Skip to main content

AWS Marketplace

This guide is for users who have opted to purchase the Spotify Plugins for Backstage through AWS Marketplace. If you have purchased the plugins directly through our sales team, please refer to the Spotify for Backstage guide.

Overview

Our Spotify Plugins for Backstage product listing on AWS Marketplace comes with the Quick Launch deployment option. Quick Launch is a one-click solution that allows us to provision and host a portion of our SaaS product in your AWS account. This a requirement for all SaaS products listed on AWS Marketplace.

When you select this deployment option, the accompanying AWS CloudFormation template will automatically provision several AWS resources:

  • Secrets Manager Secret: Stores your license key in AWS.
  • Lambda Function: Manages the retrieval and handling of your license key secret, returning it in the form of a YAML configuration object.
  • API Gateway: Serves as the front-facing interface for the Lambda function, allowing secure HTTP access to the function's output.
  • IAM Roles and Policies: Ensures secure access to specific resources required by the Lambda function and API Gateway.

You will use these resources to configure your app-config*.yaml for Spotify Plugins for Backstage. If your AWS environment doesn't support this automated setup, you can instead follow the Spotify for Backstage guide once you have your license key.

AWS Marketplace: Configure and Launch

Step 1: Make sure you have required AWS permissions

Before initiating the Quick Launch deployment, confirm that your AWS account has the appropriate permissions to create and manage resources via CloudFormation. Use this sample policy as a starting point while accounting for the security guidelines set by your organization.

Sample Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"apigateway:DELETE",
"apigateway:GET",
"apigateway:PATCH",
"apigateway:POST",
"apigateway:PUT",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:ListStacks",
"cloudformation:UpdateStack",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:GetRole",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:TagRole",
"lambda:AddPermission",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:GetFunction",
"lambda:InvokeFunction",
"lambda:RemovePermission",
"lambda:TagResource",
"lambda:UpdateFunctionCode",
"lambda:UpdateFunctionConfiguration",
"secretsmanager:CreateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:TagResource",
"s3:*"
],
"Resource": "*"
}
]
}

Step 2: Log into an existing or new vendor account

Click "Log in or create an account" to be redirected to backstage.spotify.com. You will need to create an account and an organization if you don't already have one. This registration process connects your AWS account to your Spotify for Backstage organization.

Once you connect your AWS account, we will generate a new license key for this product. If you already have a license key and have started a new subscription through AWS Marketplace, we will update your existing license key to match your subscription end date. All current and future license keys can be accessed via the products page on backstage.spotify.com.

note

Creating a license key may take a day or two. You may pause and return to this process later if necessary.

Step 3: Configure your software and AWS integration

Once you have your license key, navigate back to your Spotify Plugins for Backstage subscription in AWS Marketplace. Finish setting up your product by continuing with the Quick Launch deployment. Click "Launch template" and follow the instructions to configure your CloudFormation stack.

Step 4: Launch your software

Once your CloudFormation stack has been created successfully, you will need to configure access to the API Gateway resource. By default, the CloudFormation template secures it with the AWS_IAM authorization type.

With AWS_IAM Authorization

Create an IAM policy that grants access to the API Gateway. Attach this policy to the IAM roles of the users or systems that need to interact with the API Gateway, namely those setting up the Backstage instance.

Here is a sample policy allowing execute-api:Invoke:

Sample Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:REGION:ACCOUNT_ID:API_ID/*"
}
]
}

Without AWS_IAM Authorization

Optionally, you may choose to remove the authorization type to make the API Gateway publicly accessible. Making your API Gateway publicly accessible runs the risk of exposing your license key to anyone with the API Gateway URL. If you notice unauthorized use of your license key as a result of this, submit a ticket via the support page at backstage.spotify.com, and we will issue you a new one.

If you wish to proceed, you will need to manually remove the authorization type through the API Gateway console. Re-deploy the API Gateway to propagate those changes.

note

Clicking "Launch software" in this step will take you to this documentation website. At this point, you can close the AWS Marketplace and continue with the next step.

License Key Setup

The way you set up your license key in your Backstage instance depends on your choice of API Gateway authorization.

With AWS_IAM Authorization

Open your Backstage repository in a new terminal, and use the AWS CLI to invoke the API Gateway. This will return a YAML configuration object with your license key and save the response to a file:

aws apigateway test-invoke-method --profile PROFILE_ID --rest-api-id REST_API_ID --resource-id RESOURCE_ID --http-method GET --query 'body' --output yaml > app-config.aws.yaml

Then, start your application:

yarn start --config path/to/app-config.yaml --config path/to/app-config.staging.yaml --config path/to/app-config.aws.yaml

Without AWS_IAM Authorization

Directly incorporate the API Gateway URL into your startup command:

yarn start --config path/to/app-config.yaml --config path/to/app-config.staging.yaml --config API_GATEWAY_URL

Learn more about using multiple configuration files in Backstage: Writing Backstage Configuration Files.

License Key Validation

To enable online license key validation, verify that your Backstage instance can access backstage-api.spotify.com. You can use a tool like NetCat to check the connection:

$ nc -vz backstage-api.spotify.com 443
Connection to backstage-api.spotify.com 443 port [tcp/https] succeeded!

Plugins Setup

With your license key in place, you can continue on to the individual plugin guides. Please refer to the specific documentation for the plugin you wish to install: