I want to use AWS Systems Manager Parameter Store with my CodeDeploy pipeline, dropping my last commit on Lightsail.
✅ 1. I created an SSM parameter: MySecureString.
The parameter is set to SecureString, with KMS encryption set on the current account and alias/aws/ssm as the key ID.
My SecureString is set to: postgres://user:[email protected]:5432/myDatabase
✅ 2. I created an IAM policy used by the CodeDeploy instance.
I went to IAM and created a JSON policy attached to MySpecificCodeDeployUser:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "ssm:GetParameter"
            ],
            "Resource": [
                "arn:aws:kms:*:<accountID>:key/alias/aws/ssm",
                "arn:aws:ssm:us-east-1:<accountID>:parameter/MySecureString"
            ]
        }
    ]
}
✅ 3. Testing that MySpecificCodeDeployUser can access SSM MySecureString:
I typed aws configure to log in as MySpecificCodeDeployUser and tried to run this command on my local computer:
aws --region=us-east-1 ssm get-parameter --name MySecureString --with-decryption --query Parameter.Value
RETURN ==> "postgres://user:[email protected]:5432/myDatabase"
🆗 Note that removing the IAM policy gives me an Unauthorized request, so the IAM policy is correct.
🔥 4. Adding MySecureString to the script executed by CodeDeploy:
Editing the AfterInstall script of my appspec.yml to add:
aws --region=us-east-1 ssm get-parameter --name MySecureString --with-decryption --query Parameter.Value >> .env
gave me a FAILED build with this stderr:
[stderr] An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:sts::<id>:assumed-role/AmazonLightsailInstanceRole/<id> is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:<id>:parameter/MySecureString
I saw that Lightsail instances inherit the service-linked role AWSServiceRoleForLightsail, from https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-service-linked-roles.
Is there a way to add a new policy to my Lightsail instance, given that it doesn't seem to be the CodeDeploy user that needs it?
Sadly, you can't do this. To enable your applications on the Lightsail instance to interact with AWS services, you have to do it yourself, by setting up .aws credentials and having your app use them (done automatically if you use the AWS SDK).
Lightsail instances don't support user-based instance roles. For that you need a regular EC2 instance, as explained in:
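A hook script in the spirit of the answer above, added here as an example (it is not code from the question or the answer): it makes the credential source explicit through a ~/.aws profile on the instance, logs which principal the hook actually runs as (the mismatch behind the AccessDeniedException in the question), and writes the decrypted value into .env readable only by its owner. The profile name deploy, the variable name DATABASE_URL and the file name fetch_env.sh are assumptions.

```bash
#!/usr/bin/env bash
# Added example; assumes AWS CLI v2, a ~/.aws profile named "deploy" (assumed name)
# set up on the instance as the answer describes, and the question's parameter
# MySecureString in us-east-1. DATABASE_URL is an assumed variable name.
set -eu

PARAM_NAME="${PARAM_NAME:-MySecureString}"
REGION="${AWS_REGION:-us-east-1}"
PROFILE="${AWS_PROFILE:-deploy}"

# Print the principal the hook really runs as. In the question it was the
# Lightsail instance role, not MySpecificCodeDeployUser, which is exactly the
# mismatch behind the AccessDeniedException; logging it first makes that visible.
whoami_aws() {
  aws --profile "$PROFILE" --region "$REGION" sts get-caller-identity \
      --query Arn --output text
}

# Fetch the decrypted value as plain text. With --query alone (as in the
# question's hook) the CLI prints a JSON-quoted string, quotes included.
fetch_param() {  # $1 = parameter name
  aws --profile "$PROFILE" --region "$REGION" ssm get-parameter \
      --name "$1" --with-decryption --query Parameter.Value --output text
}

# Write KEY=value into an env file readable only by its owner, replacing any
# earlier line for the same key rather than appending a second copy.
write_env() {  # $1 = env file, $2 = key, $3 = value
  local file="$1" key="$2" value="$3" tmp
  tmp="$(umask 077; mktemp "${file}.XXXXXX")"
  if [ -f "$file" ]; then
    grep -v "^${key}=" "$file" > "$tmp" || true
  fi
  printf '%s=%s\n' "$key" "$value" >> "$tmp"
  chmod 600 "$tmp"
  mv "$tmp" "$file"
}

# Read one key back from the env file (used to verify the write).
read_env() {  # $1 = env file, $2 = key
  sed -n "s/^$2=//p" "$1"
}

main() {
  echo "Hook runs as: $(whoami_aws)"
  write_env .env DATABASE_URL "$(fetch_param "$PARAM_NAME")"
}
# The AfterInstall hook invokes this as: bash fetch_env.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

The identity line in the deployment log tells you immediately whether the hook picked up the profile or fell back to the instance role.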