AWS CodeDeploy: Service role Cannot assume role provided

Question

I'm trying to setup CodeDeploy with my GitHub and I've found some issue.

I've created service role as mentioned in documentation with AWSCodeDeployRole policy.

During my Code Deploy Application creation process I've got an issue:

Cannot assume role provided.

As I can see, my role with AWSCodeDeployRole have a lot of autoscaling permissions, but it's not expected for me:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CompleteLifecycleAction",
        "autoscaling:DeleteLifecycleHook",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:PutLifecycleHook",
        "autoscaling:RecordLifecycleActionHeartbeat",
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:EnableMetricsCollection",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribePolicies",
        "autoscaling:DescribeScheduledActions",
        "autoscaling:DescribeNotificationConfigurations",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "autoscaling:AttachLoadBalancers",
        "autoscaling:PutScalingPolicy",
        "autoscaling:PutScheduledUpdateGroupAction",
        "autoscaling:PutNotificationConfiguration",
        "autoscaling:PutLifecycleHook",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DeleteAutoScalingGroup",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:TerminateInstances",
        "tag:GetTags",
        "tag:GetResources",
        "sns:Publish",
        "cloudwatch:DescribeAlarms",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
      ],
      "Resource": "*"
    }
  ]
}

During some googling, I've found that CodeDeploy application may expect something similar to:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codedeploy.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

But when I'm trying to create this policy manually it also fails with error:

This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies.

So, what is the expected service role for Code Deploy Application?

Btw, Code deploy is running on my EC2 instance.

I believe you're confusing the permissions policy with the [trust relationships policy](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html). They're both policies, with similar syntax, but their purposes are different: the former specifies what actions the role allows or denies (e.g. the autoscaling actions) and the latter specifies which entities (principals) can assume the role (e.g. the `codedeploy.amazonaws.com` service principal). — Michael - sqlbot, Jun 17 '17 at 16:57
Well, Trust relationships for my `Service role` looks like: `{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }` — smart, Jun 17 '17 at 17:02
Do you see the similarity between this and the policy you found during your googling? `codedeploy` vs. `ec2`? — Michael - sqlbot, Jun 17 '17 at 17:08
@Michael-sqlbot you may post your suggestion and I'll approve it. Previously removing my answer. — smart, Jun 17 '17 at 17:12

score 16 · Accepted Answer · answered Jun 17 '17 at 17:08

16

Well, according to @Michael comment, I've found some differences in my Trust relationships policy for Service role.

It looks like default AWSCodeDeployRole can't handle it properly for Code Deploy.

To fix this issue I've replaced "Service": [ "ec2.amazonaws.com"] with "Service": [ "codedeploy.amazonaws.com"]

And it works!

answered Jun 17 '17 at 17:08

smart

1,975
5
26
46

1

Nice find mate should be a default! – user25794 Dec 23 '17 at 04:42

score 2 · Answer 2 · answered Jun 08 '21 at 17:57

2

For those that find this via Google - in my Cloud Formation templates, I formatted the ARN wrong, and the error wasn't descriptive:

Roles need to be specified this way: arn:aws:iam::1234567890:role/CodeDeployRole NOTE :role/ and not :instance-profile/

The error is exactly as above that it can't assume the role, though it's because you specified it wrong.

answered Jun 08 '21 at 17:57

B Fish

323
2
7

I recommend to you to not share private data like instance IDs or account IDs – KBeDev Jul 23 '21 at 15:30
It's not real - 1234567890 – B Fish Jul 23 '21 at 20:13

score 0 · Answer 3 · answered Jun 10 '21 at 12:46

I was following the tutorial but it didn't mention you have to edit the Trust Relationship for the service role. I got the same error as mentioned until I changed the below.

I changed

        "Service": "codebuild.amazonaws.com"

To

"Service" : [
      "codedeploy.amazonaws.com",
      "codebuild.amazonaws.com"
    ]

AWS CodeDeploy: Service role Cannot assume role provided

3 Answers3