5

I am using AWS CodeDeploy to deploy code to our AWS Amazon Linux instances. I followed this knowledge base article https://aws.amazon.com/premiumsupport/knowledge-center/codedeploy-agent-non-root-profile/ to have the agent execute in the ec2-user context instead of root

Before making the change, the script in the yml file executed as expected (but we need the script to execute in non root context) and setting the runas: part of the appspec.yml file did not seem to execute the script in the ec2-user context as expected

appspec.yml:

version: 0.0
os: linux
files:
  - source: /
    destination: /home/ec2-user/veddor/api
    owner: ec2-user
hooks:
    AfterInstall:
      - location: deploy/script/deploy-veddor-api.sh
        timeout: 300
        runas: ec2-user

Since making the change, this error now shows up rather than executing the script specified in the appspec file

LifecycleEvent - AfterInstall
Script - deploy/script/deploy-veddor-api.sh
[stderr]Password: su: Authentication failure

contents of the deploy-veddor-api.sh

cp /home/ec2-user/veddor/api/deploy/config/Config-roddev.php /home/ec2-user/veddor/api/app/config/Config.php
cd /home/ec2-user/veddor/api
chmod +x ./composer.phar
php ./composer.phar install

I am looking for help to figure out what I need to do to get the script deploy-veddor-api.sh to actually run in the ec2-user context.

Ryan Abrahamson
  • 53
  • 3

3 Answers3

5

You may be running the AWS CodeDeploy Agent as a non-root user. Only root will have the ability to have a runas user in your AfterInstall hook, as no other user account can run the substitute user "su" command without password authentication.

Check out the details for "runas" in AWS' appspec user guide:

https://docs.aws.amazon.com/codedeploy/latest/userguide/reference-appspec-file-structure-hooks.html

runas Optional. The user to impersonate when running the script. By default, this is the AWS CodeDeploy agent running on the instance. AWS CodeDeploy does not store passwords, so the user cannot be impersonated if the runas user needs a password. This element applies to Amazon Linux and Ubuntu Server instances only.

If you are already running the CodeDeploy Agent as ec2-user, then you do not need to supply the runas element in your AfterInstall hook.

KDjukic
  • 86
  • 2
  • That was it! I didn't think to remove the runas after changing the agent. Once I remove the runas statement in the appspec, it worked as expected. Thank you so much, – Ryan Abrahamson Jan 09 '18 at 03:49
0

If you are use SDK to trigger CodeDeploy, here is a param: ignoreApplicationStopFailures: true

see: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CodeDeploy.html#createDeployment-property

cuz
  • 1,172
  • 11
  • 12
0

if you have codedeploy already configured as non root, then remove the runas commands from appspec.yml. Save it and retry!

Swarnabha Das
  • 27
  • 3