I want to run the AWS CodeDeploy agent with a user profile that isn't the root profile.
Resolution
Amazon Linux 2 and Amazon Linux 2023 replaced the Amazon Linux 1 Amazon Machine Image (AMI). You can no longer launch Amazon Linux 1 AMIs as an Amazon Elastic Compute Cloud (Amazon EC2) instance. The following resolution is compatible with all supported RPM and Debian-based Linux distributions of the CodeDeploy agent.
Prerequisite: Either install the CodeDeploy agent on your EC2 instance, or verify that the CodeDeploy agent is running on the instance.
Change the user in your CodeDeploy agent configuration file and grant the user the required permissions
Complete the following steps:
- Use SSH to connect to your EC2 instance.
- To stop the CodeDeploy host agent that's installed on the instance, run the following command:
sudo service codedeploy-agent stop
- To change the user in the CodeDeploy agent init script, run the following sed stream editor command:
sudo sed -i 's/""/"ec2-user"/g' /etc/init.d/codedeploy-agent
Note: Replace ec2-user with the username that you want the CodeDeploy host agent to run as. The command replaces every empty quoted string ("") in the init script, so review the file afterwards to confirm that only the user setting changed. For more information about the sed command, see Introduction on the GNU website.
- To set the user in the systemd unit file and reload the systemd configuration, run the following commands:
sudo sed -i 's/#User=codedeploy/User=ec2-user/g' /usr/lib/systemd/system/codedeploy-agent.service
sudo systemctl daemon-reload
- To grant the new user ownership of the required directories, run the following commands:
sudo chown ec2-user:ec2-user -R /opt/codedeploy-agent/
sudo chown ec2-user:ec2-user -R /var/log/aws/
Note: Replace ec2-user with the username that you want the CodeDeploy host agent to run as.
- To restart the CodeDeploy agent, run the following command:
sudo service codedeploy-agent start
- To confirm that the agent started with the updated configuration, run the following command:
sudo service codedeploy-agent status
Example output:
The AWS CodeDeploy agent is running as PID ####
- To verify which processes are running and the user that runs them, run the following command:
ps aux | grep codedeploy-agent
Create a launch configuration template and an AWS Auto Scaling group to automate the user change process
Complete the following steps:
- Open the Amazon EC2 console.
- In the navigation pane, choose Launch Configurations.
- Choose Create launch configuration.
- Select the Amazon Linux AMI.
- Choose Next: Configure details.
- For IAM role, choose a preconfigured AWS Identity and Access Management (IAM) role. The role must grant your instance permission to access Amazon Simple Storage Service (Amazon S3) resources.
- Choose Advanced Details.
- In the User data section, enter the commands that install the CodeDeploy agent and then change the agent configuration to use a specific user.
For IMDSv1, use the following script:
#!/bin/bash
REGION=$(curl 169.254.169.254/latest/meta-data/placement/availability-zone/ | sed 's/[a-z]$//')
yum -y update
yum install ruby wget -y
cd /home/ec2-user
wget https://aws-codedeploy-$REGION.s3.amazonaws.com/latest/install
chmod +x ./install
./install auto
service codedeploy-agent stop
#adduser username <--- this is only required if you use a username that does not already exist
sed -i 's/""/"ec2-user"/g' /etc/init.d/codedeploy-agent
sed -i 's/#User=codedeploy/User=ec2-user/g' /usr/lib/systemd/system/codedeploy-agent.service
systemctl daemon-reload
chown ec2-user:ec2-user -R /opt/codedeploy-agent/
chown ec2-user:ec2-user -R /var/log/aws/
service codedeploy-agent start
For IMDSv2, use the following script:
#!/bin/bash
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
REGION=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/availability-zone/ | sed 's/[a-z]$//')
yum -y update
yum install ruby wget -y
cd /home/ec2-user
wget https://aws-codedeploy-$REGION.s3.amazonaws.com/latest/install
chmod +x ./install
./install auto
service codedeploy-agent stop
#adduser username <--- this is only required if you use a username that does not already exist
sed -i 's/""/"ec2-user"/g' /etc/init.d/codedeploy-agent
sed -i 's/#User=codedeploy/User=ec2-user/g' /usr/lib/systemd/system/codedeploy-agent.service
systemctl daemon-reload
chown ec2-user:ec2-user -R /opt/codedeploy-agent/
chown ec2-user:ec2-user -R /var/log/aws/
service codedeploy-agent start
Note: Replace ec2-user with the username that you want the CodeDeploy host agent to run as. The preceding script runs automatically when you launch a new instance that uses the defined launch configuration.
- Complete the remaining steps in the launch wizard. Then, choose Create launch configuration.
- Choose Create an AWS Auto Scaling group using this launch configuration.
- For Group name, enter a name for your Auto Scaling group.
- For Subnet, choose a subnet that allows your instance to access the internet.
- Choose Next: Configure scaling policies, and then choose a policy.
- Complete the rest of the steps in the launch wizard, and then choose Create AWS Auto Scaling group.
Verify that the CodeDeploy agent is installed and is running with the correct user on a new instance
First, confirm that your instance is running. Then, complete the following steps:
- Use SSH to connect to your instance.
- To verify that the CodeDeploy agent is running on the instance, run the following command:
sudo service codedeploy-agent status
Example output:
The AWS CodeDeploy agent is running as PID ####
If the command returns an error, then the CodeDeploy agent isn't installed. Install the CodeDeploy agent, and then repeat this step.
- To verify that the CodeDeploy agent is running as the correct username, run the following command:
ps aux | grep codedeploy-agent
In the output, the first column (USER) shows the user that runs each codedeploy-agent process. Confirm that it matches the username that you configured.
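The two verification steps above can be scripted so that the check is repeatable after each launch. The following script is an added example and isn't part of the AWS article: it reads the User= line from the unit file path and the ps aux output that the preceding steps use, and it carries constructed sample unit text and process lines so that the logic can be exercised without an instance. Run it with --live on the instance to check the real unit file and process table.

```shell
#!/bin/bash
# Added example (not from the AWS article): verify the CodeDeploy agent's effective user.
# The expected user and the unit file path are the ones the article uses; override
# EXPECTED_USER if you chose a different username.
set -u
EXPECTED_USER="${EXPECTED_USER:-ec2-user}"

# Print the User= value from systemd unit text on stdin.
# Prints nothing if the line is still commented out (#User=codedeploy) or absent.
unit_user() {
  sed -n 's/^[[:space:]]*User=\(.*\)$/\1/p' | head -n 1
}

# Given ps aux-style lines on stdin, print the USER column of every
# codedeploy-agent process that is NOT the expected user. The agent runs a
# master and a worker process, so every matching line must agree.
unexpected_agent_users() {
  awk -v want="$1" '/codedeploy-agent/ && $1 != want { print $1 }'
}

# Return 0 only if the unit file and the process table both show the expected user.
verify() {
  expected="$1"; unit_text="$2"; ps_text="$3"
  configured="$(printf '%s\n' "$unit_text" | unit_user)"
  [ "$configured" = "$expected" ] || return 1
  bad="$(printf '%s\n' "$ps_text" | unexpected_agent_users "$expected")"
  [ -z "$bad" ]
}

# Constructed sample data standing in for the real unit file and ps output.
SAMPLE_UNIT_OK="$(printf '[Service]\nUser=ec2-user\nExecStart=/opt/codedeploy-agent/bin/codedeploy-agent start\n')"
SAMPLE_UNIT_DEFAULT="$(printf '[Service]\n#User=codedeploy\nExecStart=/opt/codedeploy-agent/bin/codedeploy-agent start\n')"
SAMPLE_PS_OK="$(printf 'ec2-user 1200 0.0 1.2 ... codedeploy-agent: master 1200\nec2-user 1205 0.1 3.0 ... codedeploy-agent: CommandPoller of master 1200\n')"
SAMPLE_PS_ROOT="$(printf 'root 1200 0.0 1.2 ... codedeploy-agent: master 1200\nroot 1205 0.1 3.0 ... codedeploy-agent: CommandPoller of master 1200\n')"

if [ "${1:-}" = "--live" ]; then
  # Check this instance using the unit path and the ps command from the article.
  if verify "$EXPECTED_USER" "$(cat /usr/lib/systemd/system/codedeploy-agent.service)" "$(ps aux)"; then
    echo "codedeploy-agent runs as $EXPECTED_USER"
  else
    echo "codedeploy-agent is NOT running as $EXPECTED_USER" >&2
    exit 1
  fi
fi
```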