Adding Accounts (Multi-Account)

What is Fugue’s Multi-Account Feature?

Fugue’s multi-account feature allows you to seamlessly define, provision, and enforce cloud infrastructure across multiple Amazon Web Services (AWS) accounts using a single Fugue Conductor. By keeping the Conductor in one centralized account, you can manage processes in other accounts. This is simpler and more cost-effective than installing a Conductor in each account you want to deploy infrastructure in.

Currently, the Basic Conductor is limited to two AWS accounts, including the Conductor account. If you’re interested in using more accounts, reach out to support@fugue.co to discuss the Team Conductor.

How It Works

Fugue uses IAM roles to authenticate with the AWS API, so your AWS credentials are not stored on the Conductor. Instead, you create an IAM role in the target account and configure it for cross-account access, then pass that role’s ARN to Fugue using the account command. Fugue adds the account to an account table, hosted in Vars, where the ARN is encrypted using AWS’s Key Management Service (KMS) and key wrapping (see also credstash).

The Conductor account is considered the default account. If you’ve been running your processes in the same account the Conductor is in, you can continue to do so without making any changes. When no --account parameter is specified, run launches processes in the default (Conductor) account. Once you have configured and added the new account, you can run a process in that account by using the --account option with run.

You can use the status command with the --account parameter to see only the processes inside a particular account. See Checking status of processes running in a given account for more details.

Once a process is launched, it is bound to the account in which it ran, so there is no need to specify the account when you execute any other command manipulating the process. Fugue already knows which account it’s in, so usage of suspend, resume, update, kill, etc., is unchanged.

Use Cases

Say you have 50 clients for whom you manage AWS infrastructure. Rather than installing a Conductor into each client’s account – 50 Conductors! – you can use just one Conductor to manage the infrastructure across all of your clients’ accounts. Your infrastructure management becomes greatly simplified. It’s a scalable and cost-effective solution.

Or, if you have a CI/CD system in one account (build), and configure it to deploy in a separate account (web), you can run the Conductor in the build account and deploy, manage, and maintain processes in the web account.

Best Practices

Keep the Conductor in a Separate Account

We recommend keeping the Conductor in a separate account as a best practice.

  • It promotes security. Because the Conductor relies on AWS services for parts of its core functionality, a malicious user with IAM permissions to those services can act destructively. We recommend keeping the Conductor in a separate account, and only giving users access to the account if they need to work with Fugue, in accordance with the security principle of least privilege.
  • It promotes a cleaner separation of costs. Keeping the Conductor account separate from the account in which your processes run allows you to see a more accurate billing picture, because you can see Conductor costs separately from process costs.

Kill or Release Processes Before Removing Their Account

If you try to remove an account while there are processes running inside of it, you’ll see an error:

[ ERROR ] Could not remove account.
 Reason: 400, AccountDeleteError: Cannot delete accounts with running processes

So, before you remove an account, release the process if you want to preserve the infrastructure, or kill the process if you want to terminate the infrastructure.

IAM Roles Must Be In Different Accounts

AWS accounts added to Fugue must have unique AWS account IDs, so you cannot create multiple IAM roles in the same AWS account and try to add them as separate Fugue accounts.