Sasha

Reputation: 8705

AWS Code Deploy - deployment failed

I am trying to set up code deployment using AWS, but when I try to perform a deployment, I am getting this error:

2016-06-08 23:57:11 ERROR [codedeploy-agent(1207)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Cannot reach InstanceService: Aws::CodeDeployCommand::Errors::AccessDeniedException -
2016-06-08 23:58:41 INFO  [codedeploy-agent(1207)]: Version file found in /opt/codedeploy-agent/.version.
2016-06-08 23:58:41 INFO  [codedeploy-agent(1207)]: [Aws::CodeDeployCommand::Client 400 0.055741 0 retries] poll_host_command(host_identifier:"IAM-user-ARN") Aws::CodeDeployCommand::Errors::AccessDeniedException

I have two IAM roles - one for the EC2 instance, and one for the deployment app. The S3 bucket has permission set for the IAM role which is used for deployment:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "XXXXXXXX:role/TestRole"
            },
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "arn:aws:s3:::pmcdeploy/*"
        }
    ]
}

What is going on?

Upvotes: 0

Views: 5008

Answers (4)

Sudhir Dwivedi

Reputation: 41

I deleted /home/ubuntu/.aws and rebooted the codedeploy agent service and it worked for me :-)

Upvotes: 1

binbinlu

Reputation: 426

This is actually related to the order of credential loading. The host agent runs as the root user by default and also uses the instance profile.

The exception occurs when you've set up a root credential, which has priority over the instance profile according to: http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#config-settings-and-precedence

Then the AWS SDK used by the host agent will use the credential configured for the root user instead of the instance profile to configure the requests.

One workaround would be to run the agent as a different user and not configure any credentials for that user.

Upvotes: 1

Florian Heigl

Reputation: 135

We had what I think is the same issue. Our systems had a /root/.aws/credentials in place which CodeDeploy absolutely uses and I found no way of telling it to not do that. Especially no documentation...

In the end, we rewrote everything on our end to ensure we'll no longer need a credentials file in place. From that moment on, CodeDeploy used the instance profile and it was working fine.

Upvotes: 0
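
The check behind the two answers above, as an added example that is not part of the original thread: it lists the static credential sources (environment variable, shared credentials file, config file) that the SDK credential chain resolves before the EC2 instance profile. The function names and the sample home directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: list static AWS credentials that the SDK credential chain
# finds before it falls back to the EC2 instance profile.

# has_static_key FILE -> exit 0 if FILE sets aws_access_key_id in any profile
has_static_key() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*aws_access_key_id[[:space:]]*=' "$1"
}

# shadowing_sources HOME_DIR -> prints one line per source that outranks the
# instance profile; exit status 1 if any was found, 0 if the chain is clean.
shadowing_sources() {
    home_dir=$1
    found=0
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
        echo "env: AWS_ACCESS_KEY_ID is set in this environment"
        found=1
    fi
    for f in "$home_dir/.aws/credentials" "$home_dir/.aws/config"; do
        if has_static_key "$f"; then
            # Print profile names only, never the key material.
            profiles=$(grep -E '^\[' "$f" | tr -d '[]' | tr '\n' ' ')
            echo "file: $f (profiles: $profiles)"
            found=1
        fi
    done
    return "$found"
}

# Demo on a constructed home directory (sample data, not a real key).
demo_home=$(mktemp -d)
mkdir -p "$demo_home/.aws"
printf '[default]\naws_access_key_id = AKIACONSTRUCTEDSAMPLE\naws_secret_access_key = constructed-sample\n' \
    > "$demo_home/.aws/credentials"
if shadowing_sources "$demo_home"; then
    echo "no static credentials: the instance profile will be used"
else
    echo "static credentials above take precedence over the instance profile"
fi
rm -rf "$demo_home"
```

On an instance, call `shadowing_sources /root` as root, since that is the user the agent runs as by default according to the answer above.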

Amartya Datta Gupta

Reputation: 77

Is the error consistent? On looking at the agent code, it seems like the agent might be having trouble talking to EC2. If this is a persistent problem, you can share the EC2 instance profile.

Also, starting the agent with the verbose option enabled gives a lot more information about what's going on.

Thanks

Upvotes: 1
