7

I'm approaching AWS now.

I'm trying to store parameters in the Parameter Store for my EC2 instance, and I want to get them to put into an environment variable in the AfterInstall step of CodeDeploy. The deploy works, but I can't get the parameter in any way.

I tried to follow this tutorial https://aws.amazon.com/it/blogs/mt/use-parameter-store-to-securely-access-secrets-and-config-data-in-aws-codedeploy/.

I created the policy "ParameterStorePolicy" as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeParameters"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameters"
            ],
            "Resource": [
                "arn:aws:ssm:us-east-2:<myId>:parameter/MySecureSQLPassword"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-2:<myId>:alias/aws/ssm"
        }
    ]
}

I attached the policy to the "CodeDeployServiceRole", which also has the "AWSCodeDeployRole" attached.

Finally, in my script "Afterinstall.sh" I wrote the following code:

cd /home/ubuntu/pypi
# fetch the SecureString parameter and keep it in an environment variable
export PIPPO=$(aws ssm get-parameters --region us-east-2 --names MySecureSQLPassword --with-decryption --query Parameters[0].Value)
echo $PIPPO >testPippo.txt

The result is an empty testPippo.txt file.

Can anyone tell me what I'm doing wrong?

Thank you

Simone Biffi
  • Did you store something in the parameter store? – Dunedan Sep 11 '17 at 12:28
  • Yes, I stored the parameter "MySecureSQLPassword" with the value "abcd" and type "String" by hand from my EC2 management console. My doubt is that CodeDeploy does not have permission to get the parameter, but I can't find anything that can help me and I'm not so confident with the topic. – Simone Biffi Sep 11 '17 at 12:34
  • And I guess you replaced `` with your AWS account ID? – Dunedan Sep 11 '17 at 13:09
  • @Dunedan of course! Couldn't it be a problem of permissions? When CodeDeploy fires the AfterInstall event and executes the .ssh script, who is it that performs the action? Thank you – Simone Biffi Sep 11 '17 at 14:50
  • @SimoneBiffi If you don't specify the "run as" user inside the appspec file for CodeDeploy, it runs as root by default. – binbinlu Sep 14 '17 at 18:35

2 Answers

5

Check that the "ParameterStorePolicy" IAM policy is attached to the EC2 instance profile of the instance you are deploying to.

To confirm whether the instance has the correct permissions, you can do either of the following:

  1. Run that CLI command directly on the instance and confirm the value is decrypted:

aws ssm get-parameters --region us-east-2 --names MySecureSQLPassword --with-decryption --query Parameters[0].Value

  2. Log into the AWS Console, go to https://policysim.aws.amazon.com/home/index.jsp?#roles, find your EC2 instance role and simulate that role's access to that parameter.

JimmyL
0

There is one thing you might try: call GetParameters from the instance directly without running CodeDeploy (maybe just run that Afterinstall script directly on the instance). If you are able to get it, then it means the problem is something related to the CodeDeploy running user; otherwise it should be a problem with the parameter settings.

Thanks, Binbin

binbinlu
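Both answers boil down to the same two checks: run the same get-parameters call as the identity the hook actually runs under, and make sure an empty result is noticed rather than silently written to a file. The script below is an added example, not code from the question or from either answer, of an AfterInstall hook written that way. It uses the parameter name, region and variable name from the question; the `AWS_CLI` variable and the function names `current_identity`, `fetch_parameter` and `load_secret_into_env` are assumptions introduced here so the functions can be exercised with a stub in place of the real CLI.

```shell
#!/bin/sh
# Added example (not from the question or either answer): a fail-closed way
# to load the SecureString parameter in AfterInstall and to record which IAM
# identity the hook actually ran as. AWS_CLI is a hypothetical override that
# lets the functions be driven by a stub instead of the real CLI.
set -e

AWS_CLI="${AWS_CLI:-aws}"

# Print the ARN of the identity the CLI is using. In the deployment log this
# shows whether the hook runs with the instance profile (JimmyL's point) or
# with some other credentials (binbinlu's point about the running user).
current_identity() {
    "$AWS_CLI" sts get-caller-identity --query Arn --output text 2>/dev/null \
        || echo "unknown (sts:GetCallerIdentity failed)"
}

# Fetch one parameter as plain text.
# --output text strips the JSON quotes that the question's command leaves in
# the value. A parameter that does not exist in this region comes back as the
# literal string "None"; a missing ssm:GetParameters or kms:Decrypt permission
# makes the CLI exit non-zero with AccessDeniedException on stderr.
fetch_parameter() {
    local name region
    name=$1
    region=$2
    "$AWS_CLI" ssm get-parameters --region "$region" --names "$name" \
        --with-decryption --query 'Parameters[0].Value' --output text
}

# Export the parameter into PIPPO, or fail the hook (and so the deployment)
# with a diagnostic instead of continuing with an empty variable.
load_secret_into_env() {
    local name region value
    name=$1
    region=$2
    if ! value=$(fetch_parameter "$name" "$region"); then
        echo "AfterInstall: get-parameters failed for $name as $(current_identity)" >&2
        return 1
    fi
    if [ -z "$value" ] || [ "$value" = "None" ]; then
        echo "AfterInstall: parameter $name not found in $region as $(current_identity)" >&2
        return 1
    fi
    PIPPO=$value
    export PIPPO
    # Keep the secret in the environment of the process that needs it rather
    # than echoing it into a file in the deployment directory.
    return 0
}

# In the real hook, uncomment the next line:
# load_secret_into_env MySecureSQLPassword us-east-2
```

Reading the failure message tells you which answer applies: a non-zero exit with AccessDeniedException and an identity ARN that is not the EC2 instance role means the "ParameterStorePolicy" is attached to the wrong principal (JimmyL's first check); "None" means the name or region does not match what was stored; and an identity line showing root's credentials or no credentials at all points at the user the hook runs as, as binbinlu described.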