Harness Key Concepts

Harness Products and Editions

Get Started with Cloud Cost Management

Harness On-Premise Overview

New Docs Added Recently

Built-in App Tour Guide for Freemium Accounts

Tour Harness Manager

Supported Platforms and Technologies

Checklist Builder

View Account Info and Subscribe to Downtime Alerts

AWS AMI Quickstart

AWS CodeDeploy Quickstart

AWS ECS Quickstart

AWS Lambda Quickstart

Helm Quickstart

IIS (.NET) Quickstart

Kubernetes Quickstart

Tanzu Application Service (TAS) Quickstart

Traditional (SSH) Quickstart

Harness Delegate Overview

Delegate Requirements and Limitations

Delegate Installation Overview

Install the Harness Shell Script Delegate

Install the Harness Kubernetes Delegate

Install the Harness ECS Delegate

Install the Harness Helm Delegate

Install the Harness Docker Delegate

Approve or Reject Harness Delegates

Run Scripts on Delegates using Profiles

Use Secrets in a Delegate Profile

Delegate Task Category Mapping

Select Delegates with Selectors

Scope Delegates to Harness Components and Commands

Install the AWS CLI on a Delegate

Target Delegates to Specific Namespaces

Automate Harness Kubernetes Delegate Setup

Use Custom Helm Binaries on Harness Delegates

Add Self-Signed Certificates for Delegate Connections

Configure Delegate Proxy Settings

Secure Delegates with Tokens

Connectors Overview

Add Cloud Providers

Add Kubernetes Cluster Cloud Provider

Add Google Cloud Platform Cloud Provider

Add Amazon Web Services (AWS) Cloud Provider

Add Microsoft Azure Cloud Provider

Add Tanzu Application Service (TAS) Cloud Provider

Add Physical Data Center as Cloud Provider

Add SpotInst Cloud Provider

Add Artifact Servers

Add Docker Registry Artifact Servers

Add Helm Repository Artifact Servers

Add AWS S3 and Google Cloud Storage Artifact Servers

Add Azure DevOps Artifact Servers

Add Jenkins Artifact Servers

Add Bamboo Artifact Servers

Add Nexus Artifact Servers

Add Artifactory Servers

Add Samba Server Artifact Servers

Add SFTP Artifact Servers

Add Source Repo Providers

Add a GitHub Repo

Add a Bitbucket Repo

Add a GitLab Repo

Add a CodeCommit Repo

Add an Azure DevOps Repo

Add Collaboration Providers

Add SMTP Collaboration Provider

Add Jira Collaboration Provider

Add ServiceNow Collaboration Provider

Add Verification Providers

Manage User Notifications

Send Notifications Using Slack

Send Slack Messages from Workflows

Send Notifications to Microsoft Teams

Manage Alert Notifications

Migrate to Harness Community

Add Application Stacks

Create an HTTP Workflow Step Template

Create a Shell Script Workflow Step Template

Create a Service Command Template

Add Service Command Templates into Command Units

Link Templates to Services and Workflows

Manage Tags

Apply Filters Using Tags

Assign Metadata Using Tags

Use Expressions in Workflow and Pipeline Tags

Deployments Overview

Filtering Deployments

View the Delegates Used in a Deployment

Export Deployment Logs

Restrict Deployment Access to Specific Environments

Deploy a Workflow to Multiple Infrastructures Simultaneously

Resume Pipeline Deployments

Deployment Logging Limitations

CloudFormation How-tos

Set Up Your Harness Account for CloudFormation

Add CloudFormation Templates

Map CloudFormation Infrastructure

Provision using CloudFormation Create Stack

Using CloudFormation Outputs in Workflow Steps

Remove Provisioned Infra with CloudFormation Delete Stack

AMI/ASG Deployments How-tos

AMI Basic Deployment

Create an AMI/ASG Canary Deployment

AMI Blue/Green Deployment

AMI Spotinst Elastigroup Deployment

Configure Spotinst Traffic Shift Verification

ECS Deployments Overview

1 - Harness ECS Delegate

2 - ECS Connectors and Providers Setup

3 - ECS Services

4 - ECS Environments

5 - ECS Basic and Canary Workflows

6 - ECS Blue/Green Workflows

7 - ECS Setup in YAML

8 - ECS Troubleshooting

Deploy Multiple ECS Sidecar Containers

Run an ECS Task

Use Remote ECS Task and Service Definitions in Git Repos

AWS Lambda How-tos

AWS Lambda Deployment Overview

Connect to AWS for Lambda Deployments

Add Lambda Functions

Define Your Lambda Target Infrastructure

Create a Basic Lambda Deployment

View Lambda Deployments in the Serverless Functions Dashboard

Azure Virtual Machine Scale Set Deployments Overview

Connect to Azure for VMSS Deployments

Add Your Azure VM Image for Deployment

Define Your Azure VMSS Target Infrastructure

Create an Azure VMSS Basic Deployment

Create an Azure VMSS Canary Deployment

Create an Azure VMSS Blue/Green Deployment

Azure VMSS Versioning and Naming

Azure Web App Deployments Overview

Connect to Azure and Artifact Repo for Your Web App Deployments

Add Your Docker Image for Azure Web App Deployment

Define Your Azure Web App Infrastructure

Create an Azure Web App Blue/Green Deployment

Create an Azure Web App Canary Deployment

Azure Web App Deployment Rollback

Azure ACR to AKS Deployments Overview

1 - Harness Account Setup for Azure ACR to AKS

2 - Harness Service Setup for Azure ACR and AKS

3 - Define Your AKS Target Infrastructure

4 - Azure ACR to AKS Workflows and Deployments

