How to create auto scaling group using CodePipeline

0

I have a feeling this is the best place to ask this question ...

I have a CodePipeline which acts when a template file in CodeCommit is changed. I've added the configuration for an auto scaling group (ASG) to the template.

The CodePipeline triggers and tries to create the ASG - but the step fails with the message
'API: autoscaling:CreateAutoScalingGroup You are not authorized to use launch template: lt-04f15......'.

Does anyone know which policy I need to add to which Role to get this to work?

Thanks,
Kevin

asked 4 years ago · 143 views
1 Answer
0

The problem I had occurred when using a CodePipeline to respond to changes in the stack template which is stored in CodeCommit. A couple of stages were CloudFormation stages and the role I'd created for these stages did not have enough permissions. Here's the workflow and fix in more detail:

  • We have a CodePipeline which looks for changes to the test/prod environment template which is stored in CodeCommit.
  • When changes are made the CodePipeline is triggered and the changes are propagated. The CodePipeline runs with the service role:
    AWSCodePipelineServiceRole-Xxxx2019WebAppEnvDeployToProd.
  • However - there are two stages in the pipeline which create stack change sets - these are CloudFormation stages - and they run with their own role - CustomCloudFormationPowerUser. This role was created manually and includes the PowerUserAccess policy.
  • However, the PowerUserAccess policy does not allow for the creation of auto scaling groups which use Launch Templates.
  • To enable the role to be able to use ASGs and LTs, a copy of the AutoScalingServiceRolePolicy policy was made and named CustomAutoScalingServiceRolePolicy - and this copy policy was added to the CustomCloudFormationPowerUser role. (The AutoScalingServiceRolePolicy cannot be used directly as it is a service policy.)
  • This means that when the pipeline runs and it runs the CloudFormation section it will be able to create the stack and create/update ASGs.
  • As a side note the stack will have this role assigned to it after creation/updates.
answered 4 years ago
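
The following is an added example, not part of the original answer and not AWS code: a small action-only policy evaluator showing how a policy shaped like PowerUserAccess (an Allow with a `NotAction` that excludes `iam:*`) can leave the CloudFormation role without `iam:PassRole`, and how a narrow add-on statement closes that gap without copying a whole service-role policy. The policy documents, the account ID, the role name and the list of needed actions are constructed assumptions (the list assumes the launch template references an instance profile); Resource and Condition matching is not modelled.

```python
import fnmatch

# Constructed, simplified policy in the shape of PowerUserAccess (assumption).
POWER_USER_LIKE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*", "account:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:CreateServiceLinkedRole", "iam:ListRoles"], "Resource": "*"},
]}

# Hypothetical narrow add-on: pass one instance role, and only to EC2.
PASS_ROLE_ADDON = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": "arn:aws:iam::111122223333:role/ExampleInstanceRole",  # placeholder ARN
    "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
}]}

# Assumed set of actions the CloudFormation role needs to create an ASG
# from a launch template that names an instance profile.
NEEDED = ["autoscaling:CreateAutoScalingGroup", "ec2:RunInstances",
          "ec2:CreateTags", "iam:PassRole"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def statement_covers(stmt, action):
    if "Action" in stmt:
        return _matches(stmt["Action"], action)
    if "NotAction" in stmt:  # covers everything except the listed actions
        return not _matches(stmt["NotAction"], action)
    return False

def is_allowed(policies, action):
    """Action-only check: an explicit Deny wins, otherwise any Allow suffices."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if statement_covers(stmt, action):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

def missing_actions(policies, needed=NEEDED):
    return [a for a in needed if not is_allowed(policies, a)]

if __name__ == "__main__":
    print("PowerUser-like only:", missing_actions([POWER_USER_LIKE]))
    print("With PassRole add-on:", missing_actions([POWER_USER_LIKE, PASS_ROLE_ADDON]))
```
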
