7
votes

I am trying to deploy my sampleApplication code via AWS CodeDeploy for Bitbucket

I have used this tutorial and followed all the steps. The Trust Relationship for the role is like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::accountId:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "connectionId"
        }
      }
    }
  ]
}

and while creating a deployment group I got a 'can't assume role' error when I select the above role as Service role ARN*.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ec2.amazonaws.com",
          "codedeploy.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

But when I add the above trust relationship I can create the deployment group, but then the AWS integration on Bitbucket doesn't work and throws an error asking to add sufficient permissions.

1
Are these all the roles / policies you have created? Can you post the permission error you are seeing? - Milk
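As an added example (not part of the original question or the tutorial), the two trust statements posted above combined into a single trust policy, plus a small checker that models only the pieces relevant here: Allow statements, the principal type, and the StringEquals/sts:ExternalId condition that protects the Bitbucket integration against the confused-deputy problem. "accountId" and "connectionId" are the question's placeholders, and the checker is a deliberate simplification of IAM's evaluation, not the real algorithm.

```python
# Constructed trust policy combining both statements from the question: the
# Bitbucket account principal gated by sts:ExternalId (confused-deputy guard)
# and the CodeDeploy/EC2 service principals. "accountId" and "connectionId"
# are the question's placeholders, not real values.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::accountId:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "connectionId"}},
        },
        {
            "Effect": "Allow",
            "Principal": {"Service": ["ec2.amazonaws.com", "codedeploy.amazonaws.com"]},
            "Action": "sts:AssumeRole",
        },
    ],
}


def _as_list(value):
    # IAM allows a single string or a list in Principal and Action fields.
    return [value] if isinstance(value, str) else list(value or [])


def can_assume(policy, principal_kind, principal, external_id=None):
    """Simplified model (an assumption of this example, not real IAM
    evaluation): returns True if some Allow statement grants sts:AssumeRole
    to `principal` of `principal_kind` ("AWS" or "Service") and any
    StringEquals/sts:ExternalId condition on it matches `external_id`."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        if principal not in _as_list(stmt.get("Principal", {}).get(principal_kind)):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and required != external_id:
            continue  # right principal, but the external ID was not presented
        return True
    return False


if __name__ == "__main__":
    # CodeDeploy assumes without an external ID; the Bitbucket account must present it.
    print(can_assume(TRUST_POLICY, "Service", "codedeploy.amazonaws.com"))  # True
    print(can_assume(TRUST_POLICY, "AWS", "arn:aws:iam::accountId:root"))    # False
```

With both statements in one policy, the CodeDeploy service and the Bitbucket integration can each assume the role, while a caller from the same account that does not present the connection ID is still refused.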

1 Answer

1
votes

Neither of your posted roles has given permission to CodeCommit or S3.

As per the tutorial you linked, you must provide access to CodeCommit and S3. These are likely the permissions you are missing:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListAllMyBuckets", "s3:PutObject"],
        "Resource": "arn:aws:s3:::*"
    }, {
        "Effect": "Allow",
        "Action": ["codedeploy:*"],
        "Resource": "*"
    }]
}