4

aws deploy register-on-premises-instance --instance-name XXXXX --iam-user-arn arn:aws:iam::XXXXXXXXXXXX:user/LightSailCodeDeployUser --region ap-south-1

An error occurred (AccessDeniedException) when calling the RegisterOnPremisesInstance operation: User: arn:aws:sts::XXXXXXXXXXX:assumed-role/AmazonLightsailInstanceRole/i-XXXXXXXXXXXXXX is not authorized to perform: codedeploy:RegisterOnPremisesInstance on resource: arn:aws:codedeploy:ap-south-1:XXXXXXXXXX:instance:XXXXXXXXXXXX

I didn't even create the role AmazonLightsailInstanceRole, so how did it come into the picture? My user has all permissions on CodeDeploy though. I am following this link to set up: https://aws.amazon.com/blogs/compute/using-aws-codedeploy-and-aws-codepipeline-to-deploy-applications-to-amazon-lightsail/

vijayK
  • Can you let me know what's the issue with the code. I have removed that " after --instance-name – vijayK May 14 '20 at 06:35

3 Answers

3

I made the same mistake and then realized that command is meant to be run on your local machine and not the instance!

Josh
2

AmazonLightsailInstanceRole is a service-linked role automatically created by AWS:

Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf.

The error you are getting is not about you not having the codedeploy:RegisterOnPremisesInstance permission.

The error is about the AmazonLightsailInstanceRole not having it. It does not matter if you (i.e. your IAM user) has all CodeDeploy permissions.

Normally you would add the missing permissions to the role. How to work with the AmazonLightsailInstanceRole is described in the following AWS documentation:

However, I'm not sure if you can modify the AmazonLightsailInstanceRole and add the missing permissions. Some service-linked roles can be modified, some not.

Marcin
  • Did you find if you can edit `AmazonLightsailInstanceRole` or add a specific IAM policy to Lightsail instance ? – GuillaumeRZ Jul 26 '21 at 09:18
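
Added example, not part of any answer above and not AWS code: a Python sketch that splits an AccessDenied message of the shape shown in the question into the principal that actually signed the call, the denied action and the resource, then compares that principal with the IAM user the operator meant to use. The names parse_denied and diagnose are hypothetical, and the account ID, instance ID and instance name in the sample are constructed placeholders.

```python
import re

# Shape of the AccessDenied text in the question; newer messages may append a
# "because ..." clause after the resource, which the pattern tolerates.
DENIED = re.compile(
    r"User: (?P<caller>arn:aws:(?P<svc>iam|sts)::(?P<account>[^:]*):(?P<rest>\S+))"
    r" is not authorized to perform: (?P<action>\S+)"
    r"(?: on resource: (?P<resource>\S+))?"
)


def parse_denied(message):
    """Split an AccessDenied message into caller, action and resource."""
    m = DENIED.search(message)
    if m is None:
        raise ValueError("not an AccessDenied message of the expected shape")
    kind, _, path = m["rest"].partition("/")
    info = {"caller": m["caller"], "kind": kind, "action": m["action"],
            "resource": m["resource"], "role": None, "session": None}
    if m["svc"] == "sts" and kind == "assumed-role":
        # assumed-role/<role name>/<session name>; in the question the
        # session name is the instance ID.
        info["role"], _, info["session"] = path.partition("/")
    return info


def diagnose(message, intended_user_arn):
    """Say whether the denied caller is the IAM user the operator meant to use."""
    info = parse_denied(message)
    if info["caller"] == intended_user_arn:
        return f"{info['action']} is denied to the intended user itself"
    if info["kind"] == "assumed-role":
        return (f"call was signed as role {info['role']} (session "
                f"{info['session']}), not as {intended_user_arn}; the CLI used "
                f"the role credentials available on the machine it ran on")
    return f"call was signed as {info['caller']}, not as {intended_user_arn}"


# Constructed sample: the question's error with placeholder IDs filled in.
SAMPLE = ("An error occurred (AccessDeniedException) when calling the "
          "RegisterOnPremisesInstance operation: User: arn:aws:sts::111122223333:"
          "assumed-role/AmazonLightsailInstanceRole/i-0123456789abcdef0 is not "
          "authorized to perform: codedeploy:RegisterOnPremisesInstance on "
          "resource: arn:aws:codedeploy:ap-south-1:111122223333:instance:demo")
INTENDED = "arn:aws:iam::111122223333:user/LightSailCodeDeployUser"

if __name__ == "__main__":
    print(diagnose(SAMPLE, INTENDED))
```

Running aws sts get-caller-identity on the same machine shows the same caller ARN before any CodeDeploy call is attempted.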
2

The documentation is a bit confusing. Create a new user in IAM with admin role (full privileges) and use the credentials of that user to run the command on your local machine.

Shania