GitOps on AWS: Step-by-Step Guide to Automate Deployments

If your organization is considering implementing GitOps workflows on AWS, you’re aiming for a modern, fully automated, and auditable DevOps pipeline. GitOps leverages Git as the single source of truth, enabling rapid, reliable deployments and simplified rollback—all while keeping your infrastructure and application state declarative and version-controlled. In this step-by-step guide, we’ll walk through the entire process of implementing GitOps workflows on AWS, using concrete examples, tool integrations, and best practices verified by real-world case studies and expert recommendations.

Introduction to GitOps and Its Benefits

Implementing GitOps workflows on AWS revolutionizes how teams manage infrastructure and application deployments. Instead of relying on manual interventions or disparate automation scripts, GitOps centralizes all changes in a Git repository, ensuring that every modification is tracked, auditable, and automatically applied to your AWS cloud environments.

Key Insight:
"GitOps provides transparency, repeatability, and safer environments by making Git the single source of truth for infrastructure and application state."
— A Practical Guide to GitOps on AWS

Benefits of GitOps on AWS

Eliminates configuration drift: Ensures your deployed infrastructure matches what’s in Git, reducing inconsistencies.
Complete auditability: Every change is tracked in Git, supporting compliance and incident investigations.
Faster deployment cycles: Automated pipelines enable immediate deployments after code review and merge.
Error reduction: Removes manual steps, minimizing deployment mistakes.
Stronger collaboration: Teams review and approve all changes via pull requests, promoting code quality and shared understanding.

Prerequisites: AWS Account and Tools Setup

Before you can begin implementing GitOps workflows on AWS, you need to set up the essential foundation. Here’s what’s required:

Essential Accounts and Permissions

AWS Account: With permissions to create and manage EKS clusters, IAM users, ECR repositories, and related resources.
GitHub Account: For hosting your application code and GitOps repositories.

Required Tools

Tool	Purpose	Source Reference
Jenkins	Continuous Integration	[Medium Guide]
Amazon ECR	Docker image storage	[Medium Guide]
ArgoCD	Continuous Deployment (CD) via GitOps	[Medium Guide, GitHub]
Amazon EKS	Managed Kubernetes service	[Medium Guide, GitHub]
eksctl	CLI for EKS cluster management	[Medium Guide, GitHub]
kubectl	Kubernetes CLI tool	[Medium Guide, GitHub]

Optional but recommended:

SonarQube: For code quality and security scanning (GitHub Jenkins Orchestrator)
Trivy: Container vulnerability scanning
CloudWatch: AWS-native logging and monitoring

Installation Steps

Install kubectl and eksctl on your local machine.
Set up Jenkins (as a server or via container).
Create a GitHub repository for your application and another for your Kubernetes manifests (GitOps repo).

Choosing the Right GitOps Tools for AWS

Selecting the correct toolchain is crucial for a robust GitOps implementation. The real-world case studies referenced here demonstrate proven stacks:

Component	Recommended Tool	Notes
Version Control	GitHub	For both app and manifest repositories
CI/CD Orchestration	Jenkins	Popular, integrates well with AWS and GitHub
Image Registry	Amazon ECR	Secure, AWS-integrated Docker image storage
Kubernetes CD	ArgoCD	Declarative GitOps for Kubernetes
Kubernetes Service	Amazon EKS	Managed, scalable, secure Kubernetes
Monitoring	CloudWatch	Native logs and metrics

ArgoCD stands out as the GitOps engine in every referenced pipeline, providing automated application deployment and synchronization directly from Git to AWS EKS.

"ArgoCD detects the change and syncs the new version to Amazon EKS…providing true GitOps-driven deployment."
— A Practical Guide to GitOps on AWS

Configuring AWS Services for GitOps (EKS, CodePipeline, etc.)

Implementing GitOps workflows on AWS requires configuring several core AWS services.

