
I want to use AWS Systems Manager Parameter Store with my CodeDeploy pipeline, dropping my last commit on Lightsail.

✅ 1. I created an SSM parameter: MySecureString.

The parameter is set as a SecureString with KMS encryption using the current account's key with alias/aws/ssm as ID.

My SecureString is set as: postgres://user:password@endpoint.rds.amazonaws.com:5432/myDatabase

✅ 2. I created an IAM policy used by the CodeDeploy instance

Went to IAM and created a JSON policy attached to MySpecificCodeDeployUser:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "ssm:GetParameter"
            ],
            "Resource": [
                "arn:aws:kms:*:<accountID>:key/alias/aws/ssm",
                "arn:aws:ssm:us-east-1:<accountID>:parameter/MySecureString"
            ]
        }
    ]
}

✅ 3. Testing that MySpecificCodeDeployUser can access SSM MySecureString:

Typed aws configure to log in as MySpecificCodeDeployUser and tried to run this command on my local computer:

aws --region=us-east-1 ssm get-parameter --name MySecureString --with-decryption --query Parameter.Value
RETURN ==> "postgres://user:password@endpoint.rds.amazonaws.com:5432/myDatabase"

Note that removing the IAM policy gives me an Unauthorized request, so the IAM policy is correct.

4. Adding MySecureString to the script executed by CodeDeploy:

Editing the AfterInstall script of my appspec.yml to add:

aws --region=us-east-1 ssm get-parameter --name MySecureString --with-decryption --query Parameter.Value >> .env

Gave me a FAILED build with stderr:

[stderr] An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:sts::<id>:assumed-role/AmazonLightsailInstanceRole/<id> is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:<id>:parameter/MySecureString

I saw that Lightsail instances inherit the service-linked role AWSServiceRoleForLightsail, from https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-service-linked-roles.

Is there a way to add a new policy to my Lightsail instance, given that it doesn't seem to be the CodeDeploy user that needs it?

GuillaumeRZ
  • Any stderr logs? – jellycsc Jul 20 '21 at 14:56
  • Where can I retrieve stderr from CodeDeploy? When I went to my deployment, everything is marked as success (green flag). – GuillaumeRZ Jul 20 '21 at 14:57
  • Try `&>` and see what you get – jellycsc Jul 20 '21 at 15:04
  • `&>` in my `AfterInstall` script ? – GuillaumeRZ Jul 20 '21 at 15:05
  • yep, replace `>>` with `&>` – jellycsc Jul 20 '21 at 15:05
  • Same result after deploying. Success but my `.env` is empty. – GuillaumeRZ Jul 20 '21 at 15:07
  • That's weird. This means that no stderr is logged. – jellycsc Jul 20 '21 at 15:09
  • Can you run it as `aws --region=us-east-1 ssm get-parameter --name MySecureString --with-decryption --query Parameter.Value &> .env` (no echo, just the aws command). – Marcin Jul 24 '21 at 22:42
  • Nice! I got `Failed - ScriptFailed`, but the error isn't clear: `Script at specified location: scripts/after_install.sh run as user bitnami failed with exit code 255`. Is it possible that it comes from my `appspec.yml`, which has `runas: bitnami`? – GuillaumeRZ Jul 25 '21 at 12:32
  • I managed to get an explicit log. As I understand it, the IAM role I deployed should not be for `CodeDeploy` but for the `LightSail` instance. Is it possible to do that? `[stderr]An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:sts:::assumed-role/AmazonLightsailInstanceRole/ is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1::parameter/MySecureString` – GuillaumeRZ Jul 25 '21 at 16:16
  • After some research, I found that LightSail inherits IAM service-linked roles that don't seem editable to add a specific permission: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-service-linked-roles. Any clue on that? Thanks. – GuillaumeRZ Jul 26 '21 at 08:58
  • If you want a specific person to get notified about your comment, you need to tag them, e.g. @Marcin. Otherwise, no one will know you responded to them. – Marcin Jul 27 '21 at 06:06
  • The error says that you are using the `AmazonLightsailInstanceRole` role. In the question you are listing a different role, called `MySpecificCodeDeployUser`? You have to find `AmazonLightsailInstanceRole` and add ssm and kms permissions to that role. – Marcin Jul 27 '21 at 06:10
  • Thanks @Marcin. I didn't create `AmazonLightsailInstanceRole`, which seems inherited from the AWS Lightsail service-linked role. From my research right now, it doesn't seem possible to add a specific IAM policy to `AmazonLightsailInstanceRole`. Is it possible to execute `CodeDeploy` scripts with another role or instance than `AmazonLightsailInstanceRole`, which seems to be my Lightsail instance? – GuillaumeRZ Jul 27 '21 at 12:03

1 Answer

Is there a way to add a new policy to my Lightsail instance, given that it doesn't seem to be the CodeDeploy user that needs it?

Sadly, you can't do this. To enable your applications on the Lightsail instance to interact with AWS services, you have to do it yourself, by setting up .aws credentials and having your app use them (done automatically if you use the AWS SDK).

Lightsail instances don't support user-based instance roles. For that you need a regular EC2 instance, as explained in:

Marcin
  • As I understand, it is possible to give the right permissions to the Lightsail instance, using `.aws` or the AWS SDK in my app, right @Marcin? – GuillaumeRZ Jul 28 '21 at 13:26
  • @GuillaumeRZ Yes. You have to do it as you would on your local workstation. – Marcin Jul 28 '21 at 21:53
  • @GuillaumeRZ How did it go? Any progress? – Marcin Jul 31 '21 at 06:11
  • It works. Thanks. What I did: `aws configure` on my Lightsail instance, then create an Access Key on IAM for `MySpecificCodeDeployUser` and then paste the `secret key` and `key ID`. – GuillaumeRZ Aug 05 '21 at 12:51
  • @GuillaumeRZ Good it worked, but disappointing that the bounty lapsed for the question :-( – Marcin Aug 05 '21 at 21:38
  • Sorry, it took me some time to understand that it is possible only by using `aws configure` on the Lightsail instance... :( – GuillaumeRZ Aug 06 '21 at 08:09
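The thread shows two things going wrong at once in the AfterInstall step: the hook ran as `AmazonLightsailInstanceRole` rather than the user the policy was attached to, and `>> .env` swallowed the `AccessDeniedException`, so the deployment reported success with an empty `.env`. The script below is an added example, not the asker's `after_install.sh` or anything from AWS: it logs the caller identity so the wrong principal is visible in the deployment log, fails the lifecycle event instead of writing an empty file, strips the JSON quotes that `--query Parameter.Value` alone leaves around the value (that is what `--output text` is for), and creates the env file with mode 600 before any secret lands in it. It assumes the AWS CLI is installed and already has credentials (an instance profile on EC2, or the `~/.aws/credentials` set up with `aws configure` as the answer describes); the variable name `DATABASE_URL`, the target path `/opt/myapp/.env`, the `AWS_CLI` override, and the region are illustrative assumptions. `LIFECYCLE_EVENT` is one of the environment variables the CodeDeploy agent exports to hook scripts.

```shell
#!/bin/sh
# Added example, not the script from the question: a hardened AfterInstall step
# for appspec.yml. Assumes the AWS CLI is installed and already has credentials
# (an instance profile on EC2, or ~/.aws/credentials as the answer describes).
# Variable name, parameter name and target path are illustrative placeholders.
set -eu

# fetch_param_to_env VAR_NAME PARAMETER_NAME ENV_FILE
# Reads one SecureString and writes "VAR_NAME=value" into ENV_FILE (mode 600).
# Returns non-zero on any failure so CodeDeploy marks the lifecycle event as
# failed, instead of reporting success with an empty .env as `>> .env` did.
fetch_param_to_env() {
    var_name="$1"; param_name="$2"; env_file="$3"
    region="${AWS_REGION:-us-east-1}"
    cli="${AWS_CLI:-aws}"   # overridable so the function can be exercised offline
    err_file="$(mktemp)"

    # Log which principal the hook really runs as; in the thread it was
    # AmazonLightsailInstanceRole, not the user the policy was attached to.
    caller="$("$cli" sts get-caller-identity --query Arn --output text 2>/dev/null || echo unknown)"
    echo "AfterInstall: fetching $param_name as $caller"

    # --output text strips the JSON quotes that --query alone leaves around the value.
    if ! value="$("$cli" --region "$region" ssm get-parameter \
            --name "$param_name" --with-decryption \
            --query Parameter.Value --output text 2>"$err_file")"; then
        echo "ERROR: GetParameter for $param_name failed:" >&2
        cat "$err_file" >&2   # surfaces e.g. AccessDeniedException in the deployment log
        rm -f "$err_file"
        return 1
    fi
    rm -f "$err_file"

    # An empty value usually means a wrong --query path or parameter name.
    if [ -z "$value" ]; then
        echo "ERROR: parameter $param_name resolved to an empty value" >&2
        return 1
    fi

    # Create the env file owner-only before any secret is written to it.
    umask 077
    touch "$env_file"
    chmod 600 "$env_file"

    # Replace a previous assignment of the same variable instead of appending duplicates.
    if grep -q "^${var_name}=" "$env_file"; then
        grep -v "^${var_name}=" "$env_file" > "${env_file}.tmp" || true
        mv "${env_file}.tmp" "$env_file"
    fi
    printf '%s=%s\n' "$var_name" "$value" >> "$env_file"
}

# The CodeDeploy agent exports LIFECYCLE_EVENT to hook scripts; only act when
# actually running as the AfterInstall hook (/opt/myapp is a placeholder path).
if [ "${LIFECYCLE_EVENT:-}" = "AfterInstall" ]; then
    fetch_param_to_env DATABASE_URL MySecureString /opt/myapp/.env
fi
```

With this in place a denied `GetParameter` shows up as `Failed - ScriptFailed` with the `AccessDeniedException` and the caller ARN in the event log, which is exactly the information that took several comment rounds to surface above; the application never starts against an empty `.env`.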