Slartibartfast

Reputation: 611

Unable to create application in AWS because I do not have the "codedeploy:CreateApplication" action

I'm following Amazon documentation to Create an Amazon EC2 instance for CodeDeploy, but am getting an AccessDeniedException when I attempt to run aws deploy create-application ... with the error "no identity-based policy allows the codedeploy:CreateApplication action".

The process is complicated, and I'm having trouble getting my head around it all, but in step 3 we create a "Permission Set" in the "AWS IAM Identity Center" and set an "Inline policy" that contains:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CodeDeployAccessPolicy",
      "Effect": "Allow",
      "Action": [
          .
          .
          .
        "codedeploy:*",
          .
          .
          .
      ],
      "Resource": "*"
    },
    {
      "Sid": "CodeDeployRolePolicy",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::account-ID:role/CodeDeployServiceRole"
    }
  ]
}

And replace arn:aws:iam::account-ID:role/CodeDeployServiceRole with the value for a service role we created before, and this permission set is then bound to the CodeDeploy administrative user.

In step 4 we then Create an IAM instance profile in the "IAM console" (not to be confused with the "IAM Identity Center console" from the previous step) and specify the profile as:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Then we create an "EC2 Role" and assign it the Permission Set we just created, along with the additional policy "AmazonSSMManagedInstanceCore".

We then start a new instance and assign the IAM role just created to that instance, then SSH into it and install the CodeDeploy agent.

One thing the instructions say here is that when you sign in you should be presented with the banner:


       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|
        

However I see:

   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'

But I assume that isn't important.

We then prepare the files for the deploy in another step 2, create and set permissions for an S3 bucket in another step 3, and finally run the failing command:

aws deploy create-application --application-name WordPress_App

Specifically it fails with the message:

An error occurred (AccessDeniedException) when calling the CreateApplication operation: User: arn:aws:sts::####:assumed-role/CodeDeployDemo-EC2-Instance-Profile/i-#### is not authorized to perform: codedeploy:CreateApplication on resource: arn:aws:codedeploy:ap-southeast-2:####:application:WordPress_App because no identity-based policy allows the codedeploy:CreateApplication action

It's probably worth noting that the codedeploy-agent is running:

systemctl status codedeploy-agent

returns: Active: active (running) since...

and that the command: aws s3 ls does indeed return the S3 bucket I made.

I have been working on this issue for 2 days now and just can't find what the problem is. Any help you can provide would be greatly appreciated.

Thank you.

Upvotes: 0

Views: 21
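The AccessDeniedException quoted in the question names the principal the CLI actually ran as (an assumed-role session for CodeDeployDemo-EC2-Instance-Profile on the instance, not the Identity Center user the permission set is bound to), so the first thing to check is whether that principal's own policy document covers the action. The script below is an added example written for this page, not code from the question or from AWS: it parses the quoted error message, pulls out the role name, action and resource, and evaluates the two policy documents quoted above against them. The evaluator is a deliberate simplification (no Condition, NotAction/NotResource, service control policy or permission-boundary handling, which is an assumption that none of those apply here), and the "####" and "account-ID" placeholders are kept exactly as they appear in the question.

```python
# Added example (not from the question or from AWS): offline triage helper that
# extracts principal/action/resource from an AccessDeniedException message and
# evaluates an identity-based policy document against them.
import fnmatch
import json
import re

# Constructed input: the error message quoted in the question (placeholders kept).
ERROR_MESSAGE = (
    "An error occurred (AccessDeniedException) when calling the CreateApplication "
    "operation: User: arn:aws:sts::####:assumed-role/CodeDeployDemo-EC2-Instance-Profile/i-#### "
    "is not authorized to perform: codedeploy:CreateApplication on resource: "
    "arn:aws:codedeploy:ap-southeast-2:####:application:WordPress_App "
    "because no identity-based policy allows the codedeploy:CreateApplication action"
)

# Constructed input: the instance-profile policy from the question (S3 read only).
INSTANCE_PROFILE_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["s3:Get*", "s3:List*"], "Effect": "Allow", "Resource": "*"}
    ]
}""")

# Constructed input: the statements of the permission set's inline policy that
# the question shows (the elided actions are left out).
PERMISSION_SET_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CodeDeployAccessPolicy", "Effect": "Allow",
         "Action": ["codedeploy:*"], "Resource": "*"},
        {"Sid": "CodeDeployRolePolicy", "Effect": "Allow",
         "Action": ["iam:PassRole"],
         "Resource": "arn:aws:iam::account-ID:role/CodeDeployServiceRole"}
    ]
}""")

_DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+) "
    r"on resource: (?P<resource>\S+)"
)


def parse_access_denied(message):
    """Extract principal ARN, action and resource ARN from an AccessDenied message."""
    m = _DENIED_RE.search(message)
    if m is None:
        raise ValueError("not an IAM AccessDenied message")
    info = m.groupdict()
    # An STS assumed-role ARN looks like ...:assumed-role/<RoleName>/<SessionName>;
    # the role name is what to look up in IAM (the session name here is the instance id).
    parts = info["principal"].split("/")
    info["role_name"] = parts[1] if ":assumed-role" in parts[0] and len(parts) >= 2 else None
    return info


def _as_list(value):
    # Policy elements may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    # IAM wildcards are * and ?; action names are matched case-insensitively.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate(policy, action, resource):
    """Simplified evaluation of one identity-based policy document.

    Returns "Deny" (explicit), "Allow", or "ImplicitDeny". Assumption: Condition,
    NotAction/NotResource, SCPs and permission boundaries are not in play.
    """
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(_iam_match(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit Deny always wins over an Allow
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def diagnose(message, policies):
    """Map each named policy document to its decision for the denied action/resource."""
    info = parse_access_denied(message)
    return {name: evaluate(p, info["action"], info["resource"]) for name, p in policies.items()}


if __name__ == "__main__":
    info = parse_access_denied(ERROR_MESSAGE)
    print("CLI ran as role:", info["role_name"])
    results = diagnose(ERROR_MESSAGE, {
        "instance profile (role attached to the EC2 instance)": INSTANCE_PROFILE_POLICY,
        "Identity Center permission set (bound to the admin user)": PERMISSION_SET_POLICY,
    })
    for name, decision in results.items():
        print(f"{decision:12} <- {name}")
```

Running it prints ImplicitDeny for the instance-profile policy and Allow for the permission set, which matches the error text: the policy that grants codedeploy:* is attached to a different principal than the one the CLI used from inside the instance. Keeping the instance role limited to what the deployed host itself needs (here, S3 read) is the least-privilege shape the tutorial intends; the check above just makes it visible which principal a given credential resolves to before widening anything.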

Answers (0)
