy to (the target account). This guide shows how to configure Spinnaker to share an AMI created in the account where Spinnaker lives with the AWS account where your applications live. It assumes that AWS roles are already properly set up for talking to the target account.

Halyard Configuration

Add the AWS provider account with Halyard. Next, make sure to enable the AWS provider:

hal config provider aws enable

Now we need to add a rosco.yml file under ~/.hal/default/service-settings/ that contains the following:

env:
  SPINNAKER_AWS_DEFAULT_REGION: "YOUR_DEFAULT_REGION"
  SPINNAKER_AWS_DEFAULT_ACCOUNT: "YOUR_DEFAULT_AWS_ACCOUNT_ID"

SPINNAKER_AWS_DEFAULT_ACCOUNT is the target account ID.

Bake Stage

Make sure to check the Show Advanced Options checkbox. Then, in the Template File Name field, enter aws-multi-ebs.json as the value.

Then add an Extended Attribute. Set the key to share_with_1 and the value to the target AWS account ID that was used for SPINNAKER_AWS_DEFAULT_ACCOUNT. share_with_1 maps to ami_users inside Packer.

You can also copy the resulting AMI to different regions by overriding the copy_to_1 values. These match up to ami_regions inside Packer.
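
Packer's ami_users grants launch permission on the baked AMI, so after a bake it is worth confirming that the AMI is shared with the target account and with nothing else. The following is an added example, not part of the original guide or of Spinnaker: it audits the JSON printed by aws ec2 describe-image-attribute --attribute launchPermission. The function name, AMI ID and account IDs are constructed placeholders.

```python
import json

# Constructed sample in the shape returned by:
#   aws ec2 describe-image-attribute --image-id <ami> --attribute launchPermission
# The AMI ID and account IDs are placeholders, not values from this guide.
SAMPLE_RESPONSE = json.dumps({
    "ImageId": "ami-0123456789abcdef0",
    "LaunchPermissions": [
        {"UserId": "111111111111"},
        {"UserId": "222222222222"},
        {"Group": "all"},
    ],
})


def audit_launch_permissions(response_json, expected_accounts):
    """Compare an AMI's launch permissions with the accounts it should be shared with.

    missing    - expected accounts that cannot launch the AMI (share_with_* not applied)
    unexpected - accounts that can launch it but were not expected
    public     - True if every AWS account can launch it
    other      - grants that are neither an account nor the public group
    """
    expected = {str(a).strip() for a in expected_accounts}
    for acct in expected:
        # Account IDs are exactly 12 digits; this catches typos and IDs that
        # lost a leading zero by being stored as numbers.
        if not (acct.isascii() and acct.isdigit() and len(acct) == 12):
            raise ValueError(f"not a 12-digit AWS account ID: {acct!r}")

    doc = json.loads(response_json)
    granted, other, public = set(), [], False
    for perm in doc.get("LaunchPermissions", []):
        if perm.get("Group") == "all":
            public = True
        elif "UserId" in perm:
            granted.add(perm["UserId"])
        else:
            other.append(perm)

    return {"image_id": doc.get("ImageId"),
            "missing": sorted(expected - granted),
            "unexpected": sorted(granted - expected),
            "public": public, "other": other}


if __name__ == "__main__":
    print(audit_launch_permissions(SAMPLE_RESPONSE, ["111111111111"]))
```

A clean result has empty missing, unexpected and other lists and public set to False; anything else means the AMI is reachable by accounts the pipeline did not intend.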