5 - Azure ACR to AKS Troubleshooting

Azure Resource Management (ARM) How-tos

Set Up Your Harness Account for Azure ARM

Add Azure ARM Templates to Harness

Provision and Deploy to ARM Provisioned Infrastructure

Provision Resources using a Harness ARM Infrastructure Provisioner

Use Azure ARM Template Outputs in Workflow Steps

Azure ARM Rollbacks

Azure Blueprint How-tos

Set Up Your Harness Account for Azure Blueprint

Add Azure Blueprints to Harness

Provision using Azure Blueprint Definitions

Build and Deploy Pipeline How-tos

Connect to Your Artifact Build and Deploy Pipeline Platforms

Add Your Build and Deploy Pipeline Artifacts

Create the Build Workflow for Build and Deploy Pipelines

Define Your Build and Deploy Pipeline Target Infrastructure

Create the Deploy Workflow for Build and Deploy Pipelines

Create the Build and Deploy Pipeline

Run Google Cloud Builds

Helm Native Deployment Guide Overview

1 - Delegate, Providers, and Helm Setup

2 - Helm Services

3 - Helm Environments

4 - Helm Workflows and Deployments

5 - Helm Troubleshooting

Upgrade Native Helm 2 Deployments to Helm 3

Custom Fetching and Preprocessing of Helm Charts

IIS (.NET) Deployment Overview

1 - Delegate and Connectors for IIS

2 - Services for IIS

3 - IIS Environments in AWS and Azure

4 - IIS Workflows and Pipelines

5 - Best Practices and Troubleshooting

Kubernetes How-tos

Connect to Your Target Kubernetes Platform

Add Container Images for Kubernetes Deployments

Pull an Image from a Private Registry for Kubernetes

Define or Add Kubernetes Manifests

Use Go Templating in Kubernetes Manifests

Adding and Editing Inline Kubernetes Manifest Files

Upload Kubernetes Resource Files

Use a Helm Repository with Kubernetes

Link Resource Files or Helm Charts in Git Repos

Using Harness Config Variables in Manifests

Use Harness Config Files in Manifests

Override Values YAML Files

Override Harness Kubernetes Service Settings

Override Variables at the Infrastructure Definition Level

Add Packaged Kubernetes Manifests

Ignore a Manifest File During Deployment

Define Your Kubernetes Target Infrastructure

Provision Kubernetes Infrastructures

Create Kubernetes Namespaces based on InfraMapping

Create Kubernetes Namespaces with Workflow Variables

Create a Kubernetes Canary Deployment

Create a Kubernetes Rolling Deployment

Create a Kubernetes Blue/Green Deployment

Deploy Manifests Separately using Apply Step

Deploy Helm Charts

Deploy Kubernetes Custom Resources using CRDs

Set Up Kubernetes Traffic Splitting with Istio

Traffic Splitting Without Istio

Set up Kubernetes Ingress Rules

Scale Kubernetes Pods

Run Kubernetes Jobs

Use Kustomize for Kubernetes Deployments

Delete Kubernetes Resources

Prune Kubernetes Resources

Kubernetes Workflow Variables and Expressions

Using OpenShift with Harness Kubernetes

Upgrade to Helm 3 Charts in Kubernetes Services

Use Helm Chart Hooks in Kubernetes Deployments

Tanzu Application Service Deployments

Connect to Your Target Tanzu Account

Add Container Images for Tanzu Deployments

Adding and Editing Inline Tanzu Manifest Files

Upload Local and Remote Tanzu Resource Files

Using Harness Config Variables in Tanzu Manifests

Define Your Tanzu Target Infrastructure

Override Tanzu Manifests and Config Variables and Files

Create a Basic Tanzu Deployment

Create a Canary Tanzu Deployment

Create a Blue/Green Tanzu Deployment

Run CF CLI Commands and Scripts in a Workflow

Tanzu Built-in Variables

Use CLI Plugins in Harness Tanzu Deployments

Use the App Autoscaler Service

Preprocess Tanzu Artifacts to Match Supported Types

Terraform How-tos

Set Up Your Harness Account for Terraform

Add Terraform Scripts

Map Dynamically Provisioned Infrastructure using Terraform

Provision using the Terraform Provision Step

Using the Terraform Apply Command

Perform a Terraform Dry Run

Remove Provisioned Infra with Terraform Destroy

Use Terraform Outputs in Workflow Steps

Terragrunt How-tos

Set Up Your Harness Account for Terragrunt

Add Terragrunt Configuration Files

Map Dynamically Provisioned Infrastructure using Terragrunt

Provision using the Terragrunt Provision Step

Perform a Terragrunt Dry Run

Remove Provisioned Infra with Terragrunt Destroy

Use Terragrunt Outputs in Workflow Steps

Traditional (SSH) Deployments How-tos

Connect to Your Repos and Target SSH Platforms

Add Artifacts and App Stacks for Traditional (SSH) Deployments

Add Scripts for Traditional (SSH) Deployments

Define Your Traditional (SSH) Target Infrastructure

Create a Basic Workflow for Traditional (SSH) Deployments

Create a Custom Deployment using Deployment Templates

Create an Application

Create Default Application Directories and Variables

Add Specs and Artifacts using a Harness Service

Use Script Based Services

Add Service Config Variables

Add Service Config Files

Using Custom Artifact Sources

Service Types and Artifact Sources

Add a Docker Image

Add an Azure DevOps Artifact Source

Add an Environment

Add an Infrastructure Definition

Migrating from Service Infrastructures to Infrastructure Definitions

Service Infrastructures (Note: Replaced Functionality)

