How to connect with AWS

Last updated: December 12, 2024

Integrating Spacelift with AWS allows you to manage your infrastructure with temporary, dynamically generated credentials, enhancing security and compliance. This integration supports various Infrastructure as Code (IaC) tools, such as Terraform, CloudFormation, and Pulumi, ensuring efficient and secure management of AWS resources.

For more detailed instructions and examples, refer to the full AWS Integration Documentation.

Benefits of Using a Cloud Integration

  1. Enhanced Security: Avoids the need for long-lived static credentials, reducing the risk of credential leakage.

  2. Efficiency: Dynamically generated credentials streamline the management process, allowing seamless automation of infrastructure tasks.

Steps Required for Setup

  1. Set Up a Role in AWS:

    • Navigate to AWS IAM and click Create role.

    • Configure the role with the necessary permissions to manage your AWS resources.

  2. Configure the Trust Policy:

    • Define the Trust Policy to allow Spacelift to assume the IAM role.

    • Example Trust Policy:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Condition": {
              "StringLike": {
                "sts:ExternalId": "SpaceliftAccountName@*"
              }
            },
            "Effect": "Allow",
            "Principal": {
              "AWS": "324880187172"
            }
          }
        ]
      }

    • Note: Replace SpaceliftAccountName with your actual Spacelift account name. This value is case-sensitive.

  3. Create the IAM Role:

    • Attach at least one IAM policy to the role to provide sufficient permissions for resource management.

    • Take note of the IAM Role ARN as it will be needed for the integration setup.

  4. Navigate to Cloud Integrations in Spacelift:

    • Go to the Cloud Integration page from the Spacelift navigation sidebar.

    • Click Add your first integration to begin the integration creation.

  5. Create the Integration:

    • Specify the required fields: Name and Role ARN.

    • If needed, enable the "Assume Role on Worker" option for role assumption on your private worker.

    • Configure custom External IDs if necessary.

  6. Attach the Integration to Stacks:

    • Navigate to the stack you want to attach the integration to.

    • Go to the stack's settings and choose the integrations tab.

    • Select the AWS option, choose your integration, and specify whether it should be used for read, write, or both phases.

  7. Verify Role Assumption:

    • Spacelift then verifies that it can assume the role, which confirms the configuration is correct and guards against a malicious account takeover.
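The trust policy in step 2 is what keeps another AWS customer from assuming your role through Spacelift's principal: the sts:ExternalId condition scoped to your (case-sensitive) account name is the confused-deputy guard. The following Python is an added example, not Spacelift's code or the AWS integration's own tooling: it builds the trust policy shown above for a given account name and audits an arbitrary trust policy document for the weaknesses a reviewer would look for before creating the role in step 3 (wildcard principal, a principal other than the Spacelift account ID from the page, a missing or mismatched ExternalId). The function and variable names are the example's own; the account ID 324880187172 and the "<account>@*" pattern come from the page.

```python
import json
from typing import Any

# Spacelift's AWS principal, as given in the trust policy on this page.
SPACELIFT_AWS_ACCOUNT_ID = "324880187172"


def build_trust_policy(spacelift_account_name: str) -> dict[str, Any]:
    """Return the trust policy from the setup steps for one Spacelift account.

    The account name is case-sensitive, so it is inserted exactly as given.
    """
    if not spacelift_account_name or "@" in spacelift_account_name or "*" in spacelift_account_name:
        raise ValueError("account name must be non-empty and must not contain '@' or '*'")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringLike": {"sts:ExternalId": f"{spacelift_account_name}@*"}
                },
                "Effect": "Allow",
                "Principal": {"AWS": SPACELIFT_AWS_ACCOUNT_ID},
            }
        ],
    }


def _as_list(value: Any) -> list:
    # IAM accepts either a scalar or a list in most policy positions.
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy: dict[str, Any], spacelift_account_name: str) -> list[str]:
    """Return findings for a trust policy; an empty list means it matches the expected shape.

    For every Allow statement granting sts:AssumeRole it checks that:
      - no AWS principal is the wildcard '*', and no foreign account is trusted;
      - the statement trusting the Spacelift account carries an sts:ExternalId
        condition equal to '<account>@*', with the account name case intact.
    """
    findings: list[str] = []
    expected_ext_id = f"{spacelift_account_name}@*"
    saw_spacelift_statement = False

    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue

        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {i}: AssumeRole allowed for any AWS principal ('*')")
            elif SPACELIFT_AWS_ACCOUNT_ID not in str(p):
                findings.append(f"statement {i}: unexpected principal {p!r}")

        # Only the statement that trusts Spacelift needs the ExternalId check.
        if not any(SPACELIFT_AWS_ACCOUNT_ID in str(p) for p in aws_principals):
            continue
        saw_spacelift_statement = True

        ext_ids: list[str] = []
        for _operator, key_values in stmt.get("Condition", {}).items():
            for key, value in key_values.items():
                if key.lower() == "sts:externalid":  # condition keys are case-insensitive
                    ext_ids.extend(_as_list(value))
        if not ext_ids:
            findings.append(f"statement {i}: missing sts:ExternalId condition (confused-deputy risk)")
        elif expected_ext_id not in ext_ids:
            findings.append(
                f"statement {i}: ExternalId {ext_ids!r} does not match {expected_ext_id!r} "
                "(the account name is case-sensitive)"
            )

    if not saw_spacelift_statement:
        findings.append("no Allow sts:AssumeRole statement for the Spacelift principal")
    return findings


if __name__ == "__main__":
    # Constructed sample: a correct policy, then a weakened copy with the condition removed.
    good = build_trust_policy("my-org")
    print(json.dumps(good, indent=2))
    print("good policy findings:", audit_trust_policy(good, "my-org"))
    weak = json.loads(json.dumps(good))
    del weak["Statement"][0]["Condition"]
    print("weak policy findings:", audit_trust_policy(weak, "my-org"))
```

Run the audit against the policy document you are about to paste into the IAM console; a non-empty list means the role should not be created as-is. The check also catches the case-sensitivity pitfall from the note above, since "My-Org@*" is reported as a mismatch for an account named "my-org".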

Additional Information

  • Roles Assuming Other Roles: IAM roles can assume other roles, which is useful for managing resources across multiple AWS accounts from a single Spacelift stack.

  • Migrating from Legacy Integrations: Instructions for migrating to the new account-level integrations are available, with support for both UI and Terraform Provider methods.

By following these steps, you can effectively integrate Spacelift with AWS, leveraging the benefits of secure, efficient, and compliant cloud management.