
I'm trying to set up CodeDeploy with my GitHub and I've run into an issue.

I've created a service role as mentioned in the documentation, with the AWSCodeDeployRole policy.

During the CodeDeploy application creation process I got this error:

Cannot assume role provided.

As I can see, my role with AWSCodeDeployRole has a lot of autoscaling permissions, but that's not what I expected:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CompleteLifecycleAction",
        "autoscaling:DeleteLifecycleHook",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:PutLifecycleHook",
        "autoscaling:RecordLifecycleActionHeartbeat",
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:EnableMetricsCollection",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribePolicies",
        "autoscaling:DescribeScheduledActions",
        "autoscaling:DescribeNotificationConfigurations",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "autoscaling:AttachLoadBalancers",
        "autoscaling:PutScalingPolicy",
        "autoscaling:PutScheduledUpdateGroupAction",
        "autoscaling:PutNotificationConfiguration",
        "autoscaling:PutLifecycleHook",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DeleteAutoScalingGroup",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:TerminateInstances",
        "tag:GetTags",
        "tag:GetResources",
        "sns:Publish",
        "cloudwatch:DescribeAlarms",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
      ],
      "Resource": "*"
    }
  ]
}

While googling, I found that a CodeDeploy application may expect something similar to:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codedeploy.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

But when I try to create this policy manually it also fails with the error:

This policy contains the following error: Has prohibited field Principal. For more information about the IAM policy grammar, see AWS IAM Policies.

So, what is the expected service role for a CodeDeploy application?

Btw, CodeDeploy is running on my EC2 instance.

– smart

  • I believe you're confusing the permissions policy with the [trust relationships policy](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html). They're both policies, with similar syntax, but their purposes are different: the former specifies what actions the role allows or denies (e.g. the autoscaling actions) and the latter specifies which entities (principals) can assume the role (e.g. the `codedeploy.amazonaws.com` service principal). – Michael - sqlbot Jun 17 '17 at 16:57
  • Well, the Trust relationships for my `Service role` look like: `{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }` – smart Jun 17 '17 at 17:02
  • Do you see the similarity between this and the policy you found during your googling? `codedeploy` vs. `ec2`? – Michael - sqlbot Jun 17 '17 at 17:08
  • @Michael-sqlbot you may post your suggestion and I'll accept it. I'm removing my answer first. – smart Jun 17 '17 at 17:12
  • Thanks. I'll do that. – Michael - sqlbot Jun 17 '17 at 17:18

3 Answers

Well, following @Michael's comment, I found some differences in the Trust relationships policy for my Service role.

It looks like the default AWSCodeDeployRole can't handle it properly for CodeDeploy.

To fix this issue I replaced "Service": [ "ec2.amazonaws.com" ] with "Service": [ "codedeploy.amazonaws.com" ]

And it works!

– smart

For those who find this via Google: in my CloudFormation templates, I formatted the ARN wrong, and the error wasn't descriptive.

Roles need to be specified this way: arn:aws:iam::1234567890:role/CodeDeployRole. NOTE: :role/ and not :instance-profile/

The error is exactly as above, that it can't assume the role, though it's because you specified it wrong.

– B Fish

I was following the tutorial but it didn't mention that you have to edit the Trust Relationship for the service role. I got the same error as mentioned until I changed the below.

I changed

    "Service": "codebuild.amazonaws.com"

To

    "Service": [
      "codedeploy.amazonaws.com",
      "codebuild.amazonaws.com"
    ]
– Morgan
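The three mistakes in this thread (a permissions policy taken for a trust policy, a trust policy that names ec2.amazonaws.com instead of codedeploy.amazonaws.com, and an instance-profile ARN where CloudFormation wants a role ARN) can all be caught before you click Create. The script below is an added example written for this page, not code from the question, any answer or AWS. The policy documents and ARNs in it are constructed for the example, and the function names (policy_kind, trusted_services, add_codedeploy_trust, check_service_role_arn), the role name CodeDeployRole and the account ID are this example's own placeholders. A real trust policy to feed it comes from `aws iam get-role --role-name CodeDeployRole --query Role.AssumeRolePolicyDocument`.

```python
"""Preflight checks for a CodeDeploy service role (added example).

Sample documents are constructed; the real trust policy of a role is
returned by:  aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument
"""
import copy
import json
import re

CODEDEPLOY_SERVICE = "codedeploy.amazonaws.com"

# Constructed: the trust policy the question started with (an EC2 instance role).
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Constructed: an identity-based (permissions) policy.  It has no Principal;
# adding one is exactly what IAM rejects with "Has prohibited field Principal".
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["autoscaling:DescribeAutoScalingGroups", "ec2:DescribeInstances"],
                   "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts a bare string or a list in Statement, Action and Service."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def policy_kind(doc):
    """'trust' if any statement names a Principal (a trust/resource policy),
    otherwise 'identity' (a permissions policy such as AWSCodeDeployRole)."""
    if any("Principal" in s for s in _as_list(doc.get("Statement"))):
        return "trust"
    return "identity"


def trusted_services(doc):
    """Service principals that an Allow statement lets call sts:AssumeRole."""
    services = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service")))
    return services


def allows_codedeploy(doc):
    """True when CodeDeploy itself can assume the role, which is what the
    console checks before it says "Cannot assume role provided"."""
    return CODEDEPLOY_SERVICE in trusted_services(doc)


def add_codedeploy_trust(doc):
    """Return a copy of the trust policy that also trusts CodeDeploy.
    Existing service principals are kept (the codebuild + codedeploy shape
    of the third answer); the input document is not modified."""
    fixed = copy.deepcopy(doc)
    fixed["Statement"] = _as_list(fixed.get("Statement"))
    if allows_codedeploy(fixed):
        return fixed
    for stmt in fixed["Statement"]:
        principal = stmt.get("Principal")
        if (stmt.get("Effect") == "Allow"
                and "sts:AssumeRole" in _as_list(stmt.get("Action"))
                and isinstance(principal, dict)):
            principal["Service"] = _as_list(principal.get("Service")) + [CODEDEPLOY_SERVICE]
            return fixed
    # No usable AssumeRole statement at all: add the canonical CodeDeploy one.
    fixed["Statement"].append({"Effect": "Allow",
                               "Principal": {"Service": [CODEDEPLOY_SERVICE]},
                               "Action": "sts:AssumeRole"})
    return fixed


# Account IDs are 12 digits; role names allow [\w+=,.@-] plus a path with '/'.
_ROLE_ARN = re.compile(r"^arn:aws(?:-[a-z]+)*:iam::\d{12}:role/[\w+=,.@/-]+$")
_INSTANCE_PROFILE_ARN = re.compile(r"^arn:aws(?:-[a-z]+)*:iam::\d{12}:instance-profile/")


def check_service_role_arn(arn):
    """Return (ok, reason) for the ARN handed to CodeDeploy as its service role."""
    if _INSTANCE_PROFILE_ARN.match(arn):
        return False, "instance-profile ARN; CodeDeploy needs :role/"
    if _ROLE_ARN.match(arn):
        return True, "IAM role ARN"
    return False, "not an IAM role ARN"


if __name__ == "__main__":
    print("kinds:", policy_kind(EC2_TRUST_POLICY), "/", policy_kind(PERMISSIONS_POLICY))
    print("trusts CodeDeploy before fix:", allows_codedeploy(EC2_TRUST_POLICY))
    print(json.dumps(add_codedeploy_trust(EC2_TRUST_POLICY), indent=2))
    print(check_service_role_arn("arn:aws:iam::123456789012:instance-profile/CodeDeployRole"))
```

add_codedeploy_trust keeps ec2.amazonaws.com alongside codedeploy.amazonaws.com; the first answer instead replaced it outright, which is the tighter choice when the role exists only for CodeDeploy. A role that trusts ec2.amazonaws.com is an instance role: the instance profile the CodeDeploy agent runs under on the EC2 instance and the service role CodeDeploy assumes are normally two separate roles, and only the second one needs the codedeploy.amazonaws.com principal.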