Adding Accounts (Multi-Account)¶
What is Fugue’s Multi-Account Feature?¶
Fugue’s multi-account feature allows you to seamlessly define, provision, and enforce cloud infrastructure across multiple Amazon Web Services (AWS) accounts using a single Fugue Conductor. By keeping the Conductor in one centralized account, you can manage processes in other accounts. This is simpler and more cost-effective than installing a Conductor in each account you want to deploy infrastructure in.
How It Works¶
Fugue uses IAM roles to authenticate with the AWS API, so your AWS credentials are not stored on the Conductor. Instead, you create an IAM role in the target account and configure it for cross-account access, then pass that role’s ARN to Fugue using the account command. Fugue adds the account to an account table, hosted in Vars, where the ARN is encrypted using AWS’s Key Management Service (KMS) and key wrapping (see also credstash).
The Conductor account is considered the default account. If you’ve been running your processes in the same account the Conductor is in, you can continue to do so without making any changes. When no --account parameter is specified, run launches processes in the default (Conductor) account. Once you have configured and added the new account, you can run a process in that account by passing the --account option to run.
You can use the status command with the --account parameter to see only the processes inside a particular account. See Checking status of processes running in a given account for more details.
Once a process is launched, it is bound to the account in which it was launched, so you do not need to specify the account for any other command that manipulates that process. Fugue already knows which account the process is in, so the usage of suspend, resume, update, kill, etc., is unchanged.
Say you have 50 clients for whom you manage AWS infrastructure. Rather than installing a Conductor into each client’s account – 50 Conductors! – you can use just one Conductor to manage the infrastructure across all of your clients’ accounts. Your infrastructure management becomes greatly simplified. It’s a scalable and cost-effective solution.
Or, if you have a CI/CD system in one account (build), and configure it to deploy in a separate account (web), you can run the Conductor in the build account and deploy, manage, and maintain processes in the web account.
Keep the Conductor in a Separate Account¶
We recommend keeping the Conductor in a separate account as a best practice.
- It promotes security. The Conductor relies on AWS services in its own account for parts of its core functionality, so any user with IAM permissions to those services can disrupt or destroy the Conductor’s state. Keeping the Conductor in a separate account lets you grant access to that account only to the users who need to work with Fugue, in accordance with the principle of least privilege.
- It promotes a cleaner separation of costs. Keeping the Conductor account separate from the account in which your processes run allows you to see a more accurate billing picture, because you can see Conductor costs separately from process costs.
Kill or Release Processes Before Removing Their Account¶
If you try to remove an account while there are processes running inside of it, you’ll see an error:
[ ERROR ] Could not remove account. Reason: 400, AccountDeleteError: Cannot delete accounts with running processes
IAM Roles Must Be In Different Accounts¶
The AWS account where the Conductor is installed is the default account. Each AWS account may contain multiple IAM roles, but one Fugue account corresponds to exactly one AWS account ID, so every role you add to Fugue must live in a different AWS account, and the Conductor’s own account does not need to be added.
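The pieces above fit together as follows: the role in the target account needs a trust policy that lets the Conductor assume it, the ARN you register must point at an AWS account other than the Conductor’s (and not one already registered), and an account with running processes cannot be removed. The example below is added here to show those three checks in working code; it is not Fugue’s own code. The account IDs, role names, account labels and the in-memory AccountTable are hypothetical stand-ins (the real account table lives in Vars and encrypts the ARN with KMS; this one stores it in plain memory). Trusting the Conductor’s specific IAM role rather than the whole Conductor account is a least-privilege choice made here, not a requirement stated by the page.

```python
"""Cross-account role setup checks for a Fugue-style account table.

Added example, not Fugue's own code. The Conductor account ID, role names,
account labels and the in-memory AccountTable are hypothetical.
"""
import re

# An IAM role ARN looks like arn:aws:iam::123456789012:role/RoleName
# (an optional path such as role/fugue/RoleName is allowed).
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")


def parse_role_arn(arn):
    """Return (account_id, role_name), or raise ValueError on a malformed ARN."""
    m = ROLE_ARN_RE.match(arn)
    if not m:
        raise ValueError("not an IAM role ARN: %r" % arn)
    account_id, role_path = m.groups()
    return account_id, role_path.rsplit("/", 1)[-1]


def conductor_trust_policy(conductor_account_id, conductor_role_name=None):
    """Trust (assume-role) policy for the role created in the target account.

    With a role name the principal is the Conductor's own IAM role, so that
    not every principal in the Conductor account may assume the target role.
    Without one it falls back to the whole Conductor account (":root").
    The identity policy granting infrastructure permissions is separate.
    """
    if conductor_role_name:
        principal = "arn:aws:iam::%s:role/%s" % (conductor_account_id, conductor_role_name)
    else:
        principal = "arn:aws:iam::%s:root" % conductor_account_id
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole",
        }],
    }


class AccountTable:
    """In-memory stand-in for the account table (hypothetical, unencrypted)."""

    def __init__(self, conductor_account_id):
        self.conductor_account_id = conductor_account_id
        self.accounts = {}  # label -> role ARN
        self.running = {}   # label -> count of running processes

    def add(self, label, role_arn):
        """Register a role ARN; one Fugue account per AWS account ID."""
        account_id, _ = parse_role_arn(role_arn)
        if account_id == self.conductor_account_id:
            raise ValueError("role is in the Conductor (default) account; nothing to add")
        for other, arn in self.accounts.items():
            if parse_role_arn(arn)[0] == account_id:
                raise ValueError("AWS account %s is already registered as %r" % (account_id, other))
        self.accounts[label] = role_arn
        self.running.setdefault(label, 0)

    def remove(self, label):
        """Refuse to remove an account that still has running processes."""
        if self.running.get(label, 0):
            raise RuntimeError("AccountDeleteError: Cannot delete accounts with running processes")
        del self.accounts[label]
        self.running.pop(label, None)


def raises(exc_type, fn, *args):
    """True if calling fn(*args) raises exc_type (used to check the guards)."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False
```

Paste the dict returned by conductor_trust_policy as the trust policy of the role you create in the target account, then register that role's ARN; the AccountTable guards mirror the two error conditions described above.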