Step 2: Create a service role for CodeDeploy
In AWS, service roles are used to grant permissions to an AWS service so it can access AWS resources. The policies that you attach to the service role determine which resources the service can access and what it can do with those resources.
The service role you create for CodeDeploy must be granted the permissions required for your compute platform. If you deploy to more than one compute platform, create one service role for each. To add permissions, attach one or more of the following AWS supplied policies:
For EC2/On-Premises deployments, attach the
AWSCodeDeployRole
policy. It provides the permissions for your
service role to:
-
Read the tags on your instances or identify your Amazon EC2 instances by Amazon EC2 Auto Scaling group names.
-
Read, create, update, and delete Amazon EC2 Auto Scaling groups, lifecycle hooks, and scaling policies.
-
Publish information to Amazon SNS topics.
-
Retrieve information about CloudWatch alarms.
-
Read and update Elastic Load Balancing.
Note
If you create your Auto Scaling group with a launch template, you must add the following permissions:
-
ec2:RunInstances
-
ec2:CreateTags
-
iam:PassRole
For more information, see Step 2: Create a service role, Creating a launch template for an Auto Scaling group, and Launch template support in the Amazon EC2 Auto Scaling User Guide.
-
For Amazon ECS deployments, if you want full access to support services, attach
the AWSCodeDeployRoleForECS
policy. It provides the permissions for
your service role to:
-
Read, update, and delete Amazon ECS task sets.
-
Update Elastic Load Balancing target groups, listeners, and rules.
-
Invoke AWS Lambda functions.
-
Access revision files in Amazon S3 buckets.
-
Retrieve information about CloudWatch alarms.
-
Publish information to Amazon SNS topics.
For Amazon ECS deployments, if you want limited access to support services,
attach the AWSCodeDeployRoleForECSLimited
policy. It provides the
permissions for your service role to:
-
Read, update, and delete Amazon ECS task sets.
-
Retrieve information about CloudWatch alarms.
-
Publish information to Amazon SNS topics.
For AWS Lambda deployments, if you want to allow publishing to Amazon SNS, attach
the AWSCodeDeployRoleForLambda
policy. It provides the permissions
for your service role to:
-
Read, update, and invoke AWS Lambda functions and aliases.
-
Access revision files in Amazon S3 buckets.
-
Retrieve information about CloudWatch alarms.
-
Publish information to Amazon SNS topics.
For AWS Lambda deployments, if you want to limit access to Amazon SNS, attach the
AWSCodeDeployRoleForLambdaLimited
policy. It provides the
permissions for your service role to:
-
Read, update, and invoke AWS Lambda functions and aliases.
-
Access revision files in Amazon S3 buckets.
-
Retrieve information about CloudWatch alarms.
As part of setting up the service role, you also update its trust relationship to specify the endpoints to which you want to grant it access.
You can create a service role with the IAM console, the AWS CLI, or the IAM APIs.
Topics
Create a service role (console)
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
. In the navigation pane, choose Roles, and then choose Create role.
-
Choose AWS service, and under Use case, from the drop-down list, choose CodeDeploy.
-
Choose your use case:
-
For EC2/On-Premises deployments, choose CodeDeploy.
-
For AWS Lambda deployments, choose CodeDeploy for Lambda.
-
For Amazon ECS deployments, choose CodeDeploy - ECS.
-
Choose Next.
-
On the Add permissions page, the correct permissions policy for the use case is displayed. Choose Next.
-
On the Name, review, and create page, in Role name, enter a name for the service role (for example,
CodeDeployServiceRole
), and then choose Create role.You can also enter a description for this service role in Role description.
-
If you want this service role to have permission to access all currently supported endpoints, you are finished with this procedure.
To restrict this service role from access to some endpoints, continue with the remaining steps in this procedure.
In the list of roles, search for and choose the role you just created (
CodeDeployServiceRole
).-
Choose the Trust relationships tab.
Choose Edit trust policy.
You should see the following policy, which provides the service role permission to access all supported endpoints:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": [ "codedeploy.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }
To grant the service role access to only some supported endpoints, replace the contents of the trust policy text box with the following policy. Remove the lines for the endpoints you want to prevent access to, and then choose Update policy.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": [ "codedeploy.us-east-1.amazonaws.com", "codedeploy.us-east-2.amazonaws.com", "codedeploy.us-west-1.amazonaws.com", "codedeploy.us-west-2.amazonaws.com", "codedeploy.ca-central-1.amazonaws.com", "codedeploy.ap-east-1.amazonaws.com", "codedeploy.ap-northeast-1.amazonaws.com", "codedeploy.ap-northeast-2.amazonaws.com", "codedeploy.ap-northeast-3.amazonaws.com", "codedeploy.ap-southeast-1.amazonaws.com", "codedeploy.ap-southeast-2.amazonaws.com", "codedeploy.ap-southeast-3.amazonaws.com", "codedeploy.ap-southeast-4.amazonaws.com", "codedeploy.ap-south-1.amazonaws.com", "codedeploy.ap-south-2.amazonaws.com", "codedeploy.ca-central-1.amazonaws.com", "codedeploy.eu-west-1.amazonaws.com", "codedeploy.eu-west-2.amazonaws.com", "codedeploy.eu-west-3.amazonaws.com", "codedeploy.eu-central-1.amazonaws.com", "codedeploy.eu-central-2.amazonaws.com", "codedeploy.eu-north-1.amazonaws.com", "codedeploy.eu-south-1.amazonaws.com", "codedeploy.eu-south-2.amazonaws.com", "codedeploy.il-central-1.amazonaws.com", "codedeploy.me-central-1.amazonaws.com", "codedeploy.me-south-1.amazonaws.com", "codedeploy.sa-east-1.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }
For more information about creating service roles, see Creating a role to delegate permissions to an AWS service in the IAM User Guide.
