

# Getting started with CodeDeploy
<a name="getting-started-codedeploy"></a>

**Topics**
+ [Step 1: Setting up](getting-started-setting-up.md)
+ [Step 2: Create a service role for CodeDeploy](getting-started-create-service-role.md)
+ [Step 3: Limit the CodeDeploy user's permissions](getting-started-policy.md)
+ [Step 4: Create an IAM instance profile for your Amazon EC2 instances](getting-started-create-iam-instance-profile.md)

# Step 1: Setting up
<a name="getting-started-setting-up"></a>

Before you use AWS CodeDeploy for the first time, you must complete setup steps. The steps involve creating an AWS account (if you don't already have one), and an administrative user with programmatic access.

In this guide, the administrative user is called the **CodeDeploy administrative user**.

## Sign up for an AWS account
<a name="sign-up-for-aws"></a>

If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

## Create a user with administrative access
<a name="create-an-admin"></a>

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

**Secure your AWS account root user**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using the root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Create a user with administrative access**

1. Enable IAM Identity Center.

   For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

1. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see [Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.

**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

**Assign access to additional users**

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.

1. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see [Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.

You have now created and signed in as the **CodeDeploy administrative user**.

## Grant programmatic access
<a name="getting-started-setting-up-programmatic"></a>

Users need programmatic access if they want to interact with AWS outside of the AWS Management Console. The way to grant programmatic access depends on the type of user that's accessing AWS.

To grant users programmatic access, choose one of the following options.


| Which user needs programmatic access? | To | By |
| --- | --- | --- |
| IAM | (Recommended) Use console credentials as temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/codedeploy/latest/userguide/getting-started-setting-up.html) |
| Workforce identity (Users managed in IAM Identity Center) | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/codedeploy/latest/userguide/getting-started-setting-up.html) |
| IAM | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions in [Using temporary credentials with AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) in the *IAM User Guide*. |
| IAM | (Not recommended) Use long-term credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/codedeploy/latest/userguide/getting-started-setting-up.html) |

**Important**  
We strongly recommend you configure the CodeDeploy administrative user as a workforce identity (a user managed in IAM Identity Center) with the AWS CLI. Many of the procedures in this guide assume you're using the AWS CLI to perform configurations.

**Important**  
If you configure the AWS CLI, you may be prompted to specify an AWS Region. Choose one of the supported Regions listed in [Region and endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#codedeploy_region) in the *AWS General Reference*.

# Step 2: Create a service role for CodeDeploy
<a name="getting-started-create-service-role"></a>

In AWS, service roles are used to grant permissions to an AWS service so it can access AWS resources. The policies that you attach to the service role determine which resources the service can access and what it can do with those resources. 

The service role you create for CodeDeploy must be granted the permissions required for your compute platform. If you deploy to more than one compute platform, create one service role for each. To add permissions, attach one or more of the following AWS supplied policies:

For EC2/On-Premises deployments, attach the **AWSCodeDeployRole** policy. It provides the permissions for your service role to:
+ Read the tags on your instances or identify your Amazon EC2 instances by Amazon EC2 Auto Scaling group names.
+ Read, create, update, and delete Amazon EC2 Auto Scaling groups, lifecycle hooks, and scaling policies.
+ Publish information to Amazon SNS topics.
+ Retrieve information about CloudWatch alarms.
+ Read and update Elastic Load Balancing.
**Note**  
If you create your Auto Scaling group with a launch template, you must add the following permissions:
+ `ec2:RunInstances`
+ `ec2:CreateTags`
+ `iam:PassRole`

For more information, see [Step 2: Create a service role](#getting-started-create-service-role), [Creating a launch template for an Auto Scaling group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/create-launch-template.html), and [Launch template support](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-launch-template-permissions.html) in the *Amazon EC2 Auto Scaling User Guide*.

For Amazon ECS deployments, if you want full access to support services, attach the **AWSCodeDeployRoleForECS** policy. It provides the permissions for your service role to:
+ Read, update, and delete Amazon ECS task sets.
+ Update Elastic Load Balancing target groups, listeners, and rules.
+ Invoke AWS Lambda functions.
+ Access revision files in Amazon S3 buckets.
+ Retrieve information about CloudWatch alarms.
+ Publish information to Amazon SNS topics.

For Amazon ECS deployments, if you want limited access to support services, attach the **AWSCodeDeployRoleForECSLimited** policy. It provides the permissions for your service role to:
+ Read, update, and delete Amazon ECS task sets.
+ Retrieve information about CloudWatch alarms.
+ Publish information to Amazon SNS topics.

For AWS Lambda deployments, if you want to allow publishing to Amazon SNS, attach the **AWSCodeDeployRoleForLambda** policy. It provides the permissions for your service role to:
+ Read, update, and invoke AWS Lambda functions and aliases.
+ Access revision files in Amazon S3 buckets.
+ Retrieve information about CloudWatch alarms.
+ Publish information to Amazon SNS topics.

For AWS Lambda deployments, if you want to limit access to Amazon SNS, attach the **AWSCodeDeployRoleForLambdaLimited** policy. It provides the permissions for your service role to:
+ Read, update, and invoke AWS Lambda functions and aliases.
+ Access revision files in Amazon S3 buckets.
+ Retrieve information about CloudWatch alarms.

As part of setting up the service role, you also update its trust relationship to specify the endpoints to which you want to grant it access.

You can create a service role with the IAM console, the AWS CLI, or the IAM APIs.

**Topics**
+ [Create a service role (console)](#getting-started-create-service-role-console)
+ [Create a service role (CLI)](#getting-started-create-service-role-cli)
+ [Get the service role ARN (console)](#getting-started-get-service-role-console)
+ [Get the service role ARN (CLI)](#getting-started-get-service-role-cli)

## Create a service role (console)
<a name="getting-started-create-service-role-console"></a>

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**, and then choose **Create role**.

1. Choose **AWS service**, and under **Use case**, from the drop-down list, choose **CodeDeploy**.

1. Choose your use case:
   +  For EC2/On-Premises deployments, choose **CodeDeploy**. 
   +  For AWS Lambda deployments, choose **CodeDeploy for Lambda**. 
   +  For Amazon ECS deployments, choose **CodeDeploy - ECS**. 

1. Choose **Next**.

1. On the **Add permissions** page, the correct permissions policy for the use case is displayed. Choose **Next**.

1. On the **Name, review, and create** page, in **Role name**, enter a name for the service role (for example, **CodeDeployServiceRole**), and then choose **Create role**.

   You can also enter a description for this service role in **Role description**.

1. If you want this service role to have permission to access all currently supported endpoints, you are finished with this procedure.

   To restrict this service role from access to some endpoints, continue with the remaining steps in this procedure.

1. In the list of roles, search for and choose the role you just created (`CodeDeployServiceRole`).

1. Choose the **Trust relationships** tab.

1. Choose **Edit trust policy**.

   You should see the following policy, which provides the service role permission to access all supported endpoints:

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "",
               "Effect": "Allow",
               "Principal": {
                   "Service": [
                       "codedeploy.amazonaws.com"
                   ]
               },
               "Action": "sts:AssumeRole"
           }
       ]
   }
   ```

   To grant the service role access to only some supported endpoints, replace the contents of the trust policy text box with the following policy. Remove the lines for the endpoints you want to prevent access to, and then choose **Update policy**.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "",
               "Effect": "Allow",
               "Principal": {
                   "Service": [
                       "codedeploy.us-east-1.amazonaws.com",
                       "codedeploy.us-east-2.amazonaws.com",
                       "codedeploy.us-west-1.amazonaws.com",
                       "codedeploy.us-west-2.amazonaws.com",
                       "codedeploy.ca-central-1.amazonaws.com",
                       "codedeploy.ap-east-1.amazonaws.com",
                       "codedeploy.ap-northeast-1.amazonaws.com",
                       "codedeploy.ap-northeast-2.amazonaws.com",
                       "codedeploy.ap-northeast-3.amazonaws.com",
                       "codedeploy.ap-southeast-1.amazonaws.com",
                       "codedeploy.ap-southeast-2.amazonaws.com",
                       "codedeploy.ap-southeast-3.amazonaws.com",
                       "codedeploy.ap-southeast-4.amazonaws.com",
                       "codedeploy.ap-south-1.amazonaws.com",
                       "codedeploy.ap-south-2.amazonaws.com",
                       "codedeploy.eu-west-1.amazonaws.com",
                       "codedeploy.eu-west-2.amazonaws.com",
                       "codedeploy.eu-west-3.amazonaws.com",
                       "codedeploy.eu-central-1.amazonaws.com",
                       "codedeploy.eu-central-2.amazonaws.com",
                       "codedeploy.eu-north-1.amazonaws.com",
                       "codedeploy.eu-south-1.amazonaws.com",
                       "codedeploy.eu-south-2.amazonaws.com",
                       "codedeploy.il-central-1.amazonaws.com",
                       "codedeploy.me-central-1.amazonaws.com",
                       "codedeploy.me-south-1.amazonaws.com",
                       "codedeploy.sa-east-1.amazonaws.com"
                   ]
               },
               "Action": "sts:AssumeRole"
           }
       ]
   }
   ```

For more information about creating service roles, see [Creating a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-creatingrole-service.html) in the *IAM User Guide*.

## Create a service role (CLI)
<a name="getting-started-create-service-role-cli"></a>

1. On your development machine, create a text file named, for example, `CodeDeployDemo-Trust.json`. This file is used to allow CodeDeploy to work on your behalf.

   Do one of the following: 
   + To grant access to all supported AWS Regions, save the following content in the file:

     ```
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "",
                 "Effect": "Allow",
                 "Principal": {
                     "Service": [
                         "codedeploy.amazonaws.com"
                     ]
                 },
                 "Action": "sts:AssumeRole"
             }
         ]
     }
     ```
   + To grant access to only some supported Regions, save the following content in the file and remove the lines for the Regions you want to exclude:

     ```
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "",
                 "Effect": "Allow",
                 "Principal": {
                     "Service": [
                         "codedeploy.us-east-1.amazonaws.com",
                         "codedeploy.us-east-2.amazonaws.com",
                         "codedeploy.us-west-1.amazonaws.com",
                         "codedeploy.us-west-2.amazonaws.com",
                         "codedeploy.ca-central-1.amazonaws.com",
                         "codedeploy.ap-east-1.amazonaws.com",
                         "codedeploy.ap-northeast-1.amazonaws.com",
                         "codedeploy.ap-northeast-2.amazonaws.com",
                         "codedeploy.ap-northeast-3.amazonaws.com",
                         "codedeploy.ap-southeast-1.amazonaws.com",
                         "codedeploy.ap-southeast-2.amazonaws.com",
                         "codedeploy.ap-southeast-3.amazonaws.com",
                         "codedeploy.ap-southeast-4.amazonaws.com",
                         "codedeploy.ap-south-1.amazonaws.com",
                         "codedeploy.ap-south-2.amazonaws.com",
                         "codedeploy.eu-west-1.amazonaws.com",
                         "codedeploy.eu-west-2.amazonaws.com",
                         "codedeploy.eu-west-3.amazonaws.com",
                         "codedeploy.eu-central-1.amazonaws.com",
                         "codedeploy.eu-central-2.amazonaws.com",
                         "codedeploy.eu-north-1.amazonaws.com",
                         "codedeploy.eu-south-1.amazonaws.com",
                         "codedeploy.eu-south-2.amazonaws.com",
                         "codedeploy.il-central-1.amazonaws.com",
                         "codedeploy.me-central-1.amazonaws.com",
                         "codedeploy.me-south-1.amazonaws.com",
                         "codedeploy.sa-east-1.amazonaws.com"
                     ]
                 },
                 "Action": "sts:AssumeRole"
             }
         ]
     }
     ```
**Note**  
Do not use a comma after the last endpoint in the list.

1. From the same directory, call the **create-role** command to create a service role named **CodeDeployServiceRole** based on the information in the text file you just created:

   ```
   aws iam create-role --role-name CodeDeployServiceRole --assume-role-policy-document file://CodeDeployDemo-Trust.json
   ```
**Important**  
Be sure to include `file://` before the file name. It is required in this command.

   In the command's output, make a note of the value of the `Arn` entry under the `Role` object. You need it later when you create deployment groups. If you forget the value, follow the instructions in [Get the service role ARN (CLI)](#getting-started-get-service-role-cli). 

1. The managed policy you use depends on the compute platform.
   + If your deployment is to an EC2/On-Premises compute platform:

     Call the **attach-role-policy** command to give the service role named **CodeDeployServiceRole** the permissions based on the IAM managed policy named **AWSCodeDeployRole**. For example:

     ```
     aws iam attach-role-policy --role-name CodeDeployServiceRole --policy-arn arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole
     ```
   + If your deployment is to an AWS Lambda compute platform:

     Call the **attach-role-policy** command to give the service role named **CodeDeployServiceRole** the permissions based on the IAM managed policy named **AWSCodeDeployRoleForLambda** or **AWSCodeDeployRoleForLambdaLimited**. For example:

     ```
     aws iam attach-role-policy --role-name CodeDeployServiceRole --policy-arn arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda
     ```
   + If your deployment is to an Amazon ECS compute platform:

     Call the **attach-role-policy** command to give the service role named **CodeDeployServiceRole** the permissions based on the IAM managed policy named **AWSCodeDeployRoleForECS** or **AWSCodeDeployRoleForECSLimited**. For example:

     ```
     aws iam attach-role-policy --role-name CodeDeployServiceRole --policy-arn arn:aws:iam::aws:policy/AWSCodeDeployRoleForECS
     ```

For more information about creating service roles, see [Creating a role for an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-xacct.html) in the *IAM User Guide*.
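
The CLI procedure above hands `create-role` a trust-policy file written by hand. The following Python example is added here and is not part of the AWS guide: it builds the same document for a chosen set of Regions (or the global principal when no Regions are given) and checks an existing file for the two mistakes the notes above call out, a trailing comma after the last endpoint and a principal that is not a CodeDeploy endpoint. The function names and the demo file name are my own.

```python
"""Build a region-scoped CodeDeploy service-role trust policy and check one.

Added example for this guide; the file name and function names are my own.
"""
import json
import re

GLOBAL_PRINCIPAL = "codedeploy.amazonaws.com"
REGION_RE = re.compile(r"^[a-z]{2}-[a-z]+-\d$")


def build_trust_policy(regions=None):
    """Return the trust policy as a dict.

    With no Regions, trust the global principal (all supported endpoints),
    exactly as the first file in the procedure does. With Regions, trust only
    those regional endpoints, as the second file does after pruning.
    """
    if regions:
        bad = [r for r in regions if not REGION_RE.match(r)]
        if bad:
            raise ValueError(f"not Region codes: {bad}")
        # sorted(set(...)) drops duplicates such as a repeated ca-central-1
        services = [f"codedeploy.{r}.amazonaws.com" for r in sorted(set(regions))]
    else:
        services = [GLOBAL_PRINCIPAL]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {"Service": services},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def build_trust_policy_json(regions=None):
    """Serialise the policy; json.dumps never emits a trailing comma."""
    return json.dumps(build_trust_policy(regions), indent=4)


def trusted_codedeploy_regions(policy_text):
    """Return the set of Regions a trust-policy document lets CodeDeploy assume
    the role from ({'all'} for the global principal).

    Raises ValueError for invalid JSON (the trailing-comma mistake the Note
    warns about), for any principal that is not a CodeDeploy endpoint, and for
    any statement other than Allow sts:AssumeRole to a Service principal.
    """
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"trust policy is not valid JSON: {exc}") from None
    regions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            raise ValueError("trust policy contains a non-Allow statement")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if actions != ["sts:AssumeRole"]:
            raise ValueError(f"unexpected actions in trust policy: {actions}")
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            raise ValueError("trust policy must name only a Service principal")
        services = principal["Service"]
        services = [services] if isinstance(services, str) else services
        for svc in services:
            if svc == GLOBAL_PRINCIPAL:
                regions.add("all")
                continue
            m = re.fullmatch(r"codedeploy\.([a-z0-9-]+)\.amazonaws\.com", svc)
            if not m or not REGION_RE.match(m.group(1)):
                raise ValueError(f"principal is not a CodeDeploy endpoint: {svc}")
            regions.add(m.group(1))
    return regions


if __name__ == "__main__":
    # Write the file the create-role step expects, then show the command.
    with open("CodeDeployDemo-Trust.json", "w", encoding="utf-8") as fh:
        fh.write(build_trust_policy_json(["us-east-1", "eu-west-1"]))
    print("aws iam create-role --role-name CodeDeployServiceRole "
          "--assume-role-policy-document file://CodeDeployDemo-Trust.json")
```

Run `trusted_codedeploy_regions` on the file before calling `create-role`; IAM rejects malformed JSON, but a stray non-CodeDeploy principal would be accepted and silently widen who may assume the role.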

## Get the service role ARN (console)
<a name="getting-started-get-service-role-console"></a>

To use the IAM console to get the ARN of the service role:

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**.

1. In the **Filter** box, type **CodeDeployServiceRole**, and then press Enter.

1. Choose **CodeDeployServiceRole**.

1. Make a note of the value of the **Role ARN** field.

## Get the service role ARN (CLI)
<a name="getting-started-get-service-role-cli"></a>

To use the AWS CLI to get the ARN of the service role, call the **get-role** command against the service role named **CodeDeployServiceRole**:

```
aws iam get-role --role-name CodeDeployServiceRole --query "Role.Arn" --output text
```

The value returned is the ARN of the service role.

# Step 3: Limit the CodeDeploy user's permissions
<a name="getting-started-policy"></a>

For security reasons, we recommend that you limit the permissions of the administrative user that you created in [Step 1: Setting up](getting-started-setting-up.md) to just those required to create and manage deployments in CodeDeploy.

Use the following series of procedures to limit the CodeDeploy administrative user's permissions.

**Before you begin**
+ Make sure you have created a CodeDeploy administrative user in IAM Identity Center following the instructions in [Step 1: Setting up](getting-started-setting-up.md).

**To create a permission set**

You'll assign this permission set to the CodeDeploy administrative user later.

1. Sign in to the AWS Management Console and open the AWS IAM Identity Center console at [https://console.aws.amazon.com/singlesignon/](https://console.aws.amazon.com/singlesignon/).

1. In the navigation pane, choose **Permission sets**, and then choose **Create permission set**.

1. Choose **Custom permission set**.

1. Choose **Next**.

1. Choose **Inline policy**.

1. Remove the sample code.

1. Add the following policy code:

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "CodeDeployAccessPolicy",
               "Effect": "Allow",
               "Action": [
                   "autoscaling:*",
                   "codedeploy:*",
                   "ec2:*",
                   "lambda:*",
                   "ecs:*",
                   "elasticloadbalancing:*",
                   "iam:AddRoleToInstanceProfile",
                   "iam:AttachRolePolicy",
                   "iam:CreateInstanceProfile",
                   "iam:CreateRole",
                   "iam:DeleteInstanceProfile",
                   "iam:DeleteRole",
                   "iam:DeleteRolePolicy",
                   "iam:GetInstanceProfile",
                   "iam:GetRole",
                   "iam:GetRolePolicy",
                   "iam:ListInstanceProfilesForRole",
                   "iam:ListRolePolicies",
                   "iam:ListRoles",
                   "iam:PutRolePolicy",
                   "iam:RemoveRoleFromInstanceProfile",
                   "s3:*",
                   "ssm:*"
               ],
               "Resource": "*"
           },
           {
               "Sid": "CodeDeployRolePolicy",
               "Effect": "Allow",
               "Action": [
                   "iam:PassRole"
               ],
               "Resource": "arn:aws:iam::111122223333:role/CodeDeployServiceRole"
           }
       ]
   }
   ```


   In this policy, replace *arn:aws:iam::111122223333:role/CodeDeployServiceRole* (where *111122223333* is a placeholder account ID) with the ARN of the CodeDeploy service role that you created in [Step 2: Create a service role for CodeDeploy](getting-started-create-service-role.md). You can find the ARN value on the details page of the service role in the IAM console.

   The preceding policy lets you deploy an application to an AWS Lambda compute platform, an EC2/On-Premises compute platform, and an Amazon ECS compute platform.

   You can use the CloudFormation templates provided in this documentation to launch Amazon EC2 instances that are compatible with CodeDeploy. To use CloudFormation templates to create applications, deployment groups, or deployment configurations, you must provide access to CloudFormation—and AWS services and actions that CloudFormation depends on—by adding the `cloudformation:*` permission to the CodeDeploy administrative user's permission policy, like this:

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "cloudformation:*"
               ],
               "Resource": "*"
           }
       ]
   }
   ```


1. Choose **Next**.

1. In **Permission set name**, enter:

   ```
   CodeDeployUserPermissionSet
   ```

1. Choose **Next**.

1. On the **Review and create** page, review the information and choose **Create**.
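
The following Python example is added here and is not AWS code. It fills the placeholder account ID into the permission-set policy from this procedure and audits any IAM policy document for how `iam:PassRole` is scoped, because the point of the second statement is that the CodeDeploy administrative user may hand CodeDeploy only the one service role, not any role in the account. The function names are my own.

```python
"""Fill in the CodeDeploy permission-set policy and audit iam:PassRole scope.

Added example for this guide, not AWS code; function names are my own.
"""
import copy
import fnmatch
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

# The permission-set policy from this step; 111122223333 is the placeholder
# account ID the guide uses.
PERMISSION_SET_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CodeDeployAccessPolicy",
            "Effect": "Allow",
            "Action": [
                "autoscaling:*", "codedeploy:*", "ec2:*", "lambda:*", "ecs:*",
                "elasticloadbalancing:*",
                "iam:AddRoleToInstanceProfile", "iam:AttachRolePolicy",
                "iam:CreateInstanceProfile", "iam:CreateRole",
                "iam:DeleteInstanceProfile", "iam:DeleteRole",
                "iam:DeleteRolePolicy", "iam:GetInstanceProfile", "iam:GetRole",
                "iam:GetRolePolicy", "iam:ListInstanceProfilesForRole",
                "iam:ListRolePolicies", "iam:ListRoles", "iam:PutRolePolicy",
                "iam:RemoveRoleFromInstanceProfile",
                "s3:*", "ssm:*",
            ],
            "Resource": "*",
        },
        {
            "Sid": "CodeDeployRolePolicy",
            "Effect": "Allow",
            "Action": ["iam:PassRole"],
            "Resource": "arn:aws:iam::111122223333:role/CodeDeployServiceRole",
        },
    ],
}


def render_permission_set(account_id, role_name="CodeDeployServiceRole"):
    """Return the policy with the PassRole resource pointing at the service
    role in the given account (what the 'replace the ARN' instruction does)."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("AWS account ID must be exactly 12 digits")
    policy = copy.deepcopy(PERMISSION_SET_TEMPLATE)
    for stmt in policy["Statement"]:
        if stmt.get("Sid") == "CodeDeployRolePolicy":
            stmt["Resource"] = f"arn:aws:iam::{account_id}:role/{role_name}"
    return policy


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def passrole_resources(policy):
    """Resources of every Allow statement whose Action covers iam:PassRole,
    whether written literally or through a wildcard such as iam:* or *.
    IAM matches action names case-insensitively, so compare in lower case."""
    resources = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase("iam:passrole", a.lower())
               for a in _as_list(stmt.get("Action"))):
            resources.extend(_as_list(stmt.get("Resource")))
    return resources


def passrole_is_scoped(policy, role_arn):
    """True only if PassRole is granted for exactly role_arn and nothing else.
    A '*' here would let the user pass any role in the account to a service."""
    resources = passrole_resources(policy)
    return bool(resources) and all(r == role_arn for r in resources)
```

Running `passrole_is_scoped` against the permission set after you paste it catches the common slip of leaving the placeholder account ID, or a `*`, in the `Resource` field.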

**To assign the permission set to the CodeDeploy administrative user**

1. In the navigation pane, choose **AWS accounts**, and then select the check box next to the AWS account that you're currently signed in to.

1. Choose the **Assign users or groups** button.

1. Choose the **Users** tab.

1. Select the check box next to the CodeDeploy administrative user.

1. Choose **Next**.

1. Select the check box next to `CodeDeployUserPermissionSet`.

1. Choose **Next**.

1. Review the information and choose **Submit**.

   You have now assigned the CodeDeploy administrative user and `CodeDeployUserPermissionSet` to your AWS account, binding them together.

**To sign out and sign back in as the CodeDeploy administrative user**

1. Before you sign out, make sure you have the AWS access portal URL and the username and one-time password for the CodeDeploy administrative user.
**Note**  
If you do not have this information, go to the CodeDeploy administrative user details page in IAM Identity Center, choose **Reset password**, **Generate a one-time password [...]**, and **Reset password** again to display the information on the screen.

1. Sign out of AWS.

1. Paste the AWS access portal URL into your browser's address bar.

1. Sign in as the CodeDeploy administrative user.

   An **AWS account** box appears on the screen.

1. Choose **AWS account**, and then choose the name of the AWS account to which you assigned the CodeDeploy administrative user and permission set.

1. Next to the `CodeDeployUserPermissionSet`, choose **Management console**.

   The AWS Management Console appears. You are now signed in as the CodeDeploy administrative user with the limited permissions. You can now perform CodeDeploy-related operations, and *only* CodeDeploy-related operations, as this user.

# Step 4: Create an IAM instance profile for your Amazon EC2 instances
<a name="getting-started-create-iam-instance-profile"></a>

**Note**  
If you are using the Amazon ECS or AWS Lambda compute platform, skip this step.

Your Amazon EC2 instances need permission to access the Amazon S3 buckets or GitHub repositories where the applications are stored. To launch Amazon EC2 instances that are compatible with CodeDeploy, you must create an additional IAM role, an *instance profile*. These instructions show you how to create an IAM instance profile to attach to your Amazon EC2 instances. This role gives the CodeDeploy agent permission to access the Amazon S3 buckets or GitHub repositories where your applications are stored.

You can create an IAM instance profile with the AWS CLI, the IAM console, or the IAM APIs.

**Note**  
You can attach an IAM instance profile to an Amazon EC2 instance as you launch it or to a previously launched instance. For more information, see [Instance profiles](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-usingrole-instanceprofile.html).

**Topics**
+ [Create an IAM instance profile for your Amazon EC2 instances (CLI)](#getting-started-create-iam-instance-profile-cli)
+ [Create an IAM instance profile for your Amazon EC2 instances (console)](#getting-started-create-iam-instance-profile-console)

## Create an IAM instance profile for your Amazon EC2 instances (CLI)
<a name="getting-started-create-iam-instance-profile-cli"></a>

In these steps, we assume you have already followed the instructions in the first three steps of [Getting started with CodeDeploy](getting-started-codedeploy.md).

1. On your development machine, create a text file named `CodeDeployDemo-EC2-Trust.json`. Paste the following content, which allows Amazon EC2 to work on your behalf:

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "",
               "Effect": "Allow",
               "Principal": {
                   "Service": "ec2.amazonaws.com"
               },
               "Action": "sts:AssumeRole"
           }
       ]
   }
   ```

   If your instances run in the China Regions (cn-north-1 and cn-northwest-1), use the following trust policy instead:

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "",
               "Effect": "Allow",
               "Principal": {
                   "Service": [
                       "ec2.cn-north-1.amazonaws.com",
                       "ec2.cn-northwest-1.amazonaws.com"
                   ]
               },
               "Action": "sts:AssumeRole"
           }
       ]
   }
   ```

1. In the same directory, create a text file named `CodeDeployDemo-EC2-Permissions.json`. Paste the following content:

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Action": [
                   "s3:Get*",
                   "s3:List*"
               ],
               "Effect": "Allow",
               "Resource": "*"
           }
       ]
   }
   ```
**Note**  
We recommend that you restrict this policy to only those Amazon S3 buckets your Amazon EC2 instances must access. Make sure to give access to the Amazon S3 buckets that contain the CodeDeploy agent. Otherwise, an error might occur when the CodeDeploy agent is installed or updated on the instances. To grant the IAM instance profile access to only some CodeDeploy resource kit buckets in Amazon S3, use the following policy, but remove the lines for buckets you want to prevent access to:  

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "s3:Get*",
           "s3:List*"
         ],
         "Resource": [
           "arn:aws:s3:::amzn-s3-demo-bucket/*",
           "arn:aws:s3:::aws-codedeploy-us-east-2/*",
           "arn:aws:s3:::aws-codedeploy-us-east-1/*",
           "arn:aws:s3:::aws-codedeploy-us-west-1/*",
           "arn:aws:s3:::aws-codedeploy-us-west-2/*",
           "arn:aws:s3:::aws-codedeploy-ca-central-1/*",
           "arn:aws:s3:::aws-codedeploy-eu-west-1/*",
           "arn:aws:s3:::aws-codedeploy-eu-west-2/*",
           "arn:aws:s3:::aws-codedeploy-eu-west-3/*",
           "arn:aws:s3:::aws-codedeploy-eu-central-1/*",
           "arn:aws:s3:::aws-codedeploy-eu-central-2/*",
           "arn:aws:s3:::aws-codedeploy-eu-north-1/*",
           "arn:aws:s3:::aws-codedeploy-eu-south-1/*",
           "arn:aws:s3:::aws-codedeploy-eu-south-2/*",
           "arn:aws:s3:::aws-codedeploy-il-central-1/*",
           "arn:aws:s3:::aws-codedeploy-ap-east-1/*",
           "arn:aws:s3:::aws-codedeploy-ap-northeast-1/*",
           "arn:aws:s3:::aws-codedeploy-ap-northeast-2/*",
           "arn:aws:s3:::aws-codedeploy-ap-northeast-3/*",
           "arn:aws:s3:::aws-codedeploy-ap-southeast-1/*",
           "arn:aws:s3:::aws-codedeploy-ap-southeast-2/*",
           "arn:aws:s3:::aws-codedeploy-ap-southeast-3/*",
           "arn:aws:s3:::aws-codedeploy-ap-southeast-4/*",
           "arn:aws:s3:::aws-codedeploy-ap-south-1/*",
           "arn:aws:s3:::aws-codedeploy-ap-south-2/*",
           "arn:aws:s3:::aws-codedeploy-me-central-1/*",
           "arn:aws:s3:::aws-codedeploy-me-south-1/*",
           "arn:aws:s3:::aws-codedeploy-sa-east-1/*"
         ]
       }
     ]
   }
   ```
**Note**  
If you want to use [IAM authorization](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-authorization) or Amazon Virtual Private Cloud (VPC) endpoints with CodeDeploy, you will need to add more permissions. See [Use CodeDeploy with Amazon Virtual Private Cloud](https://docs.aws.amazon.com/codedeploy/latest/userguide/vpc-endpoints) for more information.

1. From the same directory, call the **create-role** command to create an IAM role named **CodeDeployDemo-EC2-Instance-Profile**, based on the information in the first file:
**Important**  
Be sure to include `file://` before the file name. It is required in this command.

   ```
   aws iam create-role --role-name CodeDeployDemo-EC2-Instance-Profile --assume-role-policy-document file://CodeDeployDemo-EC2-Trust.json
   ```

1. From the same directory, call the **put-role-policy** command to give the role named **CodeDeployDemo-EC2-Instance-Profile** the permissions based on the information in the second file:
**Important**  
Be sure to include `file://` before the file name. It is required in this command.

   ```
   aws iam put-role-policy --role-name CodeDeployDemo-EC2-Instance-Profile --policy-name CodeDeployDemo-EC2-Permissions --policy-document file://CodeDeployDemo-EC2-Permissions.json
   ```

1. Call the **attach-role-policy** command to give the role Amazon EC2 Systems Manager permissions so that SSM can install the CodeDeploy agent. This policy is not needed if you plan to install the agent from the public Amazon S3 bucket with the command line. Learn more about [installing the CodeDeploy agent](https://docs.aws.amazon.com/codedeploy/latest/userguide/codedeploy-agent-operations-install.html).

   ```
   aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore --role-name CodeDeployDemo-EC2-Instance-Profile
   ```

1. Call the **create-instance-profile** command followed by the **add-role-to-instance-profile** command to create an IAM instance profile named **CodeDeployDemo-EC2-Instance-Profile**. The instance profile allows Amazon EC2 to pass the IAM role named **CodeDeployDemo-EC2-Instance-Profile** to an Amazon EC2 instance when the instance is first launched:

   ```
   aws iam create-instance-profile --instance-profile-name CodeDeployDemo-EC2-Instance-Profile
   aws iam add-role-to-instance-profile --instance-profile-name CodeDeployDemo-EC2-Instance-Profile --role-name CodeDeployDemo-EC2-Instance-Profile
   ```

   If you need to get the name of the IAM instance profile, see [list-instance-profiles-for-role](https://docs.aws.amazon.com/cli/latest/reference/iam/list-instance-profiles-for-role.html) in the IAM section of the *AWS CLI Reference*.

You've now created an IAM instance profile to attach to your Amazon EC2 instances. For more information, see [IAM roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) in the *Amazon EC2 User Guide*.

## Create an IAM instance profile for your Amazon EC2 instances (console)
<a name="getting-started-create-iam-instance-profile-console"></a>

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the IAM console, in the navigation pane, choose **Policies**, and then choose **Create policy**.

1. On the **Specify permissions** page, choose **JSON**.

1. Remove the example `JSON` code.

1. Paste the following code:

   ```
   {
       "Version": "2012-10-17",		 	 	 
       "Statement": [
           {
               "Action": [
                   "s3:Get*",
                   "s3:List*"
               ],
               "Effect": "Allow",
               "Resource": "*"
           }
       ]
   }
   ```
**Note**  
We recommend that you restrict this policy to only those Amazon S3 buckets your Amazon EC2 instances must access. Make sure to give access to the Amazon S3 buckets that contain the CodeDeploy agent. Otherwise, an error might occur when the CodeDeploy agent is installed or updated on the instances. To grant the IAM instance profile access to only some CodeDeploy resource kit buckets in Amazon S3, use the following policy, but remove the lines for buckets you want to prevent access to:  

   ```
   {
     "Version": "2012-10-17",		 	 	 
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "s3:Get*",
           "s3:List*"
         ],
         "Resource": [
           "arn:aws:s3:::amzn-s3-demo-bucket/*",
           "arn:aws:s3:::aws-codedeploy-us-east-2/*",
           "arn:aws:s3:::aws-codedeploy-us-east-1/*",
           "arn:aws:s3:::aws-codedeploy-us-west-1/*",
           "arn:aws:s3:::aws-codedeploy-us-west-2/*",
           "arn:aws:s3:::aws-codedeploy-ca-central-1/*",
           "arn:aws:s3:::aws-codedeploy-eu-west-1/*",
           "arn:aws:s3:::aws-codedeploy-eu-west-2/*",
           "arn:aws:s3:::aws-codedeploy-eu-west-3/*",
           "arn:aws:s3:::aws-codedeploy-eu-central-1/*",
           "arn:aws:s3:::aws-codedeploy-eu-central-2/*",
           "arn:aws:s3:::aws-codedeploy-eu-north-1/*",
           "arn:aws:s3:::aws-codedeploy-eu-south-1/*",
           "arn:aws:s3:::aws-codedeploy-eu-south-2/*",
           "arn:aws:s3:::aws-codedeploy-il-central-1/*",
           "arn:aws:s3:::aws-codedeploy-ap-east-1/*",
           "arn:aws:s3:::aws-codedeploy-ap-northeast-1/*",
           "arn:aws:s3:::aws-codedeploy-ap-northeast-2/*",
           "arn:aws:s3:::aws-codedeploy-ap-northeast-3/*",
           "arn:aws:s3:::aws-codedeploy-ap-southeast-1/*",        
           "arn:aws:s3:::aws-codedeploy-ap-southeast-2/*",
           "arn:aws:s3:::aws-codedeploy-ap-southeast-3/*",
           "arn:aws:s3:::aws-codedeploy-ap-southeast-4/*",
           "arn:aws:s3:::aws-codedeploy-ap-south-1/*",
           "arn:aws:s3:::aws-codedeploy-ap-south-2/*",
           "arn:aws:s3:::aws-codedeploy-me-central-1/*",
           "arn:aws:s3:::aws-codedeploy-me-south-1/*",
           "arn:aws:s3:::aws-codedeploy-sa-east-1/*"
         ]
       }
     ]
   }
   ```
**Note**  
If you want to use [IAM authorization](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-authorization) or Amazon Virtual Private Cloud (VPC) endpoints with CodeDeploy, you will need to add more permissions. See [Use CodeDeploy with Amazon Virtual Private Cloud](https://docs.aws.amazon.com/codedeploy/latest/userguide/vpc-endpoints) for more information.

1. Choose **Next**.

1. On the **Review and create** page, in the **Policy name** box, type **CodeDeployDemo-EC2-Permissions**.

1. (Optional) For **Description**, type a description for the policy.

1. Choose **Create policy**.

1. In the navigation pane, choose **Roles**, and then choose **Create role**.

1. Under **Use case**, choose the **EC2** use case.

1. Choose **Next**.

1. In the list of policies, select the check box next to the policy you just created (**CodeDeployDemo-EC2-Permissions**). If necessary, use the search box to find the policy.

1. To use Systems Manager to install or configure the CodeDeploy agent, select the check box next to **AmazonSSMManagedInstanceCore**. This AWS managed policy enables an instance to use Systems Manager service core functionality. If necessary, use the search box to find the policy. This policy is not needed if you plan to install the agent from the public Amazon S3 bucket with the command line. Learn more about [installing the CodeDeploy agent](https://docs.aws.amazon.com/codedeploy/latest/userguide/codedeploy-agent-operations-install.html).

1. Choose **Next**.

1. On the **Name, review, and create** page, in **Role name**, enter a name for the service role (for example, **CodeDeployDemo-EC2-Instance-Profile**), and then choose **Create role**.

   You can also enter a description for this service role in **Role description**.

You've now created an IAM instance profile to attach to your Amazon EC2 instances. For more information, see [IAM roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) in the *Amazon EC2 User Guide*.
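Both the CLI and the console procedure above attach the same S3 read policy to the instance profile, and both carry the note recommending that `"Resource": "*"` be narrowed to the CodeDeploy resource kit buckets plus your own revision buckets. The following Python is an added example, not part of the AWS documentation: it builds that narrowed policy from a list of regions and checks any policy document for the broad `*` grant and for agent-bucket coverage. The `aws-codedeploy-<region>` bucket naming follows the ARNs listed above; the installer object key, the fnmatch-based ARN matching and the application bucket name are assumptions.

```python
import fnmatch
import json

# Assumptions for this example: resource kit buckets are named
# aws-codedeploy-<region> (as in the ARN list above); the agent installer
# object key inside them is taken to be latest/install.
AGENT_BUCKET_PREFIX = "aws-codedeploy-"
AGENT_INSTALLER_KEY = "latest/install"
S3_READ_ACTIONS = ["s3:Get*", "s3:List*"]


def build_instance_profile_policy(regions, app_buckets):
    """Scoped-down replacement for the "Resource": "*" policy: read access
    only to the agent buckets for `regions` and to the listed app buckets."""
    resources = [f"arn:aws:s3:::{b}/*" for b in app_buckets]
    resources += [f"arn:aws:s3:::{AGENT_BUCKET_PREFIX}{r}/*" for r in regions]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": S3_READ_ACTIONS, "Resource": resources}
        ],
    }


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def allow_statements_with_star_resource(policy):
    """Indexes of Allow statements whose Resource is a bare "*": the
    over-broad grant the note above recommends restricting."""
    return [
        i for i, stmt in enumerate(policy["Statement"])
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", []))
    ]


def agent_download_allowed(policy, region):
    """True if some Allow statement lets the instance fetch the agent
    installer from the region's resource kit bucket. Wildcards are matched
    with fnmatchcase, an approximation of IAM's ARN wildcard matching."""
    target = f"arn:aws:s3:::{AGENT_BUCKET_PREFIX}{region}/{AGENT_INSTALLER_KEY}"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase("s3:GetObject", a) for a in _as_list(stmt.get("Action", []))):
            continue
        if any(fnmatch.fnmatchcase(target, r) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False


def write_policy_file(policy, path):
    """Write the policy as the file passed to put-role-policy via file://."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=4)
```

Run `allow_statements_with_star_resource` against the policy you are about to hand to `put-role-policy` and `agent_download_allowed` for every Region your instances launch in; a missing Region here is the install-time failure the note above warns about.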