codedeploy plugin

We're struggling to get the CodeDeploy plugin configured properly. 

We have an Elastic Beanstalk application tied to an S3 bucket. We created an IAM policy with the following: 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:PutObject"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "codedeploy:*"
            ],
            "Resource": "arn:aws:s3:::<S3 Bucket Reference Per Instructions>"
        },
        {
            "Sid": "<Statement ID Autogenerated>",
            "Effect": "Allow",
            "Action": [
                "autoscaling:CompleteLifecycleAction",
                "autoscaling:DeleteLifecycleHook",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLifecycleHooks",
                "autoscaling:PutLifecycleHook",
                "autoscaling:RecordLifecycleActionHeartbeat"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

The policy has the following Trust Relationships: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AWS Account ID Per Instructions>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<Connection ID Per Instructions>"
        }
      }
    }
  ]
}

We have selected the proper AWS Region. 

When we attempt to Save and Continue, we either get an error like "Please check you have entered the correct ARN and the role has sufficient permissions" OR a server error. Nothing shows up in the server logs, so we're guessing no connection was actually made to the server. 

Any help would be greatly appreciated! 

1 answer

1 accepted

Tom Kane Atlassian Team Sep 09, 2016

I believe the problem lies with the codedeploy Resource in your IAM policy.

{
            "Effect": "Allow",
            "Action": [
                "codedeploy:*"
            ],
            "Resource": "arn:aws:s3:::<S3 Bucket Reference Per Instructions>"
        },

I tried setting Resource to my S3 bucket and I receive the same error. Various attempts at limiting Resource to one S3 bucket failed. The add-on needs the s3:ListAllMyBuckets action on arn:aws:s3:::* because it displays all buckets in a dropdown as the last configuration step. (AWS CodeDeploy might also need access to other resources like EC2 but this is just a guess.)

If you want to limit access, the following policy worked for me. Although the add-on can list all your buckets, you can limit s3:ListBucket, s3:PutObject, s3:GetObject, and s3:DeleteObject to the bucket for your CodeDeploy project.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<S3 Bucket Reference Per Instructions>"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<S3 Bucket Reference Per Instructions>/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "codedeploy:*"
            ],
            "Resource": "*"
        }
    ]
}

That did the trick! Thanks so much, Tom! You're a life saver!
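As an added example (not code from this thread or from the plugin), here is a small Python linter that checks an IAM policy document for the resource mismatches Tom describes: a codedeploy:* statement scoped to an S3 ARN can never match a CodeDeploy request, s3:ListAllMyBuckets only works on arn:aws:s3:::* (or *), object actions need bucket/* while ListBucket needs the bare bucket ARN, and object actions on * are broader than the one bucket the add-on needs. The bucket name and the two embedded policies are constructed to mirror the question's policy and the accepted one.

```python
# Bucket-level S3 actions match arn:aws:s3:::bucket; object-level ones match bucket/*.
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_LEVEL = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject"}


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return human-readable findings for the resource mismatches discussed above."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for res in _as_list(stmt.get("Resource", [])):
            # Service segment of the ARN ("s3" in arn:aws:s3:::bucket), None for "*".
            res_svc = res.split(":")[2] if res.startswith("arn:") else None
            for act in _as_list(stmt.get("Action", [])):
                act_svc = act.split(":")[0]
                if res_svc and res_svc != act_svc:
                    findings.append(f"stmt {idx}: {act} on {res_svc} ARN never matches (dead grant)")
                elif act == "s3:ListAllMyBuckets" and res not in ("*", "arn:aws:s3:::*"):
                    findings.append(f"stmt {idx}: {act} must be on arn:aws:s3:::*")
                elif act in OBJECT_LEVEL and res_svc == "s3" and not res.endswith("*"):
                    findings.append(f"stmt {idx}: {act} needs an object ARN (bucket/*), got {res}")
                elif act in OBJECT_LEVEL and res in ("*", "arn:aws:s3:::*"):
                    findings.append(f"stmt {idx}: {act} on {res} is broader than one bucket")
                elif act in BUCKET_LEVEL and res.endswith("/*"):
                    findings.append(f"stmt {idx}: {act} needs a bucket ARN, got {res}")
    return findings


# Constructed samples mirroring the two policies in the thread; the bucket name is a placeholder.
BUCKET = "arn:aws:s3:::example-codedeploy-bucket"
ASKER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:PutObject"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["codedeploy:*"], "Resource": BUCKET},
    {"Effect": "Allow", "Action": ["autoscaling:DescribeAutoScalingGroups"], "Resource": ["*"]},
]}
ACCEPTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"], "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET]},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"], "Resource": [BUCKET + "/*"]},
    {"Effect": "Allow", "Action": ["codedeploy:*"], "Resource": "*"},
]}

if __name__ == "__main__":
    for name, pol in (("asker", ASKER_POLICY), ("accepted", ACCEPTED_POLICY)):
        print(name, lint_policy(pol) or ["no findings"])
```

Running it reports the dead codedeploy:* grant and the over-broad s3:PutObject for the first policy and nothing for the accepted one; pointing lint_policy at a policy loaded with json.load gives the same check for your own role.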