Create a service role (CLI)
-
On your development machine, create a text file named, for example,
CodeDeployDemo-Trust.json
. This file is used to allow CodeDeploy to work on your behalf.Do one of the following:
-
To grant access to all supported AWS Regions, save the following content in the file:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": [ "codedeploy.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }
-
To grant access to only some supported regions, type the following content into the file, and remove the lines for the regions to which you want to exclude access:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": [ "codedeploy.us-east-1.amazonaws.com", "codedeploy.us-east-2.amazonaws.com", "codedeploy.us-west-1.amazonaws.com", "codedeploy.us-west-2.amazonaws.com", "codedeploy.ca-central-1.amazonaws.com", "codedeploy.ap-east-1.amazonaws.com", "codedeploy.ap-northeast-1.amazonaws.com", "codedeploy.ap-northeast-2.amazonaws.com", "codedeploy.ap-northeast-3.amazonaws.com", "codedeploy.ap-southeast-1.amazonaws.com", "codedeploy.ap-southeast-2.amazonaws.com", "codedeploy.ap-southeast-3.amazonaws.com", "codedeploy.ap-southeast-4.amazonaws.com", "codedeploy.ap-south-1.amazonaws.com", "codedeploy.ap-south-2.amazonaws.com", "codedeploy.ca-central-1.amazonaws.com", "codedeploy.eu-west-1.amazonaws.com", "codedeploy.eu-west-2.amazonaws.com", "codedeploy.eu-west-3.amazonaws.com", "codedeploy.eu-central-1.amazonaws.com", "codedeploy.eu-central-2.amazonaws.com", "codedeploy.eu-north-1.amazonaws.com", "codedeploy.eu-south-1.amazonaws.com", "codedeploy.eu-south-2.amazonaws.com", "codedeploy.il-central-1.amazonaws.com", "codedeploy.me-central-1.amazonaws.com", "codedeploy.me-south-1.amazonaws.com", "codedeploy.sa-east-1.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }
Note
Do not use a comma after the last endpoint in the list.
-
-
From the same directory, call the create-role command to create a service role named
CodeDeployServiceRole
based on the information in the text file you just created:aws iam create-role --role-name CodeDeployServiceRole --assume-role-policy-document file://CodeDeployDemo-Trust.json
Important
Be sure to include
file://
before the file name. It is required in this command.In the command's output, make a note of the value of the
Arn
entry under theRole
object. You need it later when you create deployment groups. If you forget the value, follow the instructions in Get the service role ARN (CLI) . -
The managed policy you use depends on the compute platform.
-
If your deployment is to an EC2/On-Premises compute platform:
Call the attach-role-policy command to give the service role named
CodeDeployServiceRole
the permissions based on the IAM managed policy namedAWSCodeDeployRole
. For example:aws iam attach-role-policy --role-name CodeDeployServiceRole --policy-arn arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole
-
If your deployment is to an AWS Lambda compute platform:
Call the attach-role-policy command to give the service role named
CodeDeployServiceRole
the permissions based on the IAM managed policy namedAWSCodeDeployRoleForLambda
orAWSCodeDeployRoleForLambdaLimited
. For example:aws iam attach-role-policy --role-name CodeDeployServiceRole --policy-arn arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda
-
If your deployment is to an Amazon ECS compute platform:
Call the attach-role-policy command to give the service role named
CodeDeployServiceRole
the permissions based on the IAM managed policy namedAWSCodeDeployRoleForECS
orAWSCodeDeployRoleForECSLimited
. For example:aws iam attach-role-policy --role-name CodeDeployServiceRole --policy-arn arn:aws:iam::aws:policy/AWSCodeDeployRoleForECS
-
For more information about creating service roles, see Creating a role for an AWS service in the IAM User Guide.
Get the service role ARN (console)
To use the IAM console to get the ARN of the service role:
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane, choose Roles.
-
In the Filter box, type
CodeDeployServiceRole
, and then press Enter. -
Choose CodeDeployServiceRole.
-
Make a note of the value of the Role ARN field.
Get the service role ARN (CLI)
To use the AWS CLI to get the ARN of the service role, call the get-role
command against the service role named CodeDeployServiceRole
:
aws iam get-role --role-name CodeDeployServiceRole --query "Role.Arn" --output text
The value returned is the ARN of the service role.