codedeploy plugin

jphornor September 9, 2016

We're struggling to get the CodeDeploy plugin configured properly. 

We have an Elastic Beanstalk application tied to an S3 bucket. We created an IAM policy with the following: 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:PutObject"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "codedeploy:*"
            ],
            "Resource": "arn:aws:s3:::<S3 Bucket Reference Per Instructions>"
        },
        {
            "Sid": "<Statement ID Autogenerated>",
            "Effect": "Allow",
            "Action": [
                "autoscaling:CompleteLifecycleAction",
                "autoscaling:DeleteLifecycleHook",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLifecycleHooks",
                "autoscaling:PutLifecycleHook",
                "autoscaling:RecordLifecycleActionHeartbeat"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

The policy has the following Trust Relationships: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AWS Account ID Per Instructions>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<Connection ID Per Instructions>"
        }
      }
    }
  ]
}

We have selected the proper AWS Region. 

When we attempt to Save and Continue, we either get an error like "Please check you have entered the correct ARN and the role has sufficient permissions" OR a server error. Nothing shows up in the server logs, so we're guessing no connection was actually made to the server. 

Any help would be greatly appreciated! 

Answer accepted
Tom Kane, Atlassian Team
September 9, 2016

I believe the problem lies with the codedeploy Resource in your IAM policy.

{
            "Effect": "Allow",
            "Action": [
                "codedeploy:*"
            ],
            "Resource": "arn:aws:s3:::<S3 Bucket Reference Per Instructions>"
        },

I tried setting Resource to my S3 bucket and I receive the same error. Various attempts at limiting Resource to one S3 bucket failed. The add-on needs the s3:ListAllMyBuckets action on arn:aws:s3:::* because it displays all buckets in a dropdown as the last configuration step. (AWS CodeDeploy might also need access to other resources like EC2 but this is just a guess.)

If you want to limit access, the following policy worked for me. Although the add-on can list all your buckets, you can limit s3:ListBucket, s3:PutObject, s3:GetObject, and s3:DeleteObject to the bucket for your CodeDeploy project.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<S3 Bucket Reference Per Instructions>"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<S3 Bucket Reference Per Instructions>/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "codedeploy:*"
            ],
            "Resource": "*"
        }
    ]
}

jphornor September 9, 2016

That did the trick! Thanks so much, Tom! You're a life saver!
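The reason the original policy failed is easier to see with a policy evaluator in hand. The following Python script is an added example, not code from the Bitbucket CodeDeploy add-on, from AWS, or from either poster. It is a deliberately simplified IAM evaluator (Allow statements with Action/Resource wildcards only; no Deny, NotAction or Condition handling) and runs both policies, condensed from the thread, against a constructed list of the requests the add-on makes. The bucket ARN, account ID, region and application names are placeholders.

```python
import re

# Added example, not code from the Bitbucket CodeDeploy add-on or from AWS.
# Simplified IAM evaluation: Allow statements with Action/Resource wildcards
# only (no Deny, NotAction or Condition). Enough to show why the original
# policy's codedeploy statement never matches a CodeDeploy request while
# the corrected policy does.

# Placeholder bucket ARN; not a real resource.
BUCKET = "arn:aws:s3:::my-deploy-bucket"

# Condensed from the question: codedeploy:* is scoped to an S3 bucket ARN.
# (The autoscaling lifecycle-hook statement is omitted; it is not involved.)
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:PutObject"],
         "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["codedeploy:*"], "Resource": BUCKET},
    ],
}

# Condensed from the accepted answer: S3 access limited to one bucket,
# codedeploy:* on "*".
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
         "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET]},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": [BUCKET + "/*"]},
        {"Effect": "Allow", "Action": ["codedeploy:*"], "Resource": "*"},
    ],
}

# Constructed (action, resource) pairs approximating what the add-on does:
# list buckets for the dropdown, upload a revision, then drive CodeDeploy.
# Account ID, region and application names are placeholders.
REQUESTS = [
    ("s3:ListAllMyBuckets", "arn:aws:s3:::*"),
    ("s3:ListBucket", BUCKET),
    ("s3:PutObject", BUCKET + "/app/revision.zip"),
    ("codedeploy:ListApplications",
     "arn:aws:codedeploy:us-east-1:123456789012:application:*"),
    ("codedeploy:CreateDeployment",
     "arn:aws:codedeploy:us-east-1:123456789012:deploymentgroup:my-app/my-dg"),
]


def iam_glob(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = "^" + "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    ) + "$"
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(regex, value, flags) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement matches both the action and the resource.
    Action names are case-insensitive in IAM; resource ARNs are not."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(iam_glob(a, action, ignore_case=True) for a in actions):
            continue
        if any(iam_glob(r, resource) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False


def denied_requests(policy: dict, requests) -> list:
    """The (action, resource) pairs the policy does not allow."""
    return [(a, r) for a, r in requests if not is_allowed(policy, a, r)]


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "denies:", denied_requests(policy, REQUESTS))
```

With the original policy every codedeploy request is denied: the statement only matches when the resource is the S3 bucket ARN, which CodeDeploy never presents, so `codedeploy:*` on that ARN grants nothing usable. The corrected policy allows all five requests while still confining object and bucket access to one bucket. For the real role, `aws iam simulate-principal-policy --policy-source-arn <role ARN> --action-names <actions> --resource-arns <ARNs>` gives the authoritative answer, including Deny and Condition handling this toy evaluator leaves out.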