Override a Service Configuration in an Environment

Create Environment-level Variables and Files for All Services

Workflows

Add a Workflow

Deploy Individual Workflows

Verify Workflow

Add a Workflow Notification Strategy

Define Workflow Failure Strategy

Set Workflow Variables

Use Steps for Different Workflow Tasks

Add Phases to a Workflow

Synchronize Workflow Deployments using Barriers

Templatize a Workflow

Clone a Workflow

Configure Workflows Using YAML

Using the HTTP Command

Run Shell Scripts in Workflows

Run Jenkins Jobs in Workflows

Jira Integration

ServiceNow Integration

Control Resource Usage

Workflow Queuing

Target Specific Hosts During Deployment

Skip Workflow Steps

Rollback Production Deployments

Select Nodes in a Rolling Deployment Workflow

Workflow Steps UI Changes

Integrate Tests into Harness Workflows

Deploy Multiple Services Simultaneously using Barriers

Send an Email from Your Workflow

Create a Pipeline

Create Pipeline Templates

Pipeline Skip Conditions

Shell Script Provisioner

Infrastructure Provisioners Overview

Provision Infrastructure Without Deploying to It

Trigger Workflows and Pipelines

Trigger Deployments When a New Artifact is Added to a Repo

Trigger Deployments when Pipelines Complete

Schedule Deployments using Triggers

Trigger Deployments using Git Events

Trigger a Deployment using cURL

Get Deployment Status using REST

Trigger a Deployment when a File Changes

Trigger a Deployment using a URL

Pause All Triggers using Deployment Freeze

Harness UI Approvals

Jira Approvals

Custom Shell Script Approvals

ServiceNow Approvals

Using Variables in Workflow Approvals

Slack Approvals in Workflows and Pipelines

Passing Variables into Workflows and Pipelines from Triggers

Pass Variables between Workflows

Harness GitOps Overview

Onboard Teams Using GitOps

CCM Trial New User Signup (formerly CE)

CCM Trial Existing User Signup (formerly CE)

Set Up Cost Visibility for Kubernetes

Set Up Cost Visibility for Kubernetes Using an Existing Delegate

Set Up Cost Visibility for AWS

Set Up Cost Visibility for GCP

Set Up Cost Visibility for Azure

Analyze Cost for Kubernetes

Analyze Cost for AWS

Analyze Cost for GCP

Analyze Cost for Azure

Perform Root Cost Analysis

Create Cost Perspectives

Share Your Cost Perspective Report

Create Your Perspectives Budget

Create a Budget

Optimize Kubernetes Costs with Resource Recommendations

Detect Cloud Cost Anomalies with CCM (formerly CE)

Set Up Notifications for Cost Anomalies

Enable Cost Reports Using Email

Set Up Slack Notifications for CCM (formerly CE)

Use Cost Explorer APIs

Use Workload Recommendation APIs

Set Up 24/7 Service Guard

Apply Custom Thresholds to 24/7 Service Guard

Add AppDynamics as a Verification Provider

Monitor Applications 24/7 with AppDynamics

Verify Deployments with AppDynamics

Templatize AppDynamics Verification

Set AppDynamics Environment Variables

Connect to Bugsnag

Monitor Applications 24/7 with Bugsnag

Verify Deployments with Bugsnag

Connect to CloudWatch

Monitor Applications 24/7 with CloudWatch

Verify Deployments with CloudWatch

Connect to Datadog

Monitor Applications 24/7 with Datadog Logging

Monitor Applications 24/7 with Datadog Metrics

Verify Deployments with Datadog Logging

Verify Deployments with Datadog Metrics

Connect to Dynatrace

Monitor Applications 24/7 with Dynatrace

Verify Deployments with Dynatrace

Connect to Elasticsearch (ELK)

Monitor Applications 24/7 with Elasticsearch

Verify Deployments with Elasticsearch

Troubleshoot Verification with Elasticsearch

Connect to Logz.io

Verify Deployments with Logz.io

Connect to New Relic

Monitor Applications 24/7 with New Relic

New Relic Deployment Marker

Verify Deployments with New Relic

Troubleshooting New Relic

Connect to Prometheus

Monitor Applications 24/7 with Prometheus

Verify Deployments with Prometheus

Connect to Splunk

Monitor Applications 24/7 with Splunk

Verify Deployments with Splunk

Connect to Stackdriver

Monitor Applications 24/7 with Stackdriver Logging

Monitor Applications 24/7 with Stackdriver Metrics

Verify Deployments with Stackdriver Logging

Verify Deployments with Stackdriver Metrics

Connect to Sumo Logic

Monitor Applications 24/7 with Sumo Logic

Verify Deployments with Sumo Logic

1 – Instana Connection Setup

2 – 24/7 Service Guard for Instana

3 – Verify Deployments with Instana

Custom Verification Overview

Connect to Custom Verification for Custom Logs

Connect to Custom Verification for Custom Metrics

Monitor Applications 24/7 with Custom Logs

Monitor Applications 24/7 with Custom Metrics

Verify Deployments with Custom Logs

Verify Deployments with Custom Metrics

Connect to Datadog as a Custom APM

Verify Deployments with Datadog as a Custom APM

Connect to AppDynamics as a Custom APM

Verify Deployments with AppDynamics as a Custom APM

File Jira Tickets on Verification Events

Apply Custom Thresholds to Deployment Verification

Refine 24/7 Service Guard Verification Analysis

Refine Deployment Verification Analysis

Configuration as Code Overview

Harness Account-Level Git Sync

Harness Application-Level Git Sync

Edit Harness Components as YAML

Delink Git Sync

View Harness Git Sync Activity

Managing Users and Groups (RBAC)

Set Up RBAC for Application Release Process

Authentication Settings

SSO Provider Overview

Single Sign-On (SSO) with OAuth 2.0

Single Sign-On (SSO) with LDAP

Single Sign-On (SSO) with SAML

Provisioning Users with Okta (SCIM)

