spinnaker: Spinnaker 1.22.3 unable to share AMI with another account

Issue Summary:

We’re trying to deploy images baked within our account running Spinnaker to another account we manage. Spinnaker fails to deploy AMIs, with the message unable to resolve AMI imageId from ami-REDACTED in us-west-2

Cloud Provider(s):

AWS

Environment:

Spinnaker on Kubernetes 1.22.3 with Spinnaker HA, deploying to AWS and k8s.

Feature Area:

clouddriver rosco

Description:

We’re unable to deploy images baked in the Spinnaker account to any other account we manage with the AWS provider. We’ve recently added the AWS provider to our k8s deployed Spinnaker cluster and have had this issue ever since.

Steps to Reproduce:

Bake an image within the account running Spinnaker and attempt to deploy this image to an account Spinnaker manages.

Additional Details:

I was able to add launch permission for the additional account to the image created by the bake step using the aws cli on a spinnaker-clouddriver-rw pod. If the ami is shared manually, Spinnaker is able to deploy to AWS as normal on the next runs of our pipeline. I ran through the spinnaker-aws-policy clouddriver policy generator armory provides and our IAM policy seems up to date.

There doesn’t appear to be any relevant failure messages in our logs.

image

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Reactions: 3
  • Comments: 16 (2 by maintainers)

Most upvoted comments

We’ve moved to sharing the ami in the bake stage and it’s working for us. This sort of broke a paradigm for testing different images baked for dev and not wanting some of them to be able to be deployed to later environments like staging and not having to rebake. However, I think this change in procedure mostly works for us.

+1
matthack on Jul 15, 2021
Read more comments on GitHub
← spinnaker: Spin-monitoring-daemon can't hit metrics endpoint on Gate
spinnaker: Spinnaker ./InstallSpinnaker.sh does not work on Ubuntu 16.04 LTS →