 

Bitbucket integration with AWS CodeDeploy Roles Trust Relationship Error

I am trying to deploy my sampleApplication code via AWS CodeDeploy for Bitbucket

I have used this tutorial and followed all the steps. The trust relationship for the role looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::accountId:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "connectionId"
        }
      }
    }
  ]
}

While creating a deployment group I get a 'can't assume role' error when I select the above role as the Service role ARN*. I tried this trust relationship instead:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ec2.amazonaws.com",
          "codedeploy.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

But when I add the above trust relationship I can create the deployment group, but then the AWS integration on Bitbucket doesn't work and throws an error asking me to add sufficient permissions.

Parth Mahida asked Aug 05 '17 04:08


1 Answer

Neither of your posted roles has been given permission to CodeCommit or S3.

As per the tutorial you linked, you must provide access to CodeCommit and S3. These are likely the permissions you are missing:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListAllMyBuckets", "s3:PutObject"],
        "Resource": "arn:aws:s3:::*"
    }, {
        "Effect": "Allow",
        "Action": ["codedeploy:*"],
        "Resource": "*"
    }]
}
Milk answered Oct 21 '22 04:10
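The two errors in the question come from different policy types: "can't assume role" is decided by the role's trust policy (who may call sts:AssumeRole), while the permissions policy in the answer decides what the role may do after it has been assumed. The following is an added example, not code from the question, the answer or the linked tutorial: a small Python evaluator that replays the AssumeRole decision for the two trust policies posted above and for a combined policy carrying both statements. It models only the features those policies use (Allow statements, AWS and Service principals, and a StringEquals condition on sts:ExternalId); Deny statements, wildcards and other condition keys are deliberately out of scope. The account ID, the external ID and the combined policy are assumptions made for illustration, not values or advice from the page.

```python
# Added example (not from the question, the answer or the linked tutorial):
# a minimal evaluator for the sts:AssumeRole decision of an IAM trust policy.
# Models only Allow statements, AWS/Service principals and the StringEquals
# condition on sts:ExternalId. Deny, wildcards and other condition keys are
# not modelled, so this is a teaching aid, not a replacement for IAM.

# Assumed placeholder values standing in for the question's accountId and
# connectionId placeholders.
ACCOUNT_ID = "123456789012"        # assumed: AWS account used by the integration
CONNECTION_ID = "connectionId"     # assumed: external ID issued by the integration
BITBUCKET_PRINCIPAL = {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"}
CODEDEPLOY_PRINCIPAL = {"Service": "codedeploy.amazonaws.com"}

# Statement from the first trust policy in the question: a cross-account
# principal that must also present the agreed external ID.
BITBUCKET_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": CONNECTION_ID}},
}

# Statement from the second trust policy in the question: AWS service principals.
CODEDEPLOY_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"Service": ["ec2.amazonaws.com", "codedeploy.amazonaws.com"]},
    "Action": "sts:AssumeRole",
}

BITBUCKET_TRUST = {"Version": "2012-10-17", "Statement": [BITBUCKET_STATEMENT]}
CODEDEPLOY_TRUST = {"Version": "2012-10-17", "Statement": [CODEDEPLOY_STATEMENT]}
# A trust policy may contain several statements. This merged policy is an
# assumed illustration of that fact, not a recommendation taken from the page.
COMBINED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [BITBUCKET_STATEMENT, CODEDEPLOY_STATEMENT],
}


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def can_assume(trust_policy, principal, external_id=None):
    """Return True if `principal` would be allowed sts:AssumeRole.

    principal:   {"AWS": "<arn>"} or {"Service": "<service principal>"}.
    external_id: the ExternalId the caller passed, or None. AWS service
                 principals such as codedeploy.amazonaws.com never pass one,
                 so any statement requiring sts:ExternalId can't match them.
    """
    (ptype, pvalue), = principal.items()
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        allowed = _as_list(stmt.get("Principal", {}).get(ptype, []))
        if pvalue not in allowed:
            continue  # this statement trusts a different principal type/value
        required = (stmt.get("Condition", {})
                        .get("StringEquals", {})
                        .get("sts:ExternalId"))
        if required is not None and external_id != required:
            continue  # external ID missing or wrong: confused-deputy guard holds
        return True
    return False


def explain(trust_policy):
    """Summarise which of the relevant callers could assume the role."""
    return {
        "bitbucket_with_external_id": can_assume(trust_policy, BITBUCKET_PRINCIPAL, CONNECTION_ID),
        "bitbucket_wrong_external_id": can_assume(trust_policy, BITBUCKET_PRINCIPAL, "not-the-id"),
        "codedeploy_service": can_assume(trust_policy, CODEDEPLOY_PRINCIPAL),
    }


if __name__ == "__main__":
    for name, policy in [("bitbucket-only", BITBUCKET_TRUST),
                         ("codedeploy-only", CODEDEPLOY_TRUST),
                         ("combined", COMBINED_TRUST)]:
        print(name, explain(policy))
```

Run stand-alone, the first policy lets the Bitbucket account in (only with the right external ID) but rejects codedeploy.amazonaws.com, which is the "can't assume role" seen when creating the deployment group; the second policy does the reverse, so the Bitbucket side can no longer assume the role at all, whatever permissions policy is attached. The ExternalId condition is what stops another customer of the same integration from pointing it at your role, so it should stay on the cross-account statement even when the service-principal statement is added alongside it.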