Simple IAM Issue with CodeDeploy

Question

I'm having an issue with a seemingly trivial task of getting CodeDeploy to deploy Github code to an AutoScaling Group in a Blue/Green Deployment.

I have a Pipeline setup, a Deployment Group setup, and the AutoScaling Group, but it fails when it gets to the actual deployment:

I went to my role and it seems like it has sufficient policies for it to go through with the blue/green deployment:

Is there a policy that I'm not considering that needs to be attached to this role?

score 23 · Answer 1 · answered Mar 18 '19 at 12:54

23

I found the answer in this link: https://h2ik.co/2019/02/28/aws-codedeploy-blue-green/

Without wanting to take the credit, only one statement was missing from @PeskyGnat :

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole",
                "ec2:CreateTags",
                "ec2:RunInstances"
            ],
            "Resource": "*"
        }
    ]
}

answered Mar 18 '19 at 12:54

Claudio Castro

479
5
9

Is it secure to use "Resource": "*" ? – Halil Jun 02 '22 at 21:39
No. BUT you are giving this to a trusted service in aws – Claudio Castro Jun 03 '22 at 23:10

PeskyGnat · Accepted Answer · 2021-02-05T14:57:50.093

15

I was also getting the error:

"The IAM role does not give you permission to perform operations in the following AWS service: AmazonAutoScaling. Contact your AWS administrator if you need help. If you are an AWS administrator, you can grant permissions to your users or groups by creating IAM policies."

I figured out the 2 permissions needed to get past this error, I created the policy below and attached it to the Code Deploy role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole",
                "ec2:RunInstances",
                "ec2:CreateTags"
            ],
            "Resource": "*"
        }
    ]
}

edited Feb 05 '21 at 14:57

answered Jan 21 '19 at 20:49

PeskyGnat

2,454
19
22

I copypasted the provided role and still have the same error. – Defozo Feb 26 '19 at 17:09
I have the same issue as @Defozo – Claudio Castro Mar 18 '19 at 11:47
2

Hey @Defozo you can find more details here. The problem happening because (I assume) you created your ASG using Launch Template instead of Launch Config: https://docs.aws.amazon.com/codedeploy/latest/userguide/getting-started-create-service-role.html – Thiago Dec 21 '19 at 11:50
added CreateTags, I didn't need it when I first ran into this issue, perhaps the issue I had was slightly different, or that the new permission is now needed? – PeskyGnat Feb 05 '21 at 14:58

pooriyapfn · Answer 3 · 2023-04-18T00:03:23.443

After conducting some research, I found that the following IAM policy has worked for me:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sts:GetCallerIdentity",
                "ecr:GetAuthorizationToken",
                "ecr:BatchGetImage",
                "sqs:ListQueues",
                "ec2:DescribeSpotPriceHistory"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },

Simple IAM Issue with CodeDeploy

3 Answers3