Two-Factor Authentication

IP Whitelist Management

API Keys

Provision Users and Groups with OneLogin (SCIM)

Provision Azure AD Users and Groups (SCIM)

Add a Secrets Manager

View Secrets Usage

Add a CyberArk Secrets Manager

Add an AWS KMS Secrets Manager

Add an AWS Secrets Manager

Add an Azure Key Vault Secrets Manager

Add Google KMS as a Harness Secrets Manager

Add a Google Cloud Secrets Manager

Add a HashiCorp Vault Secrets Manager

Use Encrypted Text Secrets

Use Encrypted File Secrets

Add SSH Keys

Use SSH Key via Kerberos for Server Authentication

Add HashiCorp Vault Signed SSH Certificate Keys

Add WinRM Connection Credentials

Create WinRM Connection Using Kerberos

Scope Secret Managers to Applications and Environments

Restrict Secrets Usage

Reference Existing Secret Manager Secrets

Migrate Secrets between Secrets Managers

Add and Use a Custom Secrets Manager

Select Secrets in Scripts at Runtime

Audit Trail

Deployment Freeze

Pipeline Governance

Monitor Deployments in Dashboards

Custom Dashboards Overview

Primary Widgets

Custom Widgets

Filters, Groups, and Tags in Primary and Custom Widgets

Completed Custom Dashboards

Create and Manage Custom Dashboards

Add and Configure Primary Widgets

Add and Configure Custom Widgets

Share a Custom Dashboard

Kubernetes Cluster On-Prem: Infrastructure Requirements

Kubernetes Cluster On-Prem: Kubernetes Cluster Setup

Kubernetes Cluster On-Prem: Add Ingress Controller Service Annotations

Harness On-Prem Support Policy for Kubernetes

Virtual Machine On-Prem: Infrastructure Requirements

Virtual Machine On-Prem: Installation Guide

Virtual Machine On-Prem: Backup and Recovery

On-Prem Component Metrics for Scaling and Management

Harness Disconnected On-Prem Setup

OpenShift Connected On-Prem Setup

Migrate Legacy Connected On-Prem to New KOTS-based Harness On-Prem

Introduction to Harness GraphQL API

Harness API Explorer

API Schema and Structure

Building Applications Using Postman

Trigger Workflows or Pipelines Using GraphQL API

Filter Harness Entities using Harness Tags in the API

Fetch Artifact Source Details Using GraphQL APIs

Use Cloud Providers API

Use Harness Applications API

Use Services API

Use Workflows API

Use Infrastructure Definition API

Use Pipelines API

Resume Pipeline Executions using API

Use Trigger APIs

Fetch Artifact Type Details Using GraphQL APIs

Fetch Deployment Artifact Information using GraphQL APIs

Sync and Clean Up Artifact Stream using the Harness API

Use Users and Groups API

Use Audit Trails API

Use API to Retrieve IDs by Name

Encrypted Text API

Encrypted Files API

SSH Credentials API

WinRM Credentials API

Add Git Connectors Using API

Add a Docker Artifact Source Using API

Add a Nexus Artifact Source Using API

Add a Helm Artifact Source Using the API

Fetch Users By Email Address

Use HashiCorp Vault Secrets Manager API

Deprecated API Features

Leverage Harness GraphQL APIs in Automation Scripts

Harness StartExecution API Deep Dive

Use Tags API

Deploy Helm Charts Using the API

Harness YAML Code Reference

What is a Harness Variable Expression?

Built-in Variables List

Availability and Scope of Harness Variables

Variable Override Priority

JSON and XML Functors

Extracting Characters from Harness Variable Expressions

Serverless Functions Dashboard

Harness Search

Permissions and Ports for Harness Connections

Common Delegate Profile Scripts

Install Workflow Step

Workflow, Phase, and Step Name Restrictions

Select Nodes Workflow Step

Artifact Collection Tech Ref

Artifactory Artifact Sources

Nexus Artifact Sources

Harness Services Technical Reference

Kubernetes Versioning and Annotations

ECS Auto Scaling

What Can I Deploy in Kubernetes?

ECS Rollbacks

Kubernetes Rollback

Verification Event Classifications

Secrets and Log Sanitization

Troubleshooting

Diagnose Git Sync Errors

Deployment Concepts and Strategies

CI/CD with the Build Workflow

Artifact Build and Deploy Pipelines Overview

AWS AMI Deployments Overview

AMI Spotinst Elastigroup Deployments Overview

AWS ECS Deployments Overview

AWS Lambda Deployments Overview

Azure ARM and Blueprint Provisioning with Harness

Azure Kubernetes Service (AKS) Deployments Overview

Native Helm Deployments Overview

IIS (.NET) Deployments Overview

Kubernetes Deployments Overview

Tanzu Application Service Deployment Overview

Terraform Provisioning with Harness

Terragrunt Provisioning with Harness

CloudFormation Provisioning with Harness

Shell Script Provisioning with Harness

Account and Application Templates

Harness HashiCorp Integrations

Traditional Deployments (SSH) Overview

Triggers and RBAC

Cloud Cost Management Overview

Cost Explorer Walkthrough

What Is Continuous Verification (CV)?

Why Perform Continuous Verification?

When Does Harness Verify Deployments?

How Does Harness Perform Continuous Verification?

Who Are Harness' Verification Providers?

Verification Results Overview

Harness Verification Feedback Overview

24/7 Service Guard Overview

CV Strategies, Tuning, and Best Practices

Continuous Verification Metric Types

AppDynamics Verification Overview

Bugsnag Verification Overview

CloudWatch Verification Overview

Datadog Verification Overview

Dynatrace Verification Overview

Elasticsearch Verification Overview

Instana Verification Overview

Google Operations (formerly Stackdriver) Overview

New Relic Verification Overview

Prometheus Verification Overview

Splunk Verification Overview

Sumo Logic Verification Overview

Drone and Harness

What is Secrets Management?

