
AWS CodeDeploy: Service role Cannot assume role provided

I'm trying to set up CodeDeploy with my GitHub and I've run into an issue.

I've created a service role as described in the documentation, with the AWSCodeDeployRole policy.

During the CodeDeploy Application creation process I got this error:

Cannot assume role provided.

As I can see, my role with AWSCodeDeployRole has a lot of autoscaling permissions, which is not what I expected:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CompleteLifecycleAction",
        "autoscaling:DeleteLifecycleHook",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:PutLifecycleHook",
        "autoscaling:RecordLifecycleActionHeartbeat",
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:EnableMetricsCollection",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribePolicies",
        "autoscaling:DescribeScheduledActions",
        "autoscaling:DescribeNotificationConfigurations",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "autoscaling:AttachLoadBalancers",
        "autoscaling:PutScalingPolicy",
        "autoscaling:PutScheduledUpdateGroupAction",
        "autoscaling:PutNotificationConfiguration",
        "autoscaling:PutLifecycleHook",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DeleteAutoScalingGroup",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:TerminateInstances",
        "tag:GetTags",
        "tag:GetResources",
        "sns:Publish",
        "cloudwatch:DescribeAlarms",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
      ],
      "Resource": "*"
    }
  ]
}

During some googling, I found that a CodeDeploy application may expect something similar to:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codedeploy.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

But when I try to create this policy manually, it also fails with the error:

This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies.

So, what is the expected service role for a CodeDeploy Application?

Btw, CodeDeploy is running on my EC2 instance.

smart asked Jun 17 '17 09:06


1 Answer

Well, according to @Michael's comment, I found some differences in the Trust relationships policy for my service role.

It looks like the default AWSCodeDeployRole can't handle it properly for CodeDeploy.

To fix this issue I replaced "Service": [ "ec2.amazonaws.com" ] with "Service": [ "codedeploy.amazonaws.com" ] in the role's trust relationship.

And it works!

smart answered Sep 29 '22 15:09
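The two errors in the question come from the same confusion: "Cannot assume role provided" means the role's trust policy (the Trust relationships tab) names ec2.amazonaws.com rather than codedeploy.amazonaws.com, and "Has prohibited field Principal" is what IAM says when a trust policy is pasted into the Policies screen, where a Principal element is not allowed. The following is an added example, not code from the question or the answer above: a small offline checker that reports which service principals a trust policy lets assume a role, tells a trust document from an identity document, and builds the trust policy the answer describes. It optionally adds an aws:SourceAccount condition so the role can only be assumed by CodeDeploy acting for one account (AWS's documented cross-service confused-deputy mitigation). The EC2_TRUST_POLICY document and the account id 123456789012 are constructed sample values.

```python
"""Check and build a CodeDeploy service-role trust policy (added example)."""
import json

CODEDEPLOY_SERVICE = "codedeploy.amazonaws.com"
ASSUME_ACTIONS = {"sts:AssumeRole"}


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def service_principals(trust_policy):
    """Return the service principals an Allow statement lets call sts:AssumeRole.

    A bare "*" Principal is returned as "*" so callers can flag it as too broad.
    """
    allowed = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not ASSUME_ACTIONS & set(_as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            allowed.add("*")
        elif isinstance(principal, dict):
            allowed.update(_as_list(principal.get("Service")))
    return allowed


def can_codedeploy_assume(trust_policy):
    """True when the CodeDeploy service principal is trusted by the role."""
    principals = service_principals(trust_policy)
    return CODEDEPLOY_SERVICE in principals or "*" in principals


def document_kind(doc):
    """Classify a policy document as 'trust' or 'identity'.

    A Principal (or NotPrincipal) element is what makes a document a trust
    policy; submitting one as an identity policy triggers IAM's
    'Has prohibited field Principal' error.
    """
    has_principal = any("Principal" in s or "NotPrincipal" in s
                        for s in _as_list(doc.get("Statement")))
    return "trust" if has_principal else "identity"


def codedeploy_trust_policy(source_account=None):
    """Build the trust policy from the answer: trust codedeploy.amazonaws.com.

    When source_account is given, an aws:SourceAccount condition restricts the
    role to CodeDeploy acting on behalf of that account (confused-deputy guard).
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"Service": CODEDEPLOY_SERVICE},
        "Action": "sts:AssumeRole",
    }
    if source_account:
        statement["Condition"] = {"StringEquals": {"aws:SourceAccount": source_account}}
    return {"Version": "2012-10-17", "Statement": [statement]}


# Constructed sample: the trust policy a role created for EC2 carries. This is
# the shape the question's role had, so CodeDeploy could not assume it.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["ec2.amazonaws.com"]},
        "Action": "sts:AssumeRole",
    }],
}

if __name__ == "__main__":
    fixed = codedeploy_trust_policy("123456789012")  # constructed account id
    for name, doc in (("ec2 role", EC2_TRUST_POLICY), ("fixed role", fixed)):
        print(f"{name}: kind={document_kind(doc)} "
              f"trusts={sorted(service_principals(doc))} "
              f"codedeploy_can_assume={can_codedeploy_assume(doc)}")
    print(json.dumps(fixed, indent=2))
```

The output of codedeploy_trust_policy() is what belongs in the role's Trust relationships tab (or in the assume-role policy document when the role is created from the CLI); the AWSCodeDeployRole managed policy from the question stays attached as the role's permissions policy.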