AWS Setup

Connect your AWS account to Galleon so it can deploy and monitor applications on your behalf.

One-Click Setup

  1. From Galleon's Settings page (or during the onboarding wizard), enter your 12-digit AWS Account ID.
  2. Click Connect via AWS Quick Create. This opens the AWS CloudFormation console in a new tab with a pre-filled template.
  3. Review the stack parameters and click Create stack in your AWS account.
  4. Return to Galleon. It polls your account until the stack finishes creating, then shows an Active status on the connection.

No manual IAM configuration, no access keys to copy.

What Gets Provisioned

The CloudFormation template creates three resources in your account:

GalleonAccessRole

A read-only IAM role that Galleon assumes to monitor your deployments:

  • Read CloudWatch Logs for deployment output
  • Describe ECS services
  • Describe CloudFormation stacks
  • Clean up resources during infrastructure teardown

GalleonDeployerRole

An IAM role used by GitHub Actions via OIDC federation to provision and manage infrastructure:

  • Create and manage Lambda functions, S3 buckets, and CloudFront distributions
  • Manage ECS services and ECR repositories
  • Create and manage IAM roles, VPCs, and load balancers
  • All resources are scoped to the galleon-* name prefix

GitHub OIDC Provider

If your account does not already have one, the template creates an IAM OIDC provider for GitHub Actions. This enables GitHub Actions workflows to authenticate with AWS using short-lived tokens instead of stored credentials.

Security Model

  • Cross-account access -- Galleon assumes roles in your account using AWS STS with an ExternalId for confused deputy protection.
  • Scoped permissions -- The deployer role can only manage resources prefixed with galleon-*.
  • No stored credentials -- GitHub Actions authenticates via OIDC federation, not long-lived access keys.
  • Your data stays yours -- Galleon never stores your application code or AWS credentials.
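As an added example that is not Galleon's own code, the following Python checker audits the two trust relationships described above: it flags a cross-account trust statement that lacks the sts:ExternalId condition (confused deputy protection) and a GitHub OIDC trust that does not pin the audience or the repository. The account IDs and ExternalId in the constructed sample policies are placeholders.

```python
GITHUB_OIDC = "token.actions.githubusercontent.com"

def _as_list(value):
    # IAM accepts a single string or a list in most policy fields.
    return value if isinstance(value, list) else [value]

def trust_policy_findings(policy: dict) -> list:
    """Return findings for an IAM role trust policy; an empty list means it passes."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        like = stmt.get("Condition", {}).get("StringLike", {})
        # Cross-account trust (Galleon assuming GalleonAccessRole): require an
        # ExternalId so a third party cannot use Galleon as a confused deputy.
        if "AWS" in principal:
            if "*" in _as_list(principal["AWS"]):
                findings.append("cross-account trust allows any AWS principal")
            if not equals.get("sts:ExternalId"):
                findings.append("cross-account trust without sts:ExternalId condition")
        # GitHub OIDC trust (GalleonDeployerRole): pin the audience and the
        # repository so only the expected workflows can obtain credentials.
        if any(GITHUB_OIDC in f for f in _as_list(principal.get("Federated", []))):
            if equals.get(f"{GITHUB_OIDC}:aud") != "sts.amazonaws.com":
                findings.append("GitHub OIDC trust does not pin aud to sts.amazonaws.com")
            subs = _as_list(like.get(f"{GITHUB_OIDC}:sub") or equals.get(f"{GITHUB_OIDC}:sub") or [])
            if not subs or any(not s.startswith("repo:") or s.startswith("repo:*") for s in subs):
                findings.append("GitHub OIDC trust does not restrict sub to a specific repository")
    return findings

# Constructed sample (placeholder account ID): a confused-deputy-protected cross-account trust.
GOOD_ACCESS_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}

# Constructed sample: a GitHub OIDC trust that omits the audience and uses a wildcard repo.
WEAK_DEPLOYER_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::222222222222:oidc-provider/{GITHUB_OIDC}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringLike": {f"{GITHUB_OIDC}:sub": "repo:*"}}}]}
```

Run trust_policy_findings on the trust policy of each role the stack created (for example via the IAM console's Trust relationships tab) to confirm the conditions are actually present in your account.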

Validating Your Connection

  1. Navigate to your project's AWS Connections settings.
  2. Click Validate next to the connection.
  3. Galleon will attempt to assume the role and confirm permissions.

Connection status progresses through: Pending Setup --> Active --> Validated.

Troubleshooting

Stack creation failed -- Verify that your AWS account has permission to create IAM roles and OIDC providers. Check the CloudFormation Events tab in the AWS console for the specific error.

Validation failed -- Confirm the CloudFormation stack completed successfully in your AWS console. The stack status should show CREATE_COMPLETE.

Connection error -- Double-check that the AWS Account ID entered in Galleon matches the account where you created the stack.

Removing the Connection

  1. Delete the connection from Galleon's AWS Connections settings.
  2. Optionally, delete the CloudFormation stack from your AWS console to remove all provisioned IAM roles and the OIDC provider.

Deleting the Galleon connection does not automatically remove the CloudFormation stack from your account.

Next Steps