Continuous Deployment FAQs

Cloud Cost Management FAQs

Continuous Verification FAQs

Harness Security FAQs

Harness GraphQL API FAQs

Harness Delegate FAQs

Harness On-Prem Release Notes

Harness SaaS Release Notes

2019-2020 On-Prem Release Notes

Harness SaaS Release Notes Archive (2020)

Harness YouTube Channel

Customer Case Studies

Overview of Harness

Canary Deployment Video

Create an Application and Service Video

Create an Environment Video

Create a Workflow Video

Create a Pipeline Video

Create a Trigger Video

Overview of Continuous Efficiency

Cost Explorer Overview

All Categories > How-to Guides > Account Setup > 2 - Manage Harness Connectors > Add Cloud Providers > Add Amazon Web Services (AWS) Cloud Provider

Add Amazon Web Services (AWS) Cloud Provider

Updated 1 month ago by Chakravarthy Tenneti

AWS is used as a Harness Cloud Provider for obtaining artifacts, deploying services, and for verifying deployments using CloudWatch Verification Overview.

This topic explains how to set up the AWS Cloud Provider, and the IAM roles and policies needed by the AWS account used in the Cloud Provider.

Recommended: Install and run a Harness Delegate (ECS Delegate in an ECS cluster, Shell Script Delegate on an EC2 instance, etc) in the same VPC as the AWS resources you will use, and then use the Delegate for the AWS Cloud Provider credentials. This is the easiest method to connect to AWS. For more information, see Delegate Installation and Management.

In this topic:

Before You Begin
Review: Use Kubernetes Cluster Cloud Provider for EKS
Review: Switching IAM Policies
Step 1: Add the Cloud Provider
Step 2: Display Name
Step 3: Credentials
Review: AWS Security Token Service (STS)
Review: AWS GovCloud and Override Default Region
Review: AWS IAM Roles and Policies
All AWS Cloud Providers: DescribeRegions Required
Policies Required: Elastic Container Registry (ECR)
Policies Required: Amazon S3
Policies Required: ECS (Existing Cluster)
Policies Required: AWS AMI/ASG Deployments
Policies Required: AWS CodeDeploy
Policies Required: AWS EC2
Policies Required: Amazon Lambda

Before You Begin

See Harness Key Concepts.

Review: Use Kubernetes Cluster Cloud Provider for EKS

If you want to connect Harness to Elastic Kubernetes Service (Amazon EKS), use the platform-agnostic Kubernetes Cluster Cloud Provider.

Review: Switching IAM Policies

If the IAM role used by your AWS Cloud Provider does not have the policies required by the AWS service you want to access, you can modify or switch the role.

This entails changing the role assigned to the AWS account or Harness Delegate your AWS Cloud Provider is using.

When you switch or modify the IAM role used by the Cloud Provider, it might take up to 5 minutes to take effect.

Step 1: Add the Cloud Provider

To add a cloud provider to your Harness account, do the following:

Click Setup, and then click Cloud Providers.
Click Add Cloud Provider and select Amazon Web Services.

The Add Amazon Web Services Cloud Provider panel appears.

Step 2: Display Name

Choose a name for this provider. This is to differentiate AWS providers in Harness. It is not the actual AWS account name.

Step 3: Credentials

Ensure that the AWS IAM roles applied to the credentials you use (the Harness Delegate or the access key) includes the policies needed by Harness to deploy to the target AWS service. See Review: AWS Permissions below.

Assume the IAM Role on Delegate

This is the recommended method.

If you selected Assume the IAM Role on Delegate, in Delegate Selector, enter the Selector of the Delegate that this Cloud Provider will use for all connections. For information about Selectors, see Select Delegates for Specific Tasks with Selectors.

Presently, Harness does not support Assume the IAM Role of the Delegate with the Download Artifact command in a Harness Service. If you are using Download Artifact, use the Access and Secret Key settings in the AWS Cloud Provider.

Enter AWS Access Keys manually

If you selected Enter AWS Access Keys manually, enter your Access Key and your Secret Key.

For secrets and other sensitive settings, select or create a new Harness Encrypted Text secret.

For more information, see Access Keys (Access Key ID and Secret Access Key) from AWS.

The AWS IAM Policy Simulator is a useful tool for evaluating policies and access.

Use IRSA (IAM roles for service accounts)

Select Use IRSA if you want to have the Harness Kubernetes Delegate in AWS EKS use a specific IAM role when making authenticated requests to resources.

By default, the Harness Kubernetes Delegate uses a ClusterRoleBinding to the default service account. Instead, you can use AWS IAM roles for service accounts (IRSA) to associate a specific IAM role with the service account used by the Harness Kubernetes Delegate.

See IAM roles for service accounts from AWS.

Setting up this feature requires a few more steps than other methods, but it is a simple process.

The following steps are for a new Delegate installation and new AWS Cloud Provider. If you updating an existing Delegate and AWS Cloud Provider, you can simply edit the Delegate YAML for your existing Delegate as described below, and select the Use IRSA option in your AWS Cloud Provider.

Create the IAM role with the policies you want the Delegate to use. The policies you select with depend on what AWS resources you are deploying via the Delegate. See the different Policies Required sections in this document.
In the cluster where the Delegate will be installed, create a service account and attach the IAM role to it.

