What IAM permissions are required for a CodeDeploy Deployment Group?


I'm trying to configure Blue/Green deployment for EC2 but I don't know what IAM permissions are required. When creating a deployment group you have to assign a "Service Role"; the CodeDeploy console just says:

Enter a service role with CodeDeploy permissions that grants AWS CodeDeploy access to your target instances.

Not very helpful. I was able to get it working by providing ALL access to "EC2" but that seems much too broad:

"deployer": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "ManagedPolicyArns": [
      "arn:aws:iam::aws:policy/AWSCodeDeployDeployerAccess",
      "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole",
      "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforAWSCodeDeploy"
    ],
    "Policies": [
      {
        "PolicyName": "AllowBlueGreen",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            { "Effect": "Allow", 
              "Resource": "*", 
              "Action": [ "ec2:*", "iam:PassRole" ]
            }
          ]
        }
      }
    ],
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "codedeploy.amazonaws.com"}, "Action": "sts:AssumeRole"}
      ]
    }
  }
}

When the deploy fails, the only clue I get is a vague error message from CodeDeploy:

The IAM role arn:aws:iam::111111111111:role/deployer-ABCDEFGHIJK does not give you permission to perform operations in the following AWS service: AmazonAutoScaling.

and this snippet in CloudTrail:

....
    "eventSource": "ec2.amazonaws.com",
    "eventName": "RunInstances",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "codedeploy.amazonaws.com",
    "userAgent": "codedeploy.amazonaws.com",
    "errorCode": "Client.UnauthorizedOperation",
    "errorMessage": "You are not authorized to perform this operation. Encoded authorization failure message: AAAABBBBCCC. ..."
....

I found a similar question in re:Post and tried that solution but I get the same error message. Of course that question was from 5 years ago so maybe something has changed since then.

Is there a resource somewhere that lists the EXACT permissions that CodeDeploy requires for a Blue/Green EC2 deployment group service role?

2 Answers
1
Accepted Answer

Please also set the following custom policy.
https://h2ik.co/2019/02/28/aws-codedeploy-blue-green/

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole",
                "ec2:CreateTags",
                "ec2:RunInstances"
            ],
            "Resource": "*"
        }
    ]
}
EXPERT
answered 6 months ago
  • I can't believe that worked! I was just missing the "ec2:CreateTags" permissions. Why couldn't the error message say something helpful instead of complaining about "AmazonAutoScaling"?!?
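A small least-privilege checker for the point this answer makes, added here as an example (not code from the question or the answer): it takes the inline policy from the question's CloudFormation role, flags wildcard grants such as ec2:*, and reports which of the three actions listed above are not covered. The policy dicts are constructed inline and the audit function and its names are mine.

```python
import fnmatch

# Inline policy from the question's CloudFormation role (constructed here
# for the demo, trimmed to the statement that granted "ec2:*").
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": ["ec2:*", "iam:PassRole"]}
    ],
}

# The same grant tightened to the three actions the accepted answer lists.
TIGHT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iam:PassRole", "ec2:CreateTags", "ec2:RunInstances"]}
    ],
}

# Minimum set for the blue/green deployment group, per the accepted answer.
REQUIRED = ("iam:PassRole", "ec2:CreateTags", "ec2:RunInstances")


def allowed_actions(policy):
    """Yield every action string from the policy's Allow statements."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = stmt["Action"]
        yield from ([actions] if isinstance(actions, str) else actions)


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit(*policies, required=REQUIRED):
    """Return (missing_required, wildcard_grants) across the given policies."""
    allowed = [a for p in policies for a in allowed_actions(p)]
    missing = [r for r in required
               if not any(action_matches(a, r) for a in allowed)]
    wildcards = sorted({a for a in allowed if "*" in a or "?" in a})
    return missing, wildcards


if __name__ == "__main__":
    print("broad:", audit(BROAD_POLICY))   # ([], ['ec2:*'])
    print("tight:", audit(TIGHT_POLICY))   # ([], [])
```

Running it against a policy that omits ec2:CreateTags reproduces the asker's situation: the required-action list comes back non-empty even though no wildcard is present.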

1

Hello.

Try setting the IAM managed policy below.
This IAM policy is a CodeDeploy IAM policy that includes policies related to creation such as AutoScaling.
By the way, "iam:PassRole" is not included in the policy below, so when setting an IAM policy, please include it as a custom policy.
https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCodeDeployRole.html

EXPERT
answered 6 months ago
  • Ah, that's a good suggestion. However, my role already includes several Managed Policies, including that one. I've updated my question with the full IAM Role from CloudFormation.

  • I think if you send a message using feedback from the AWS documentation, there is a possibility that they will respond.
