Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Way to Remove/Deploy Files below/to Windows\System32 when using CodeDeploy

0

Hello,

Situation

  1. I use a 3rd-party software(LINQPad) with my program(service).
  2. It needs an appropriate driver (user-developed)assembly inside local application data folders.
  3. I am using AWS CodeDeploy to check whether my service gets deployed and works well.
  4. As I run my service as Local System, LINQPad searchs drivers on service local application data below Windows\System32.
  5. I need to update the service and the driver every time I newly build them using CI pipeline.
  6. So I wrote a line on my powershell script: [Remove-Item "C:\Windows\System32\config\systemprofile\appdata\local...." -force -recurse], to make sure that previous driver files are removed.
  7. This line does not make any error, but the folder is not removed.
  8. So I modify my appspec file by writing 'file_exists_behavior: OVERWRITE' to force copy.
  9. The codedeploy agent log tells me it succeeded to make subdiretories and copy files, but nothing changed for the folder.
  10. Unrestricted or Bypass Execution Policy did not work. No other powershell profile is set.

Main Question

  1. I think it is permission issue for codedeploy agent, am I right? If then, is there any way to give the agent permission for cleaning the target folder?
  2. Or, do I use CodeDeploy in bad manner?

Problem Environment

  1. AWS EC2 - Windows Server 2022 Datacenter with CodeDeploy Agent 1.6.0.49
  2. OnPremise - Windows Server 2025 Standard with CodeDeploy Agent 1.7.1.110

Comment

I know people are against dealing with system folders. Nevertheless, I write this question, as I cannot change the 3rd-party architecture on my own.

Please give me any comment for insufficient information. Also please give me a comment if I violated any community terms and conditions. I apologize in advance if I missed relevant questions.

Sincerely.

Topics
DevOpsComputeDeveloper Tools
Tags
AWS CodeDeployWindowsDevOps
Language
English
asked 9 months ago110 views
2 Answers
1
Accepted Answer

When working with CodeDeploy to manage files in sensitive Windows system directories like C:\Windows\System32, you're encountering permission issues because CodeDeploy agent typically runs with restricted permissions for security reasons.

Here are some insights and potential solutions:

  1. Permission Issues: The CodeDeploy agent doesn't have sufficient permissions to modify content in protected system directories like Windows\System32. This is by design to prevent unauthorized modifications to critical system files.

  2. Cleanup Process: During deployments, CodeDeploy uses a cleanup file located at C:\ProgramData\Amazon\CodeDeploy\deployment-instructions\deployment-group-ID-cleanup to remove previously installed files before starting a new deployment. However, this process still operates within the agent's permission boundaries.

  3. File Handling Options: While you've correctly identified the file_exists_behavior: OVERWRITE setting, this only works for locations where the agent has sufficient permissions.

Potential solutions:

  1. Use a Custom Script with Elevated Permissions: Instead of directly trying to modify system folders through CodeDeploy, create a deployment script that:
  • Registers as a scheduled task that runs with SYSTEM privileges
  • Performs the necessary file operations
  • Can be triggered by your deployment

  1. Alternative Deployment Location: Consider deploying to a non-system location first, then use a script running with appropriate permissions to copy files to the restricted location.

  2. Service Configuration: If possible, reconfigure your service to look for the driver in a different, more accessible location rather than modifying system directories.

  3. Pre-deployment Configuration: Set up the necessary permissions or folder structure before deployment, possibly during instance initialization.

Using CodeDeploy to directly manage files in system directories is generally not recommended due to these security constraints. A hybrid approach using CodeDeploy for application deployment and custom scripts with appropriate permissions for system modifications is often more effective.
Sources
Redeploy and roll back a deployment with CodeDeploy - AWS CodeDeploy
CodeDeploy automated logs cleanup. | AWS re:Post
AppSpec 'files' section (EC2/On-Premises deployments only) - AWS CodeDeploy

answered 9 months ago
0

In fact, I was able to easily bypass the problem using Windows Task Scheduler. Thank AWS for wonderful auto-generated answer.

answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content