
I am using CodeDeploy to deploy my code to a server. 3 days back it was working fine, but suddenly it fails to assume the role, although it was working fine previously.

Error:

```json
{
  "Code" : "AssumeRoleUnauthorizedAccess",
  "Message" : "EC2 cannot assume the role Ec2Codedeploy",
  "LastUpdated" : "2017-07-10T06:49:59Z"
}
```

My trust relationship is:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "codedeploy.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

There is also a contradiction between the documentation pages.

  1. http://docs.aws.amazon.com/codedeploy/latest/userguide/getting-started-create-service-role.html

  2. http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_iam-ec2.html#troubleshoot_iam-ec2_errors-info-doc

No. 1 says the service should be "codedeploy.amazonaws.com".

No. 2 says the service should be "ec2.amazonaws.com".

The issue persists after a reboot as well.

Kindly help me with this issue.

  • Where are you receiving `AssumeRoleUnauthorizedAccess` error message? If the role is being used by CodeDeploy, then your trust relationship is correct. However, the error message suggests that it is being used by EC2. Is the role incorrectly assigned to an EC2 instance, too? – John Rotenstein Jul 10 '17 at 14:49
  • I have attached this role to the instance where the code is to be deployed and used the same role with CodeDeploy also. I guess this is the mistake, isn't it? – Paramjeet Singh Jul 11 '17 at 05:55
  • Yes. You need to give one role to CodeDeploy, which permits it to access certain AWS services. This is different to the role that you would give to your EC2 instances, which is done to give permissions to the *applications* running on the EC2 instances. – John Rotenstein Jul 11 '17 at 09:18

1 Answer

It appears that you have a role designed for use by AWS CodeDeploy, but you have assigned it to an Amazon EC2 instance. This is indicated by the error message: `EC2 cannot assume the role Ec2Codedeploy`

From Create a Service Role for AWS CodeDeploy:

The service role you create for AWS CodeDeploy must be granted the permissions to access the instances to which you will deploy applications. These permissions enable AWS CodeDeploy to read the tags applied to the instances or the Auto Scaling group names associated with the instances.

The permissions you add to the service role specify the operations AWS CodeDeploy can perform when it accesses your Amazon EC2 instances and Auto Scaling groups. To add these permissions, attach an AWS-supplied policy, AWSCodeDeployRole, to the service role.

This is separate to the Role that you would assign to your Amazon EC2 instances, which generates credentials that can be used by applications on the instances.

These should be two separate roles with different assigned permissions.

John Rotenstein
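As an added illustration (not part of the question or the answer above), the following Python script shows why the trust policy from the question lets CodeDeploy assume the role but makes an EC2 instance profile fail, and what the two separate trust policies the answer recommends look like. It evaluates the `Principal.Service` / `Action` / `Effect` parts of a trust policy only; conditions are not evaluated, and the function and message names are constructed for this example, not AWS APIs.

```python
import json

# Constructed copy of the trust policy from the question: trusts only CodeDeploy.
CODEDEPLOY_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "codedeploy.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def build_trust_policy(service):
    """Build a minimal trust policy that lets one AWS service assume the role.

    Two roles, each built with a single service principal, is the layout the
    answer recommends: one for CodeDeploy, one for the EC2 instance profile.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": service},
                "Action": "sts:AssumeRole",
            }
        ],
    }


# Trust policy an EC2 instance role needs (the "ec2.amazonaws.com" case from
# the IAM troubleshooting document linked in the question).
EC2_TRUST = build_trust_policy("ec2.amazonaws.com")


def _as_list(value):
    """IAM allows scalars or lists for Statement, Action and Service; normalise."""
    return value if isinstance(value, list) else [value]


def service_can_assume(trust_policy, service):
    """Simplified trust-policy evaluation for sts:AssumeRole by a service principal.

    Follows IAM's basic rule: an explicit Deny wins, otherwise at least one
    Allow statement must name the service (or "*"). Condition blocks are ignored.
    """
    allowed = False
    for stmt in _as_list(trust_policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principals = ["*"]
        else:
            principals = _as_list(principal.get("Service", []))
        if service not in principals and "*" not in principals:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def diagnose(role_name, trust_policy, caller_label, caller_service):
    """Return None when the caller may assume the role, otherwise an error string
    in the style of the instance metadata message quoted in the question."""
    if service_can_assume(trust_policy, caller_service):
        return None
    return f"{caller_label} cannot assume the role {role_name}"


if __name__ == "__main__":
    # The question's situation: the CodeDeploy role attached as an instance profile.
    print(diagnose("Ec2Codedeploy", CODEDEPLOY_TRUST, "EC2", "ec2.amazonaws.com"))
    # The fix: a separate role whose trust policy names ec2.amazonaws.com.
    print(diagnose("Ec2InstanceRole", EC2_TRUST, "EC2", "ec2.amazonaws.com"))
    print(json.dumps(EC2_TRUST, indent=2))
```

Running the script prints the same "EC2 cannot assume the role Ec2Codedeploy" text for the first check and `None` for the second, which is the distinction the answer draws: the trust policy decides which service may obtain credentials for the role, and the permissions policies attached to each role (such as AWSCodeDeployRole) decide what those credentials can do.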