Create Deploy Target

Configure an account for use with OpsCanvas.

Overview

A deploy target represents a cloud account owned by your organization. As a best practice, create two accounts in your AWS Organization, one for lower (non-production) environments and the other for production. Keeping production in its own account makes it easy to control access to production resources, and the data they contain, independently of everything else.

OpsCanvas provides a script that uses your credentials to create an IAM role, OpsCanvas-Deploy-Role, in the selected AWS account. This role carries a set of permissions that the OpsCanvas platform uses to manage resources, and its trust policy allows a role in OpsCanvas' own AWS account, OpsCanvas-Deploy-Principal, to assume it. Whenever deployment operations are performed, the deploy principal role assumes the configured deploy role and performs those operations with the temporary credentials it receives.

Because the trust is granted by a role you create in your own account, OpsCanvas can act only in accounts that have been configured as a Deploy Target, and you can revoke that access at any time by deleting the role or removing its trust. Further, because every call is made with credentials issued for the assumed role, each action OpsCanvas takes is recorded in your account's CloudTrail under that assumed-role identity, so your organization has complete visibility into what OpsCanvas does.
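
Auditing that visibility in practice: the following is an added example, not part of OpsCanvas' script or documentation. It runs over a few constructed CloudTrail records (the account numbers, role ARNs and session names are placeholders) and pulls out every API call made with the deploy role's credentials, groups them by session, and flags any AssumeRole attempt on the deploy role that did not come from the account you expect OpsCanvas to call from.

```python
import json
from collections import Counter

# Hypothetical identifiers used only for this example.
TARGET_ACCOUNT = "111122223333"      # the account configured as a deploy target
OPSCANVAS_ACCOUNT = "999999999999"   # stands in for OpsCanvas' own AWS account
DEPLOY_ROLE_ARN = f"arn:aws:iam::{TARGET_ACCOUNT}:role/OpsCanvas-Deploy-Role"
PRINCIPAL_ROLE_ARN = f"arn:aws:iam::{OPSCANVAS_ACCOUNT}:role/OpsCanvas-Deploy-Principal"


def _assumed_role_call(source, name, role_arn, session, account):
    """Build a minimal CloudTrail record for an API call made with assumed-role credentials."""
    role_name = role_arn.rsplit("/", 1)[1]
    return {
        "eventSource": source,
        "eventName": name,
        "userIdentity": {
            "type": "AssumedRole",
            "accountId": account,
            "arn": f"arn:aws:sts::{account}:assumed-role/{role_name}/{session}",
            "sessionContext": {"sessionIssuer": {"type": "Role", "arn": role_arn}},
        },
    }


# Constructed sample records (not real CloudTrail output), as they would appear in the
# deploy target account's trail.
SAMPLE_RECORDS = [
    # 1. OpsCanvas' deploy principal assumes the deploy role.
    {
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {
            "type": "AssumedRole",
            "accountId": OPSCANVAS_ACCOUNT,
            "arn": f"arn:aws:sts::{OPSCANVAS_ACCOUNT}:assumed-role/OpsCanvas-Deploy-Principal/worker-1",
            "sessionContext": {"sessionIssuer": {"type": "Role", "arn": PRINCIPAL_ROLE_ARN}},
        },
        "requestParameters": {"roleArn": DEPLOY_ROLE_ARN, "roleSessionName": "opscanvas-deploy-42"},
    },
    # 2-3. Work performed with the deploy role's temporary credentials.
    _assumed_role_call("cloudformation.amazonaws.com", "CreateStack", DEPLOY_ROLE_ARN, "opscanvas-deploy-42", TARGET_ACCOUNT),
    _assumed_role_call("s3.amazonaws.com", "PutObject", DEPLOY_ROLE_ARN, "opscanvas-deploy-42", TARGET_ACCOUNT),
    # 4. Unrelated activity by an operator's own role in the same account.
    _assumed_role_call("ec2.amazonaws.com", "RunInstances", f"arn:aws:iam::{TARGET_ACCOUNT}:role/Admin", "alice", TARGET_ACCOUNT),
    # 5. A principal in a third account tries to assume the deploy role. A correct trust
    #    policy rejects this (errorCode AccessDenied), but the attempt is still logged.
    {
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "accountId": "444455556666", "arn": "arn:aws:iam::444455556666:user/mallory"},
        "requestParameters": {"roleArn": DEPLOY_ROLE_ARN, "roleSessionName": "x"},
    },
]


def deploy_role_actions(records, role_arn=DEPLOY_ROLE_ARN):
    """API calls made with credentials issued for role_arn, as (session name, eventSource, eventName)."""
    out = []
    for r in records:
        ident = r.get("userIdentity", {})
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        if ident.get("type") == "AssumedRole" and issuer.get("arn") == role_arn:
            session = ident["arn"].rsplit("/", 1)[1]
            out.append((session, r["eventSource"], r["eventName"]))
    return out


def calls_per_session(records, role_arn=DEPLOY_ROLE_ARN):
    """Number of calls per deploy-role session name, to group activity by assumption."""
    return dict(Counter(session for session, _, _ in deploy_role_actions(records, role_arn)))


def unexpected_assumers(records, role_arn=DEPLOY_ROLE_ARN, trusted_account=OPSCANVAS_ACCOUNT):
    """Callers of sts:AssumeRole on role_arn that are not in the trusted account, with the outcome."""
    bad = []
    for r in records:
        if r.get("eventSource") != "sts.amazonaws.com" or r.get("eventName") != "AssumeRole":
            continue
        if r.get("requestParameters", {}).get("roleArn") != role_arn:
            continue
        caller = r.get("userIdentity", {})
        if caller.get("accountId") != trusted_account:
            bad.append((caller.get("arn"), r.get("errorCode", "Success")))
    return bad


if __name__ == "__main__":
    print(json.dumps(deploy_role_actions(SAMPLE_RECORDS), indent=2))
    print("calls per session:", calls_per_session(SAMPLE_RECORDS))
    print("unexpected assumers:", unexpected_assumers(SAMPLE_RECORDS))
```

For real data, load the Records array from a CloudTrail log file delivered to S3 (json.load(f)["Records"]) and pass it in place of SAMPLE_RECORDS; the OpsCanvas account number to trust is the one in the deploy principal ARN that the trust policy of your deploy role names.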

Create the first deploy target

The first time you attempt to deploy an application, no deploy targets have been configured. Instead you will see a link to Create Deploy Target.

Click on the link to view information on how to launch the script.

OpsCanvas assumes you can download and run the script in a Unix-like environment (for example WSL on Windows). After downloading the script and making it executable, run it with the command ./install.sh

Running the script

The environment in which the script is run must have version 2.9 or later of the AWS CLI installed, as well as the command-line JSON processor jq.

When the script runs it uses the command aws configure list-profiles to list the configured profiles, that is, the accounts it can deploy into. You can use the CLI to create either a default or a named profile:

  • To create a default profile use aws configure

  • To create a named profile use aws configure --profile <name>

The script lists every profile configured in the environment, so if you need to set one up, give it a meaningful name.

Select a profile by entering its number and pressing Enter. The script then validates the selected account.

After validation succeeds, you will be prompted to name the deploy target. This is how the target is shown in the OpsCanvas UI (prefixed with aws:).

After providing a name, press Enter to continue or Ctrl-C to exit. Once you press Enter, the script makes changes to the selected AWS account.

You will see output in the window as the script performs the following actions:

  • Create the OpsCanvas-Deploy-Role role in your account.

  • Create a set of named policies in your account that will be associated with the deploy role.

  • Associate the new policies with the deploy role.

  • Send the following information back to OpsCanvas.

    • the selected AWS account ID

    • the deploy role ARN

    • the deploy role name

    • the external ID associated with the trust from the new role to the OpsCanvas Deploy Principal role

    • the deploy target label

At this point the deploy target has been created and associated with the role, and you can return to the deploy screen and select it from the deploy target drop-down.
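
The trust to OpsCanvas-Deploy-Principal described in the Overview, together with the external ID listed above, is what keeps the deploy role from being assumed by anyone other than OpsCanvas: the external ID is the standard defence against a confused-deputy attack, where a third party tricks OpsCanvas into assuming your role on their behalf. The following is an added example, not part of OpsCanvas' script or documentation, that checks a deploy role's trust policy has exactly that shape, and shows a weak variant beside it for comparison. The account number, principal ARN and external ID are placeholders; substitute the values the script reported.

```python
import json

# Hypothetical identifiers used only for this example; the script reports the real values.
OPSCANVAS_ACCOUNT = "999999999999"   # stands in for OpsCanvas' own AWS account
PRINCIPAL_ROLE_ARN = f"arn:aws:iam::{OPSCANVAS_ACCOUNT}:role/OpsCanvas-Deploy-Principal"
EXTERNAL_ID = "example-external-id-0001"

# Constructed trust policy of the shape described above: exactly one trusted role, and
# assumption is only allowed when the caller presents the agreed external ID.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": PRINCIPAL_ROLE_ARN},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
        }
    ],
}

# Constructed weak variant for comparison: trusts the whole remote account and has no
# external ID, so any principal in that account could assume the deploy role.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{OPSCANVAS_ACCOUNT}:root"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, expected_principal=PRINCIPAL_ROLE_ARN, expected_external_id=None):
    """Return a list of findings for an IAM trust policy; an empty list means it is as tight as expected."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # statement does not grant role assumption

        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: trusts any principal")
            principal = {}
        for p in _as_list(principal.get("AWS")):
            if p == "*":
                findings.append(f"statement {i}: trusts any AWS principal")
            elif p != expected_principal:
                findings.append(f"statement {i}: trusts unexpected principal {p}")
        for key in ("Service", "Federated"):
            if key in principal:
                findings.append(f"statement {i}: trusts {key} principal {principal[key]}")

        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif expected_external_id is not None and external_id != expected_external_id:
            findings.append(f"statement {i}: sts:ExternalId does not match the value reported to OpsCanvas")
    return findings


def check_trust_policy_file(path, **kwargs):
    """Check a trust policy saved to disk, such as the JSON output of aws iam get-role."""
    with open(path) as f:
        doc = json.load(f)
    # aws iam get-role wraps the document as {"Role": {"AssumeRolePolicyDocument": {...}}}
    if "Role" in doc:
        doc = doc["Role"]["AssumeRolePolicyDocument"]
    return check_trust_policy(doc, **kwargs)


if __name__ == "__main__":
    print("good:", check_trust_policy(GOOD_TRUST_POLICY, expected_external_id=EXTERNAL_ID))
    print("weak:", check_trust_policy(WEAK_TRUST_POLICY))
```

To check the live role, save the output of aws iam get-role --role-name OpsCanvas-Deploy-Role --output json to a file (using the profile you selected in the script) and pass that path to check_trust_policy_file with the principal ARN and external ID the script reported; any finding other than an empty list means the trust is wider than the design above intends.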

Creating subsequent deploy targets

The install script can only be run to completion once. To add another deploy target, use the link on the deploy configuration screen to obtain a new installation script, and run it against the profile for the next account.
