Ryvn makes deploying applications to customer cloud environments seamless and secure. Our provisioning system handles everything from initial setup to ongoing maintenance, letting you focus on building great software while we manage the infrastructure.
Ryvn supports AWS, Google Cloud, and Azure. The setup process varies by cloud provider.
Here’s an overview of how Ryvn works with your customer’s cloud infrastructure:

Cloud Provider Setup

The credential setup process differs by cloud provider. For AWS it proceeds in four steps:
  1. Invite Code: You generate an invite code for your customer. The customer uses their email and the invite code to log in to the Ryvn control plane.
  2. Grant Permissions: The customer enters their AWS Account ID and clicks Grant Permissions. This opens AWS CloudFormation to create an IAM role that allows Ryvn to manage resources in their account.
  3. Infrastructure Provisioning: Once permissions are granted, Ryvn provisions the infrastructure using the IAM role. No long-lived credentials are stored.
  4. Workload Identity: After provisioning, the Ryvn agent uses IAM Roles for Service Accounts (IRSA) for ongoing authentication.
For customers who prefer to manage infrastructure themselves, AWS supports a customer-controlled mode where the customer runs the provisioning process using their own credentials.

Infrastructure Provisioning

Once credentials are configured, Ryvn provisions the necessary infrastructure using Terraform:
  • VPC and network configuration
  • Subnets and security groups
  • Kubernetes cluster (EKS, GKE, or AKS)
  • Load balancers and ingress controllers
  • DNS and certificate management
Finally, Ryvn deploys your application and configures monitoring with metrics collection and logging.
You can disable logging collection at your customer’s request.

Security

Security is foundational to our provisioning system, with multiple layers of protection throughout the process:
  • Least Privilege Access: Provisioning credentials are scoped to the minimum permissions required to set up the Ryvn environment and deploy vendor resources.
  • Workload Identity: After provisioning, the Ryvn agent authenticates using cloud-native workload identity (IRSA for AWS, Workload Identity for GCP/Azure) rather than static credentials.
  • Environment Isolation: Each customer environment has dedicated VPCs, Kubernetes namespaces, network policies, and independent access controls.
  • Secure Communication: All communication between Ryvn and your customer’s cloud environment is secured using TLS encryption, with mutual TLS authentication for service-to-service communication.
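Both the cross-account role created in the Grant Permissions step and the IRSA role the agent uses afterwards are IAM roles whose security rests entirely on their trust policies. The checker below is an added example, not Ryvn's code, showing what a customer's security team would verify on each: the delegation role trusts only the vendor's AWS account and carries an sts:ExternalId condition (a standard confused-deputy control; this page does not state whether Ryvn's CloudFormation template sets one), and the IRSA role trusts only the cluster's OIDC provider, pinned to one Kubernetes service account and to the STS audience. The account IDs, OIDC provider ID, namespace/service-account name and external ID are constructed placeholders.

```python
"""Audit the trust policies of the two IAM roles this page describes: the
cross-account role created in the Grant Permissions step and the IRSA role
the in-cluster agent uses. Constructed example, not Ryvn's code."""
import re

# Constructed placeholders; real values come from your own account and cluster.
VENDOR_ACCOUNT_ID = "111111111111"
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCID"
AGENT_SUBJECT = "system:serviceaccount:ryvn-system:ryvn-agent"  # hypothetical ns/sa

def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _account_of(principal: str) -> str:
    """Account ID from a bare 12-digit ID or from an ARN's fifth field."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else ""

def audit_cross_account(policy: dict, vendor_account: str) -> list:
    """Findings for a role the vendor assumes from its own AWS account."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if "*" in aws:
            findings.append("principal is '*': any AWS account could assume this role")
            continue
        for p in aws:
            if _account_of(p) != vendor_account:
                findings.append(f"unexpected principal {p}")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
    return findings

def audit_irsa(policy: dict, provider: str, subject: str) -> list:
    """Findings for an IRSA role: assumable only through the cluster's OIDC
    provider, by exactly one Kubernetes service account, for the STS audience."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        fed = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if not fed or not all(f.endswith(":oidc-provider/" + provider) for f in fed):
            findings.append(f"federated principal is not the cluster OIDC provider: {fed}")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        sub = equals.get(f"{provider}:sub")
        if sub is None:
            findings.append("service account not pinned with a StringEquals :sub condition")
        elif sub != subject:
            findings.append(f"role trusts {sub!r}, expected {subject!r}")
        if equals.get(f"{provider}:aud") != "sts.amazonaws.com":
            findings.append("audience (:aud) not pinned to sts.amazonaws.com")
    return findings

# Constructed sample policies: one sound and one weak of each kind.
GOOD_CROSS_ACCOUNT = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT_ID}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
}]}
OPEN_CROSS_ACCOUNT = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole",
}]}
GOOD_IRSA = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::222222222222:oidc-provider/{OIDC_PROVIDER}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {f"{OIDC_PROVIDER}:sub": AGENT_SUBJECT,
                                   f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com"}},
}]}
LOOSE_IRSA = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::222222222222:oidc-provider/{OIDC_PROVIDER}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringLike": {f"{OIDC_PROVIDER}:sub": "system:serviceaccount:*:*"}},
}]}

if __name__ == "__main__":
    for name, result in [
        ("good cross-account", audit_cross_account(GOOD_CROSS_ACCOUNT, VENDOR_ACCOUNT_ID)),
        ("open cross-account", audit_cross_account(OPEN_CROSS_ACCOUNT, VENDOR_ACCOUNT_ID)),
        ("good IRSA", audit_irsa(GOOD_IRSA, OIDC_PROVIDER, AGENT_SUBJECT)),
        ("loose IRSA", audit_irsa(LOOSE_IRSA, OIDC_PROVIDER, AGENT_SUBJECT)),
    ]:
        print(f"{name}: {'OK' if not result else '; '.join(result)}")
```

To run it against a real role, fetch the document with `aws iam get-role` and pass `Role.AssumeRolePolicyDocument` to the matching function; an empty findings list means the trust boundary matches the page's description (a single vendor account during provisioning, a single service account afterwards) and nothing broader.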

Customer Deployment Controls

After provisioning, you can give customers control over when deployments happen. Enable requireApproval on the environment so customers can review and approve changes before they’re applied to their infrastructure. See Deployment Approvals.

Ongoing Maintenance

Ryvn handles all aspects of cluster maintenance and upgrades to ensure your infrastructure remains secure and performant.
We handle Kubernetes version upgrades twice per year using blue-green deployments for zero downtime. All upgrades are extensively tested and coordinated with cloud provider releases.