Step 1: Create an EKS Cluster

Provision an EKS cluster using eksctl:

eksctl create cluster \
  --name blog-cluster \
  --region us-east-1 \
  --nodes 2 \
  --node-type t3.small \
  --managed

This command sets up:

EKS control plane
Node group
VPC networking
Essential IAM roles

Verify with:

kubectl get nodes

Step 2: Set Up Amazon ECR Repository

Create an ECR repository for your Docker images:

aws ecr create-repository \
  --repository-name percy-blog \
  --region us-east-1

Take note of the repository URI for Jenkins pipeline integration.

Step 3: IAM Permissions for Jenkins

Jenkins will need permissions to:

Push to ECR
Update GitOps manifests in GitHub

Create the IAM user and attach the AmazonEC2ContainerRegistryFullAccess policy:

aws iam create-user --user-name jenkins-user
aws iam attach-user-policy \
  --user-name jenkins-user \
  --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess

Generate and securely store AWS access keys for Jenkins.

Setting Up Infrastructure as Code Repositories

A GitOps pipeline relies on storing all infrastructure and deployment configurations in Git. Follow these practices:

Repository Structure

Application Repository: Holds source code, Dockerfile, and build scripts.
GitOps Repository: Dedicated for Kubernetes manifests (Deployment, Service, Ingress, etc.).

Example structure:

/app-repo
  /src
  Dockerfile
  Jenkinsfile

/gitops-repo
  /deployments
    deployment.yaml
    service.yaml
    ingress.yaml

"Jenkins updates the Kubernetes manifests stored in a dedicated GitOps repository…ArgoCD detects the change and syncs the new version to Amazon EKS."
— [Medium Guide]

Best Practices

Use branches and pull requests for all changes.
Enforce code reviews on manifest updates.
Tag releases for production deployments.

Automating Deployments with GitOps Principles

The heart of GitOps is automation. The typical sequence, as practiced in AWS-based pipelines, is:

Developer pushes code to GitHub (app repo).
Jenkins runs:
- Builds the application
- Builds Docker image
- Runs tests, SonarQube, and Trivy scans (if configured)
- Pushes image to ECR
- Updates image tag in Kubernetes manifest in GitOps repo
GitOps Repo Change: Jenkins pushes the manifest update (new image tag).
ArgoCD auto-detects the GitOps repo change and triggers deployment to EKS.

Example Jenkins Pipeline Stages (from Jenkinsfile):

pipeline {
  stages {
    stage('Build') {
      steps {
        sh 'mvn clean package'
      }
    }
    stage('Test') {
      steps {
        sh 'mvn test'
      }
    }
    stage('SonarQube Analysis') {
      steps {
        sh 'sonar-scanner'
      }
    }
    stage('Docker Build & Push') {
      steps {
        sh 'docker build -t $ECR_REPO_URI:$BUILD_TAG .'
        sh 'docker push $ECR_REPO_URI:$BUILD_TAG'
      }
    }
    stage('Update Manifests') {
      steps {
        sh './scripts/update-manifest.sh $BUILD_TAG'
        sh 'git commit -am "Update image tag to $BUILD_TAG" && git push'
      }
    }
  }
}

ArgoCD then monitors the GitOps repository, automatically reconciling the desired state in Git with the running state in EKS.

Monitoring and Rollback Strategies

Visibility and control are essential in any deployment pipeline.

Monitoring

CloudWatch: Captures logs and metrics from your EKS workloads.
Prometheus Integration: Argo Workflows (from Bitnami) supports native Prometheus metrics by enabling controller.metrics.enabled=true in the Helm chart.
ArgoCD Dashboard: Provides real-time deployment status and history.

Rollback

"All changes to infrastructure and applications are tracked in Git, providing a complete history of changes with the ability to rollback to any previous state."
— [HashiCorp Developer]

Rollback via Git: Simply revert the manifest change in Git and ArgoCD will sync the previous version.
ArgoCD UI: Allows manual rollback to previous versions as needed.

