1

I'm trying to create a deployment group in AWS from the CLI and I'm getting the following error:

An error occurred (AccessDeniedException) when calling the CreateDeploymentGroup
operation: User: <redacted> is not authorized to perform: iam:PassRole on 
resource: arn:aws:codedeploy:us-east-1:<redacted>:<redacted>

The user account I'm doing this from has the AdministratorAccess permission, so I'm stumped as to why the account isn't authorized to do this. How can I fix this?

jeltz

2 Answers

3

You need to set up "Trust relationships" so that CodeDeploy has the privilege to assume the role.

In this link start with step 8 and review your configuration.

CodeDeploy Trust relationships

John Hanley
0

I finally figured out what was going wrong: I wasn't properly specifying a service role. See here for how to do this. Once you create a service role with the needed permissions, you then need to get that role's ARN in order to reference it.

jeltz
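The two answers above combine into one procedure: a role whose trust relationship names CodeDeploy, and that role's ARN passed to the deployment group. The script below is an added example, not code from either answer; the role, application and group names are placeholders, and the `AWSCodeDeployRole` managed policy assumes the EC2/on-premises compute platform.

```shell
#!/bin/sh
# Added example. Role, application and group names are placeholders.
ROLE_NAME="${ROLE_NAME:-ExampleCodeDeployServiceRole}"
APP_NAME="${APP_NAME:-example-app}"
GROUP_NAME="${GROUP_NAME:-example-group}"

# Trust relationship: lets the CodeDeploy service assume the role.
trust_policy() {
  cat <<'JSON'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "codedeploy.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
JSON
}

# --service-role-arn must be an IAM role ARN (arn:aws:iam::<account>:role/<name>).
# The resource in the question's error is an arn:aws:codedeploy:... ARN, not a role.
is_role_arn() {
  printf '%s\n' "$1" | grep -Eq '^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$'
}

create_deployment_group() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)" >/dev/null || return 1
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole || return 1
  role_arn=$(aws iam get-role --role-name "$ROLE_NAME" \
    --query 'Role.Arn' --output text) || return 1
  is_role_arn "$role_arn" || { echo "not an IAM role ARN: $role_arn" >&2; return 1; }
  aws deploy create-deployment-group --application-name "$APP_NAME" \
    --deployment-group-name "$GROUP_NAME" --service-role-arn "$role_arn"
}

# Only touch AWS when explicitly asked to.
if [ "${RUN_AWS:-0}" = "1" ]; then
  create_deployment_group
fi
```

Run it with `RUN_AWS=1` and your own names set in the environment; without that variable it only defines the functions.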