AWS Marketplace
Deeploy can be purchased via the AWS Marketplace. To investigate whether this option is beneficial for your organization, check the AWS Marketplace buyer guide.
The most common way to purchase Deeploy via the AWS Marketplace is with a private offer. Contact us to receive a personalized offer. Alternatively, Deeploy offers two standard container products with monthly or usage-based pricing. See the AWS Marketplace listings for more information.
AWS Marketplace configuration
For Deeploy AWS Marketplace customers, it is important to allow the AWS Marketplace to register the usage of the Deeploy software. Please note that this article assumes you have already completed the steps for the required Deeploy AWS cloud resources. We advise using a single role to access all AWS resources from the EKS cluster.
1. Attach policies
Attach the policies required by the AWS Marketplace to the role.
AWS Managed Policies:
- AWSMarketplaceMeteringRegisterUsage
2. IAM OIDC provider
If you have not done so yet, create an IAM OIDC provider for the EKS cluster.
Check that the OpenID Connect provider URL matches your cluster (see the details in the EKS configuration):
aws iam list-open-id-connect-providers | grep <EXAMPLED539D4633E53DE1B716D3041E>
3. Create trusted entity
Create a trusted entity for the AWS role. For this step, use the technical overview in the IAM roles for service accounts docs.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/<OIDC_PROVIDER>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "<OIDC_PROVIDER>:sub": "system:serviceaccount:deeploy:*"
        }
      }
    }
  ]
}
The snippet above assumes you run Deeploy in the default deeploy namespace.
4. IAM role for Kubernetes service accounts
Allow pods to assume your role. If you provide the role for the key license.aws.trustedIamRoleArn in the Deeploy values during the installation, the relevant Kubernetes service accounts will be annotated automatically.
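A check for the trust policy from steps 2 and 3, as an added example that is not part of the Deeploy documentation: it verifies that the federated principal is the cluster's OIDC provider and that the sub condition stays inside the deeploy namespace, and it reports a wildcard sub or a missing aud condition as warnings. The account ID, region and function names are constructed for illustration.

```python
def _as_list(v):
    # IAM allows a single value or a list in most policy fields.
    return [] if v is None else v if isinstance(v, list) else [v]

def audit_trust_policy(policy, account_id, oidc_provider, namespace="deeploy"):
    """Check the web-identity statements of a role trust policy; return findings."""
    expected_arn = f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"
    prefix = f"system:serviceaccount:{namespace}:"
    web = [s for s in _as_list(policy.get("Statement"))
           if s.get("Effect") == "Allow"
           and "sts:AssumeRoleWithWebIdentity" in _as_list(s.get("Action"))]
    if not web:
        return ["FAIL: no sts:AssumeRoleWithWebIdentity statement, pods cannot assume the role"]
    findings = []
    for s in web:
        principal = s.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if federated != [expected_arn]:
            findings.append("FAIL: Federated principal is not the cluster's OIDC provider")
        subs, auds = [], []
        for op, keys in s.get("Condition", {}).items():
            subs += [(op, v) for v in _as_list(keys.get(f"{oidc_provider}:sub"))]
            auds += _as_list(keys.get(f"{oidc_provider}:aud"))
        if not subs:
            findings.append("FAIL: no sub condition for this provider")
        for op, sub in subs:
            if not sub.startswith(prefix):
                findings.append(f"FAIL: {sub} is not limited to namespace {namespace}")
            elif "Like" in op and any(c in sub[len(prefix):] for c in "*?"):
                findings.append(f"WARN: {sub} matches service accounts by wildcard")
        if "sts.amazonaws.com" not in auds:
            findings.append("WARN: no aud condition for sts.amazonaws.com")
    return findings

# Constructed sample: the step 3 policy with a placeholder account ID and provider filled in.
OIDC = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow",
     "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"},
     "Action": "sts:AssumeRoleWithWebIdentity",
     "Condition": {"StringLike": {f"{OIDC}:sub": "system:serviceaccount:deeploy:*"}}}]}

if __name__ == "__main__":
    print("\n".join(audit_trust_policy(SAMPLE, "111122223333", OIDC)) or "OK")
```

The policy of an existing role can be obtained with `aws iam get-role --role-name <ROLE_NAME> --query Role.AssumeRolePolicyDocument` and passed to `audit_trust_policy` after parsing it as JSON.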