Make deployments work (with CodeDeploy)


Need help. I just installed CodeDeploy on an Ubuntu EC2 instance and set up a pipeline on Bitbucket to trigger deployments. My deployments fail on the first events (ApplicationStop and DownloadBundle). Errors found in codedeploy-agent.aws_wire.log:

[Aws::CodeDeployCommand::Client XXXXXXXXXX 0 retries] poll_host_command(host_identifier:"arn:aws:ec2:eu-west-3:XXXXXXXXXXXX:instance/i-ffffffffffffffff") Aws::CodeDeployCommand::Errors::AccessDeniedException

3 Answers

Hello,

I see there is an "AccessDeniedException" error in there. That can be for a few different reasons. I would recommend checking the following:

  1. Ensure the EC2 you are trying to deploy to has an IAM Role attached with a Policy that allows access to/from Codedeploy.
  2. Ensure the instance you are trying to connect to is in the same region/account as CodeDeploy. If not, add necessary IAM permissions to the Role attached to the EC2.
  3. Ensure the Security Group(s) associated with your EC2 instance allow the needed traffic from CodeDeploy. You can also use VPC Flow Logs to see the traffic flow and check whether it is being blocked somewhere.
  4. If you are using subnet NACLs, ensure they are allowing the appropriate ports/traffic from CodeDeploy as well.

Let me know if this helps!

Cloud_G
answered a year ago

This looks like an issue with the IAM instance profile attached to the EC2 instance (if there is any IAM role attached). Attach an IAM role to the EC2 instance if not already done, and give it the required permissions.

Rishi (AWS)
answered a year ago

Hi guys,

It is without issue. I tried everything but still got the error message.

There is an IAM role attached to the EC2 instance, and the IAM Policy Simulator shows that any HTTPS request from this role to CodeDeploy or CodeDeploy secure host command is allowed.

It's the same with the user group associated with the AWS credentials. The IAM Policy Simulator shows that this user is allowed to access CodeDeploy or CodeDeploy secure host command. The EC2 instance and S3 are in the same region/account, eu-west-3.

Here are the permissions granted.

EC2 instance role:

  • AutoScalingFullAccess
  • AmazonEC2RoleforAWSCodeDeploy
  • AmazonS3FullAccess
  • AWSCodeDeployFullAccess
  • CodeDeploy Commands Secure

User group:

  • AutoScalingFullAccess
  • AmazonS3FullAccess
  • AWSCodeDeployFullAccess
  • CodeDeploy Commands Secure

CodeDeploy service role:

  • AutoScalingFullAccess
  • AmazonS3FullAccess
  • AWSCodeDeployFullAccess
  • AWSCodeDeployRole

S3 security strategy:

Public access: disabled

{
    "Statement": [
        {
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::storagename/*",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::XXXXXXXXXX:role/ec2_role_name"
                ]
            }
        }
    ]
}

ERROR MSG

starting SSL for codedeploy-commands-secure.eu-west-3.amazonaws.com:443...
SSL established, protocol: TLSv1.2, cipher: XXXXX-RSA-XXXX-GCM-SHA256
<- "POST / HTTP/1.1\r\nContent-Type: application/x-amz-json-1.1\r\nAccept-Encoding: \r\nUser-Agent: aws-sdk-ruby3/3.109.0 ruby/3.0.2 x86_64-linux-gnu aws-sdk-codedeploycommand/1.0.0\r\nX-Amz-Target: CodeDeployCommandService.PollHostCommand\r\nX-Amz-Codedeploy-Agent-Version: OFFICIAL_1.3.2-1902_deb\r\nHost: codedeploy-commands-secure.eu-west-3.amazonaws.com\r\nX-Amz-Date: 20221222T161902Z\r\nX-Amz-Content-Sha256: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\r\nAuthorization: AWS4-HMAC-SHA256 Credential=XXXXXXXXXXXXXXXXXXX/20221222/eu-west-3/codedeploy-commands-secure/aws4_request, SignedHeaders=content-type;host;x-amz-codedeploy-agent-version;x-amz-content-sha256;x-amz-date;x-amz-target, Signature=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\r\nContent-Length: 84\r\nAccept: */*\r\n\r\n"
-> "HTTP/1.1 400 Bad Request\r\n"
-> "x-amzn-RequestId: xxxxxx-xxxxxx-xxxxx-xxxxx-xxxxxxxxxxxxxxxxxxxxx\r\n"
-> "Date: Thu, 22 Dec 2022 16:19:02 GMT\r\n"
-> "Content-Type: application/x-amz-json-1.1\r\n"
-> "Content-Length: 34\r\n"
-> "\r\n"
reading 34 bytes...
-> ""
-> "{\"__type\":\"AccessDeniedException\"}"
read 34 bytes
Conn keep-alive
answered a year ago
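The bucket policy quoted in the post above only covers object ARNs (`storagename/*`), and it is worth checking exactly which S3 calls such a statement grants before ruling S3 out. The following is an added example, not code from the thread or from AWS: a minimal IAM-style evaluator (Allow/explicit Deny with `*` and `?` wildcards, no Condition support) run against that policy; the bucket key name and the role ARN placeholder are constructed.

```python
import fnmatch
import json

# Constructed sample: the bucket policy quoted in the thread (ids redacted).
BUCKET_POLICY = json.loads("""
{"Statement": [{"Action": ["s3:Get*", "s3:List*", "s3:PutObject"],
  "Effect": "Allow", "Resource": "arn:aws:s3:::storagename/*",
  "Principal": {"AWS": ["arn:aws:iam::XXXXXXXXXX:role/ec2_role_name"]}}]}
""")
ROLE = "arn:aws:iam::XXXXXXXXXX:role/ec2_role_name"  # placeholder from the thread

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value, fold_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' a single one;
    # fnmatch also treats '[' specially, so escape it to keep IAM semantics.
    patterns = _as_list(patterns)
    if fold_case:  # action names are matched case-insensitively
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p.replace("[", "[[]")) for p in patterns)

def evaluate(policy, principal, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny'; Condition blocks
    and identity-based policies are out of scope for this example."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        principals = stmt.get("Principal", "*")
        if isinstance(principals, dict):
            principals = principals.get("AWS", [])
        if not _matches(principals, principal):
            continue
        if not _matches(stmt["Action"], action, fold_case=True):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision

def check_bundle_download(policy=BUCKET_POLICY, role=ROLE,
                          bucket="storagename", key="app/bundle.zip"):
    """Evaluate the S3 calls a bundle download needs (key name is constructed)."""
    obj, bkt = f"arn:aws:s3:::{bucket}/{key}", f"arn:aws:s3:::{bucket}"
    return {
        "s3:GetObject": evaluate(policy, role, "s3:GetObject", obj),
        "s3:GetObjectVersion": evaluate(policy, role, "s3:GetObjectVersion", obj),
        # ListBucket is authorised against the bucket ARN, which 'storagename/*' does not match.
        "s3:ListBucket": evaluate(policy, role, "s3:ListBucket", bkt),
    }
```

Note that the AccessDeniedException in the wire log above is returned by the codedeploy-commands-secure endpoint for PollHostCommand, which a bucket policy does not govern; the evaluator only shows which S3 calls the quoted statement does and does not cover.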