Here is an example of how to create a new service account in the cluster where you will install the Delegate and attach the IAM policy to it:

eksctl create iamserviceaccount \
    --name=cdp-admin \
    --namespace=default \
    --cluster=test-eks \
    --attach-policy-arn=<policy-arn> \
    --approve \
    --override-existing-serviceaccounts —region=us-east-1

In Harness, download the Harness Kubernetes Delegate YAML file. See Install the Harness Kubernetes Delegate.
Open the Delegate YAML file in text editor.
Add service account with access to IAM role to Delegate YAML.

There are two sections in the Delegate YAML that you must update.

First, update the ClusterRoleBinding by adding replacing the subject name default with the name of the service account with the attached IAM role.

Old ClusterRoleBinding:

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: harness-delegate-cluster-admin
subjects:
  - kind: ServiceAccount
    name: default
    namespace: harness-delegate
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---

New ClusterRoleBinding (for example, using the name iamserviceaccount):

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: harness-delegate-cluster-admin
subjects:
  - kind: ServiceAccount
    name: iamserviceaccount
    namespace: default
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---

Next, update StatefulSet spec with the new serviceAccountName.

Old StatefulSet spec serviceAccountName:

...
    spec:
      containers:
      - image: harness/delegate:latest
        imagePullPolicy: Always
        name: harness-delegate-instance
        ports:
          - containerPort: 8080
...

New StatefulSet spec serviceAccountName (for example, using the name iamserviceaccount):

...
    spec:
      serviceAccountName: iamserviceaccount
      containers:
      - image: harness/delegate:latest
        imagePullPolicy: Always
        name: harness-delegate-instance
        ports:
          - containerPort: 8080
...

Save the Delegate YAML file.
Install the Delegate in your EKS cluster and register the Delegate with Harness. See Install the Harness Kubernetes Delegate.

When you install the Delegate in the cluster, the serviceAccount you added is used and the environment variables AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are added automatically by EKS.

Create a new AWS Cloud Provider.
In Credentials, select Use IRSA.
In Delegate Selector, select the Delegate you used.
Click Test to verify the Delegate credentials.

Review: AWS Security Token Service (STS)

Assume STS Role is supported for EC2 and ECS. It is supported for EKS if you use the IRSA option, described above.

If you want to use one AWS account for the connection, but you want to deploy in a different AWS account, use the Assume STS Role option. This option uses the AWS Security Token Service (STS) feature.

In this scenario, the AWS account used for AWS access in Credentials will assume the IAM role you specify in Role ARN setting.

The Harness Delegate(s) always runs in the account you specify in Credentials via Access/Secret Key or Assume IAM Role on Delegate.

To assume the role in Role ARN, the AWS account in Credentials must be trusted by the role. The trust relationship is defined in the Role ARN role's trust policy when the role is created. That trust policy states which accounts are allowed to give that access to users in the account.

You can use Assume STS Role to establish trust between roles in the same account, but cross-account trust is more common.

The assumed role in Role ARN must have all the IAM policies required to perform your Harness deployment, such as Amazon S3, ECS (Existing Cluster), and AWS EC2 policies. For more information, see Assuming an IAM Role in the AWS CLI from AWS.

To use AWS Security Token Service (STS) for cross-account access, do the following:

Select the Assume STS Role option.
In Role ARN, enter the Amazon Resource Name (ARN) of the role that you want to assume. This is an IAM role in the target deployment AWS account.
(Optional) In External ID, if the administrator of the account to which the role belongs provided you with an external ID, then enter that value. For more information, see How to Use an External ID When Granting Access to Your AWS Resources to a Third Party from AWS.

The AWS IAM Policy Simulator is a useful tool for evaluating policies and access.

Review: AWS GovCloud and Override Default Region

Currently, this feature is behind a Feature Flag. Contact Harness Support to enable the feature. Feature Flags can only be removed for Harness Professional and Essentials editions. Once the feature is released to a general audience, it is available for Trial and Community Editions.

By default, Harness uses the us-east-1 region to test the credentials for the Cloud Provider.

If you want to use an AWS GovCloud account for this Cloud Provider, use the Override Default Region option.

In Region, select the GovCloud region you want to use.

GovCloud is used by organizations such as government agencies at the federal, state, and local level, as well as contractors, educational institutions. It is also used for regulatory compliance with these organizations.

Restrictions

You can access AWS GovCloud with AWS GovCloud credentials (AWS GovCloud account access key and AWS GovCloud IAM user credentials).

You cannot access AWS GovCloud with standard AWS credentials. Likewise, you cannot access standard AWS regions using AWS GovCloud credentials.

Review: AWS IAM Roles and Policies

The AWS role policy requirements depend on what AWS services you are using for your artifacts and target infrastructure (ECR, S3, EC2, ECS, etc).

In this topic, we have called out the deployment scenario, such as Lambda and AMI deployments.

Here are the user and access type requirements that you need to consider.

User: Harness requires the IAM user be able to make API requests to AWS. For more information, see Creating an IAM User in Your AWS Account from AWS.

User Access Type: Programmatic access. This enables an access key ID and secret access key for the AWS API, CLI, SDK, and other development tools.

As described below, DescribeRegions is required for all AWS Cloud Provider connections.

All AWS Cloud Providers: DescribeRegions Required

The DescribeRegions action is required for all AWS Cloud Providers regardless of what AWS service you are using for your target infrastructure.

Harness needs a policy with the DescribeRegions action so that it can list the available regions for you when you define your target architecture.

Create a Customer Managed Policy, add the DescribeRegions action to list those regions, and add that to any role used by the Cloud Provider.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:DescribeRegions",
            "Resource": "*"
        }
    ]
}

Policies Required: Elastic Container Registry (ECR)

Policy Name:AmazonEC2ContainerRegistryReadOnly.

Policy ARN: arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly.

Description: Provides read-only access to Amazon EC2 Container Registry repositories.

