How do I run the CodeDeploy agent with a user profile that's not the root profile?


I want to run the AWS CodeDeploy agent with a user profile that isn't the root profile.

Resolution

Amazon Linux 2 and Amazon Linux 2023 replaced the Amazon Linux 1 Amazon Machine Image (AMI). You can no longer launch Amazon Linux 1 AMIs as an Amazon Elastic Compute Cloud (Amazon EC2) instance. The following resolution is compatible with all supported RPM and Debian-based Linux distributions of the CodeDeploy agent.

Prerequisite: Either install the CodeDeploy agent on your EC2 instance, or verify that the CodeDeploy agent is running on the instance.

Change the user in your CodeDeploy agent configuration file and grant the user the required permissions

Complete the following steps:

  1. Use SSH to connect to your EC2 instance.

  2. To stop the CodeDeploy host agent that's installed on the instance, run the following command:

    sudo service codedeploy-agent stop

  3. To change the user in the CodeDeploy agent configuration file, run the following sed stream editor command:

    sudo sed -i 's/""/"ec2-user"/g' /etc/init.d/codedeploy-agent

    Note: Replace ec2-user with the username that you want the CodeDeploy host agent to run as. For more information about the sed command, see Introduction on the GNU website.

  4. To reload the systemd configuration, run the following commands:

    sudo sed -i 's/#User=codedeploy/User=ec2-user/g' /usr/lib/systemd/system/codedeploy-agent.service
    sudo systemctl daemon-reload

  5. To grant the new user permissions to the required directories, run the following commands:

    sudo chown ec2-user:ec2-user -R /opt/codedeploy-agent/
    sudo chown ec2-user:ec2-user -R /var/log/aws/

    Note: Replace ec2-user with the username that you want the CodeDeploy host agent to run as.

  6. To restart the CodeDeploy agent, run the following command:

    sudo service codedeploy-agent start

  7. To confirm that your configuration file is updated, run the following command:

    sudo service codedeploy-agent status

    Example output:

    The AWS CodeDeploy agent is running as PID ####

  8. To verify what processes are running and the user that's running the processes, run the following command:

    ps aux | grep codedeploy-agent
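The following script is an added example, not part of the AWS article, that turns steps 7 and 8 into a single check: it confirms the agent process runs as the intended user, that the systemd unit carries an uncommented User= line, and that the two directories you changed ownership of are fully owned by that user. The script name check-agent-user.sh is assumed; the paths are the ones the steps above modify.

```shell
#!/bin/bash
# Added example (not from the AWS article): checks that the CodeDeploy agent really runs
# as the intended non-root user. Paths are the ones the article's steps modify.
AGENT_UNIT=/usr/lib/systemd/system/codedeploy-agent.service
AGENT_DIRS="/opt/codedeploy-agent /var/log/aws"

# Print the account that owns the agent process. Reads `ps -eo user,args` output from
# stdin so the parsing can be exercised on constructed data; skips our own grep/awk.
# (ps shortens usernames longer than 8 characters and appends a "+".)
agent_user_from_ps() {
  awk '$0 ~ /codedeploy-agent/ && $0 !~ /grep|awk/ { print $1; exit }'
}

# Print the User= value systemd will honour in unit file $1. A commented "#User=..."
# line (the pre-change state) is ignored, so an empty result means the edit did not take.
unit_user() {
  sed -n 's/^[[:space:]]*User=//p' "$1" | tail -n 1
}

# Return 0 if everything under $1 is owned by user $2, 1 if any file is not,
# 2 if the directory is missing, 3 if the user does not exist.
dir_owned_by() {
  [ -d "$1" ] || return 2
  id -u "$2" >/dev/null 2>&1 || return 3
  find "$1" ! -user "$2" -print -quit | grep -q . && return 1
  return 0
}

# Run all checks on the live host for expected user $1; returns the number of failures.
verify_agent_user() {
  local expected=$1 failures=0 actual d
  actual=$(ps -eo user,args | agent_user_from_ps)
  if [ "$actual" != "$expected" ]; then
    echo "FAIL: agent process runs as '${actual:-<not running>}', expected '$expected'"
    failures=$((failures + 1))
  fi
  if [ "$(unit_user "$AGENT_UNIT")" != "$expected" ]; then
    echo "FAIL: $AGENT_UNIT has no active User=$expected line (was daemon-reload run?)"
    failures=$((failures + 1))
  fi
  for d in $AGENT_DIRS; do
    dir_owned_by "$d" "$expected" || { echo "FAIL: $d is not fully owned by $expected"; failures=$((failures + 1)); }
  done
  if [ "$failures" -eq 0 ]; then echo "OK: codedeploy-agent runs as $expected with matching ownership"; fi
  return "$failures"
}

# Usage: ./check-agent-user.sh ec2-user
if [ -n "${1:-}" ]; then verify_agent_user "$1"; fi
```

A non-zero exit code means at least one of the three conditions failed, which makes the script usable as a post-deploy gate in user data or a configuration check.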

Create a launch configuration template and an AWS Auto Scaling group to automate the user change process

Complete the following steps:

  1. Open the Amazon EC2 console.

  2. In the navigation pane, choose Launch Configurations.

  3. Choose Create launch configuration.

  4. Select the Amazon Linux AMI.

  5. Choose Next: Configure details.

  6. For IAM role, choose a preconfigured AWS Identity and Access Management (IAM) role. The role must grant your instance permission to access Amazon Simple Storage Service (Amazon S3) resources.

  7. Choose Advanced Details.

  8. In the User data section, enter the commands to install the CodeDeploy agent and then update its configuration file to use a specific user.
    For IMDSv1, use the following script:

    #!/bin/bash
    # Derive the Region from the instance's Availability Zone by stripping the trailing zone letter.
    REGION=$(curl 169.254.169.254/latest/meta-data/placement/availability-zone/ | sed 's/[a-z]$//')
    yum -y update
    yum install ruby wget -y
    # Download the installer from the Regional CodeDeploy bucket and install the agent.
    cd /home/ec2-user
    wget https://aws-codedeploy-$REGION.s3.amazonaws.com/latest/install
    chmod +x ./install
    ./install auto
    # Stop the agent, switch it to the non-root user, and give that user the agent's directories.
    service codedeploy-agent stop
    #adduser username <--- this is only required if you use a username that does not already exist
    sed -i 's/""/"ec2-user"/g' /etc/init.d/codedeploy-agent
    sed -i 's/#User=codedeploy/User=ec2-user/g' /usr/lib/systemd/system/codedeploy-agent.service
    systemctl daemon-reload
    chown ec2-user:ec2-user -R /opt/codedeploy-agent/
    chown ec2-user:ec2-user -R /var/log/aws/
    service codedeploy-agent start

    For IMDSv2, use the following script:

    #!/bin/bash
    # IMDSv2 requires a session token; request one valid for 6 hours and send it with the metadata call.
    TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
    # Derive the Region from the instance's Availability Zone by stripping the trailing zone letter.
    REGION=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/availability-zone/ | sed 's/[a-z]$//')
    yum -y update
    yum install ruby wget -y
    # Download the installer from the Regional CodeDeploy bucket and install the agent.
    cd /home/ec2-user
    wget https://aws-codedeploy-$REGION.s3.amazonaws.com/latest/install
    chmod +x ./install
    ./install auto
    # Stop the agent, switch it to the non-root user, and give that user the agent's directories.
    service codedeploy-agent stop
    #adduser username <--- this is only required if you use a username that does not already exist
    sed -i 's/""/"ec2-user"/g' /etc/init.d/codedeploy-agent
    sed -i 's/#User=codedeploy/User=ec2-user/g' /usr/lib/systemd/system/codedeploy-agent.service
    systemctl daemon-reload
    chown ec2-user:ec2-user -R /opt/codedeploy-agent/
    chown ec2-user:ec2-user -R /var/log/aws/
    service codedeploy-agent start

    Note: Replace ec2-user with the username that you want the CodeDeploy host agent to run as. The preceding example code runs automatically when you launch a new instance that uses the defined launch configuration.

  9. Complete the remaining steps in the launch wizard. Then, choose Create launch configuration.

  10. Choose Create an AWS Auto Scaling group using this launch configuration.

  11. For Group name, enter a name for your Auto Scaling group.

  12. For Subnet, enter a subnet that allows your instance to access the internet.

  13. Choose Next: Configure scaling policies, and then choose a policy.

  14. Complete the rest of the steps in the launch wizard, and then choose Create AWS Auto Scaling group.

Verify that the CodeDeploy agent is installed and is running with the correct user on a new instance

First, confirm that your instance is running. Then, complete the following steps:

  1. Use SSH to connect to your instance.

  2. To verify that the CodeDeploy agent is running on the instance, run the following command:

    sudo service codedeploy-agent status

    If the command returns an error, then the CodeDeploy agent isn't installed. Install the CodeDeploy agent.

  3. To verify that the CodeDeploy agent is running with the correct username, run the following command:

    ps aux | grep codedeploy-agent

    Example output:

    The AWS CodeDeploy agent is running as PID ####
AWS OFFICIAL. Updated 11 days ago.

3 Comments

I created a new Linux user 'code_deployer' and followed this post to implement an AWS pipeline for my Laravel project. Now I'm getting the below error in the AWS console:

Script at specified location: pipeline_scripts/stop_server.sh run as user code_deployer failed with exit code 1 Logs LifecycleEvent - ApplicationStop Script - pipeline_scripts/stop_server.sh [stderr]Password: su: Authentication failure*

Tried after commenting out all the script in pipeline_scripts/stop_server.sh, still not working.

The AWS CodeDeploy agent is running as user 'code_deployer'.

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS EXPERT
replied 2 years ago

Since long comments aren't allowed here, I made a new post on Medium explaining how it worked for me. It may be helpful to someone else.

https://medium.com/@arungraj/aws-code-deploy-with-non-root-user-f7fb51501760

replied 2 years ago