IAM Issue with CodeDeploy

0
votes

I'm having an issue with a seemingly trivial task of getting CodeDeploy to deploy Github code to an AutoScaling Group in a Blue/Green Deployment.

I have a Pipeline setup, a Deployment Group setup, AutoScaling Group, ELB, and LAUCH CONFIGURATION but it fails when it gets to the actual deployment: enter image description here

and this my roles in codeDeploy-roles

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": "autoscaling:*",
        "Resource": "*"
    },
    {
        "Effect": "Allow",
        "Action": "cloudwatch:PutMetricAlarm",
        "Resource": "*"
    },
    {
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeImages",
            "ec2:DescribeInstanceAttribute",
            "ec2:DescribeInstances",
            "ec2:DescribeKeyPairs",
            "ec2:DescribeLaunchTemplateVersions",
            "ec2:DescribePlacementGroups",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSpotInstanceRequests",
            "ec2:DescribeSubnets",
            "ec2:DescribeVpcClassicLink"
        ],
        "Resource": "*"
    },
    {
        "Effect": "Allow",
        "Action": [
            "elasticloadbalancing:DescribeLoadBalancers",
            "elasticloadbalancing:DescribeTargetGroups"
        ],
        "Resource": "*"
    },
    {
        "Effect": "Allow",
        "Action": "iam:CreateServiceLinkedRole",
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "iam:AWSServiceName": "autoscaling.amazonaws.com"
            }
        }
    }
]

}

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "autoscaling:CompleteLifecycleAction",
            "autoscaling:DeleteLifecycleHook",
            "autoscaling:DescribeAutoScalingGroups",
            "autoscaling:DescribeLifecycleHooks",
            "autoscaling:PutLifecycleHook",
            "autoscaling:RecordLifecycleActionHeartbeat",
            "autoscaling:CreateAutoScalingGroup",
            "autoscaling:UpdateAutoScalingGroup",
            "autoscaling:EnableMetricsCollection",
            "autoscaling:DescribeAutoScalingGroups",
            "autoscaling:DescribePolicies",
            "autoscaling:DescribeScheduledActions",
            "autoscaling:DescribeNotificationConfigurations",
            "autoscaling:DescribeLifecycleHooks",
            "autoscaling:SuspendProcesses",
            "autoscaling:ResumeProcesses",
            "autoscaling:AttachLoadBalancers",
            "autoscaling:AttachLoadBalancerTargetGroups",
            "autoscaling:PutScalingPolicy",
            "autoscaling:PutScheduledUpdateGroupAction",
            "autoscaling:PutNotificationConfiguration",
            "autoscaling:PutLifecycleHook",
            "autoscaling:DescribeScalingActivities",
            "autoscaling:DeleteAutoScalingGroup",
            "ec2:DescribeInstances",
            "ec2:DescribeInstanceStatus",
            "ec2:TerminateInstances",
            "tag:GetResources",
            "sns:Publish",
            "cloudwatch:DescribeAlarms",
            "cloudwatch:PutMetricAlarm",
            "elasticloadbalancing:DescribeLoadBalancers",
            "elasticloadbalancing:DescribeInstanceHealth",
            "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
            "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
            "elasticloadbalancing:DescribeTargetGroups",
            "elasticloadbalancing:DescribeTargetHealth",
            "elasticloadbalancing:RegisterTargets",
            "elasticloadbalancing:DeregisterTargets"
        ],
        "Resource": "*"
    }
]

}

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "iam:PassRole",
            "ec2:CreateTags",
            "ec2:RunInstances"
        ],
        "Resource": "*"
    }
]

}

enter image description here

Is there a policy that I'm not considering that needs to be attached to this role?

1
amazon-web-servicespipelineamazon-iamautoscalingaws-code-deploy
You need autoscaling group policy in the role! You can use your own or can use the aws managed policy! - error404
in first policy i use AutoScalingFullAccess - wayan edi
that is AWS managed policy! Can you paste the policy in the problem ? - error404
please cek the role in my problem - wayan edi
What is the trust policy of that role? - Marcin

1 Answers

0
votes

As I understood,I would rather following steps.

  1. You need to create a CodeDeployServiceRole and you just used built in policy.
  2. Create a CodeDeploy application and deployment group and assign your CodeDeployServiceRole there.
  3. In launch configuration you don't have to worry about CodeDeploy and just config you instance profile with required policies for instance operations.