Policy JSON:

{
  "Version": "2012-10-17",
  "Statement": [
      {
              "Effect": "Allow",
              "Action": [
                  "ecr:GetAuthorizationToken",
                  "ecr:BatchCheckLayerAvailability",
                  "ecr:GetDownloadUrlForLayer",
                  "ecr:GetRepositoryPolicy",
                  "ecr:DescribeRepositories",
                  "ecr:ListImages",
                  "ecr:DescribeImages",
                  "ecr:BatchGetImage"
              ],
              "Resource": "*"
      }
  ]
}

Policies Required: Amazon S3

There are two policies required:

The Managed Policy AmazonS3ReadOnlyAccess.
The Customer Managed Policy you create using ec2:DescribeRegions.

The AWS IAM Policy Simulator is a useful tool for evaluating policies and access.

Policy Name: AmazonS3ReadOnlyAccess.

Policy ARN: arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess.

Description: Provides read-only access to all buckets via the AWS Management Console.

Policy JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}

Policy Name: HarnessS3.

Description: Harness S3 policy that uses EC2 permissions. This is a customer-managed policy you must create. In this example we have named it HarnessS3.

Policy JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:DescribeRegions",
            "Resource": "*"
        }
    ]
}

If you want to use an S3 bucket that is in a separate account than the account used to set up the AWS Cloud Provider, you can grant cross-account bucket access. For more information, see Bucket Owner Granting Cross-Account Bucket Permissions from AWS.

Policies Required: ECS (Existing Cluster)

Recommended: Install and run the Harness ECS Delegate in the ECS cluster, and then use the AWS Cloud Provider to connect to that cluster using the Harness ECS Delegate you installed. This is the easiest method to connect to a ECS cluster. For more information, see Installation Example: Amazon Web Services and ECS.

Ensure that you add the IAM roles and policies to your ECS cluster when you create it. You cannot add the IAM roles and policies to an existing ECS cluster. You can add policies to whatever role is already assigned to an existing ECS cluster.

In addition to the default ECS role, ecsInstanceRole, these policies are required:

The Managed Policy AmazonEC2ContainerServiceforEC2Role from AWS.
The Managed Policy AmazonEC2ContainerServiceRole from AWS.
The Customer Managed Policy you create using Application Auto Scaling.

Attach these policies to the ecsInstanceRole role, and apply that to your ECS cluster when you create it. For information on ecsInstanceRole, see Amazon ECS Instance Role from AWS.

The AWS IAM Policy Simulator is a useful tool for evaluating policies and access.

ELB, ALB, and ECS

Policy Name: AmazonEC2ContainerServiceforEC2Role.

Policy ARN: arn:aws:iam::aws:policy/AmazonEC2ContainerServiceforEC2Role.

Description: Makes calls to the Amazon ECS API. For more information, see Amazon ECS Container Instance IAM Role from AWS.

Policy JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:CreateCluster",
                "ecs:DeregisterContainerInstance",
                "ecs:DiscoverPollEndpoint",
                "ecs:Poll",
                "ecs:RegisterContainerInstance",
                "ecs:StartTelemetrySession",
                "ecs:UpdateContainerInstancesState",
                "ecs:Submit*",
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

Policy Name: AmazonEC2ContainerServiceRole.

Policy ARN: arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole.

Description: Default policy for Amazon ECS service role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:Describe*",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                "elasticloadbalancing:DeregisterTargets",
                "elasticloadbalancing:Describe*",
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "elasticloadbalancing:RegisterTargets"
            ],
            "Resource": "*"
        }
    ]
}

Policy Name: HarnessECS.

Description: Harness ECS policy. This is a customer-managed policy you must create. In this example we have named it HarnessECS.

Policy JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:DescribeRepositories",
                "ecs:ListClusters",
                "ecs:ListServices",
                "ecs:DescribeServices",
                "ecr:ListImages",
                "ecs:RegisterTaskDefinition",
                "ecs:CreateService",
                "ecs:ListTasks",
                "ecs:DescribeTasks",
                "ecs:DeleteService",
                "ecs:UpdateService",
                "ecs:DescribeContainerInstances",
                "ecs:DescribeTaskDefinition",
                "application-autoscaling:DescribeScalableTargets",
                "iam:ListRoles",
                "iam:PassRole"
            ],
            "Resource": "*"
        }
    ]
}

Notes

There is a limit on how many policies you can attach to a IAM role. If you exceed the limit, copy the permissions JSON under Action, create a single custom policy, and add them to the policy.
Due to an AWS limitation, Harness is unable to limit the three actions for ECS to Create, Update, and DeleteService for just a specific cluster/resource. This limitation is why we require Resource *.
ECS with Public Docker Registry: All ECS permissions are required.
ECS with Private Docker Registry: All ECS permissions are required. Also, the Docker agent on the container host should be configured to authenticate with the private registry. Please refer to AWS documentation here.
ECS with ECR: For ECS and ECR, all permissions are required.
ECS with GCR: This is currently not supported.

Auto Scaling with ECS

For Auto Scaling, the AWS Managed policy AWSApplicationAutoscalingECSServicePolicy should be attached to the default ecsInstanceRole role, and applied to your ECS cluster when you create it.

For information on AWSApplicationAutoscalingECSServicePolicy, see Amazon ECS Service Auto Scaling IAM Role from AWS. For information on ecsInstanceRole, see Amazon ECS Instance Role from AWS.

Policy Name: AWSApplicationAutoscalingECSServicePolicy.

Policy ARN: arn:aws:iam::aws:policy/AWSApplicationAutoscalingECSServicePolicy.

Description: Describes your CloudWatch alarms and registered services, as well as permissions to update your Amazon ECS service's desired count on your behalf.