Security Best Practices in GitOps Workflows

Security in a GitOps pipeline on AWS should be multi-layered:

IAM Least Privilege: Jenkins and ArgoCD should have only the permissions they need (e.g., ECR push, EKS describe/deploy).
GitHub Branch Protections: Enforce code reviews and restrict force-pushes on GitOps repo.
Code Quality and Security Scanning: Integrate SonarQube for static analysis and Trivy for container vulnerability scanning in the CI pipeline ([GitHub Jenkins Orchestrator]).
Immutable Container Tags: Use immutable tags for Docker images to prevent unintended deployments.
Secrets Management: Store sensitive credentials in AWS Secrets Manager or Kubernetes Secrets, not in Git.

Troubleshooting Common Issues

Even with a robust GitOps pipeline, issues can arise. Here are some encountered and resolved in real-world AWS setups:

ArgoCD UI Access Problems (Windows/WSL2)

Problem:
kubectl port-forward fails to expose ArgoCD UI to Windows browser due to WSL2 network isolation.

Solution:
Set up a two-layer port bridge using socat and portproxy:

Port-forward ArgoCD server inside WSL:

kubectl port-forward svc/argocd-server -n argocd 8181:443

Use socat and Windows netsh to bridge ports from WSL to Windows host ([see Medium Guide for full steps]).

IAM Permission Errors

Ensure Jenkins IAM user has AmazonEC2ContainerRegistryFullAccess and GitHub push rights.
Validate that ArgoCD has access to EKS API.

Manifest Sync Failures

Confirm ArgoCD is watching the correct GitOps repo and branch.
Check for syntax errors in Kubernetes manifests.

Conclusion and Next Steps

Implementing GitOps workflows on AWS requires careful setup but yields significant benefits: automation, reliability, auditability, and speed. By following the best practices and toolchain integrations outlined in this guide—grounded in proven, real-world pipelines—you can streamline your DevOps processes and enable safer, faster deployments on AWS.

Next Steps:

Expand your pipeline to include more environments (staging, QA).
Integrate additional quality gates (e.g., security scanning, policy checks).
Monitor and optimize cost and resource usage with AWS-native tools.

FAQ: Implementing GitOps Workflows on AWS

Q1: What are the essential AWS services needed for a GitOps workflow?
A: The core services are Amazon EKS (Kubernetes), Amazon ECR (image registry), IAM (permissions), and optionally CloudWatch (monitoring). Jenkins and ArgoCD are also commonly used for CI/CD orchestration.

Q2: Which GitOps tool is recommended for AWS Kubernetes deployments?
A: ArgoCD is widely recommended and used for declarative, GitOps-driven deployments to Amazon EKS, as evidenced in multiple real-world pipelines.

Q3: How do I securely store Docker images in AWS?
A: Use Amazon ECR, which integrates with IAM for secure, private storage and access control for container images.

Q4: How does rollback work in a GitOps workflow?
A: Rollbacks are done by reverting the relevant commit in the GitOps repository; ArgoCD will detect the change and sync the previous state to EKS.

Q5: What are the key security best practices?
A: Use IAM least privilege, enforce GitHub branch protections, integrate static and container security scanning, and never store secrets in Git repositories.

Q6: What if I have trouble accessing ArgoCD UI from Windows?
A: On WSL2, you’ll need to set up a two-step port bridge using socat and Windows portproxy to expose the ArgoCD UI to your browser.

Bottom Line

Adopting GitOps workflows on AWS—anchored by Git, Jenkins, ArgoCD, and EKS—delivers a robust, automated deployment pipeline that scales with your needs. By relying on GitOps principles and AWS-native services, you gain transparency, compliance, and operational efficiency. As demonstrated in production use cases, the combination of these tools and best practices enables teams to accelerate release cycles, reduce errors, and confidently manage cloud-native infrastructure in 2026 and beyond.