qarthandso
qarthandso

Reputation: 2188

Simple IAM Issue with CodeDeploy

I'm having an issue with a seemingly trivial task of getting CodeDeploy to deploy Github code to an AutoScaling Group in a Blue/Green Deployment.

I have a Pipeline setup, a Deployment Group setup, and the AutoScaling Group, but it fails when it gets to the actual deployment:

enter image description here


I went to my role and it seems like it has sufficient policies for it to go through with the blue/green deployment:

enter image description here


Is there a policy that I'm not considering that needs to be attached to this role?

Upvotes: 11

Views: 9268

Answers (4)

Dheeraj Kumar
Dheeraj Kumar

Reputation: 1

Create and inline policy with these role and service

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "iam:PassRole",
            "ec2:RunInstances",
            "ec2:CreateTags"
        ],
        "Resource": "*"
    }
]}

and attach it to the role that are attached with deployment group in the blue/green deployment.

Upvotes: 0

pooriyapfn
pooriyapfn

Reputation: 1

After conducting some research, I found that the following IAM policy has worked for me:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sts:GetCallerIdentity",
                "ecr:GetAuthorizationToken",
                "ecr:BatchGetImage",
                "sqs:ListQueues",
                "ec2:DescribeSpotPriceHistory"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },

Upvotes: 0

PeskyGnat
PeskyGnat

Reputation: 2464

I was also getting the error:

"The IAM role does not give you permission to perform operations in the following AWS service: AmazonAutoScaling. Contact your AWS administrator if you need help. If you are an AWS administrator, you can grant permissions to your users or groups by creating IAM policies."

I figured out the 2 permissions needed to get past this error, I created the policy below and attached it to the Code Deploy role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole",
                "ec2:RunInstances",
                "ec2:CreateTags"
            ],
            "Resource": "*"
        }
    ]
}

Upvotes: 16

Claudio Castro
Claudio Castro

Reputation: 539

I found the answer in this link: https://h2ik.co/2019/02/28/aws-codedeploy-blue-green/

Without wanting to take the credit, only one statement was missing from @PeskyGnat :

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole",
                "ec2:CreateTags",
                "ec2:RunInstances"
            ],
            "Resource": "*"
        }
    ]
}

Upvotes: 29

Related Questions