Policy JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeServices",
                "ecs:UpdateService",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DeleteAlarms"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Policies Required: AWS AMI/ASG Deployments

For details on these deployments, see AWS AMI Quickstart and AMI How-tos.

Provisioned and Static Hosts

Policy Name: AmazonEC2FullAccess.

Policy ARN: arn:aws:iam::aws:policy/AmazonEC2FullAccess.

Description: Provides full access to Amazon EC2 via the AWS Management Console.

Policy JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "cloudwatch:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:*",
      "Resource": "*"
    }
  ]
}

Tagging

AMI Blue/Green deployments require AWS tags. Please create the following custom policy and apply it to the IAM role used by the AWS Cloud Provider (access key or IAM role applied to the Harness Delegate).

This is a customer managed policy. Here we call it HarnessAmiTagging.

Policy Name: HarnessAmiTagging.

Description: Enables AWS tagging for Harness AMI Blue/Green deployments.

Policy JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateOrUpdateTags",
        "autoscaling:DeleteTags",
        "autoscaling:DescribeTags"
      ],
      "Resource": "*"
    }
  ]
}

Policies Required: AWS CodeDeploy

The AWS IAM Policy Simulator is a useful tool for evaluating policies and access.

There are two policies required: AWSCodeDeployRole and AWSCodeDeployDeployerAccess.

Policy Name: AWSCodeDeployRole.

Policy ARN: arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole.

Description: Provides CodeDeploy service access to expand tags and interact with Auto Scaling on your behalf.

Policy JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CompleteLifecycleAction",
        "autoscaling:DeleteLifecycleHook",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:PutLifecycleHook",
        "autoscaling:RecordLifecycleActionHeartbeat",
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:EnableMetricsCollection",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribePolicies",
        "autoscaling:DescribeScheduledActions",
        "autoscaling:DescribeNotificationConfigurations",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "autoscaling:AttachLoadBalancers",
        "autoscaling:PutScalingPolicy",
        "autoscaling:PutScheduledUpdateGroupAction",
        "autoscaling:PutNotificationConfiguration",
        "autoscaling:PutLifecycleHook",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DeleteAutoScalingGroup",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:TerminateInstances",
        "tag:GetTags",
        "tag:GetResources",
        "sns:Publish",
        "cloudwatch:DescribeAlarms",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:RegisterTargets",
        "elasticloadbalancing:DeregisterTargets"
      ],
      "Resource": "*"
    }
  ]
}

Policy Name: AWSCodeDeployDeployerAccess.

Policy ARN: arn:aws:iam::aws:policy/AWSCodeDeployDeployerAccess.

Description: Provides access to register and deploy a revision.

Policy JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "codedeploy:Batch*",
        "codedeploy:CreateDeployment",
        "codedeploy:Get*",
        "codedeploy:List*",
        "codedeploy:RegisterApplicationRevision"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Policies Required: AWS EC2

The AWS IAM Policy Simulator is a useful tool for evaluating policies and access.

Provisioned and Static Hosts

Policy Name: AmazonEC2FullAccess.

Policy ARN: arn:aws:iam::aws:policy/AmazonEC2FullAccess.

Description: Provides full access to Amazon EC2 via the AWS Management Console.

Policy JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "cloudwatch:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:*",
      "Resource": "*"
    }
  ]
}

Trusted entities

Newly created roles under Amazon EC2 have trusted entities listed as ec2.amazonaws.com. For ECS, this needs to be updated with ecs.amazonaws.com. See the AWS documentation at Amazon ECS Service Scheduler IAM Role.

Policies Required: Amazon Lambda

The IAM role attached to your Delegate host (either an EC2 instance or ECS Task) must have the AWSLambdaRole policy attached. The policy contains the lambda:InvokeFunction needed for Lambda deployments.

For details on connecting Lambda with S3 across AWS accounts, see How do I allow my Lambda execution role to access my Amazon S3 bucket? from AWS.

Policy Name: AWSLambdaRole.

Policy ARN: arn:aws:iam::aws:policy/service-role/AWSLambdaRole.

Description: Default policy for AWS Lambda service role.

Policy JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

For more information, see Identity-based IAM Policies for AWS Lambda from AWS.

Ensure that the IAM role assigned to the Delegate has the IAMReadOnlyAccess (arn:aws:iam::aws:policy/IAMReadOnlyAccess) policy attached. This enables Harness to ensure that AWSLambdaRole policy is attached.

Add Amazon Web Services (AWS) Cloud Provider

Before You Begin

Review: Use Kubernetes Cluster Cloud Provider for EKS

Review: Switching IAM Policies

Step 1: Add the Cloud Provider

Step 2: Display Name

Step 3: Credentials

Assume the IAM Role on Delegate

Enter AWS Access Keys manually

Use IRSA (IAM roles for service accounts)

Review: AWS Security Token Service (STS)

Review: AWS GovCloud and Override Default Region

Restrictions

Review: AWS IAM Roles and Policies

All AWS Cloud Providers: DescribeRegions Required

Policies Required: Elastic Container Registry (ECR)

Policies Required: Amazon S3

Policies Required: ECS (Existing Cluster)

ELB, ALB, and ECS

Notes

Auto Scaling with ECS

Policies Required: AWS AMI/ASG Deployments

Provisioned and Static Hosts

Tagging

Policies Required: AWS CodeDeploy

Policies Required: AWS EC2

Provisioned and Static Hosts

Trusted entities

Policies Required: Amazon Lambda

How did we do?

Related Articles 2 - ECS Connectors and Providers Setup Add Physical Data Center as Cloud Provider Add Cloud Providers

Feedback

Related Articles

2 - ECS Connectors and Providers Setup

Add Physical Data Center as Cloud Provider

Add Cloud Providers