AWS CodeDeploy
User Guide (API Version 2014-10-06)

Step 4: Create an IAM Instance Profile for Your Amazon EC2 Instances

Your Amazon EC2 instances need permission to access the Amazon S3 buckets or GitHub repositories where the applications that AWS CodeDeploy will deploy are stored. To launch Amazon EC2 instances that are compatible with AWS CodeDeploy, you must create an additional IAM role and place it in an instance profile, the container that lets an Amazon EC2 instance assume the role. These instructions show you how to create that IAM instance profile and attach it to your Amazon EC2 instances. Because the role is assumed by the instances themselves, it is the identity the AWS CodeDeploy agent running on them uses to access the Amazon S3 buckets or GitHub repositories where your applications are stored, so the permissions you grant it are available to any process on the instance.

You can create an IAM instance profile with the AWS CLI, the IAM console, or the IAM APIs.

Note

You can attach an IAM instance profile to an Amazon EC2 instance as you launch it or to a previously launched instance. For more information, see Instance Profiles.

Create an IAM Instance Profile for Your Amazon EC2 Instances (CLI)

In these steps, we assume you have already followed the instructions in Getting Started.

  1. On your development machine, create a text file named CodeDeployDemo-EC2-Trust.json. Paste the following content, which allows Amazon EC2 to work on your behalf:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  2. In the same directory, create a text file named CodeDeployDemo-EC2-Permissions.json. Paste the following content:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "s3:Get*",
            "s3:List*"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }

    Note

    The policy above grants s3:Get* and s3:List* on Resource "*", that is, read access to every object in every Amazon S3 bucket the account owns (and to any other bucket whose bucket policy admits this account). Any process on the instance that can reach the instance metadata service inherits that access, so we recommend that you restrict this policy to only those Amazon S3 buckets your Amazon EC2 instances must access. Make sure to give access to the Amazon S3 buckets that contain the AWS CodeDeploy agent. Otherwise, an error may occur when the AWS CodeDeploy agent is installed or updated on the instances. For example:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:Get*",
            "s3:List*"
          ],
          "Resource": [
            "arn:aws:s3:::codedeploydemobucket/*",
            "arn:aws:s3:::aws-codedeploy-us-east-2/*",
            "arn:aws:s3:::aws-codedeploy-us-east-1/*",
            "arn:aws:s3:::aws-codedeploy-us-west-1/*",
            "arn:aws:s3:::aws-codedeploy-us-west-2/*",
            "arn:aws:s3:::aws-codedeploy-ca-central-1/*",
            "arn:aws:s3:::aws-codedeploy-eu-west-1/*",
            "arn:aws:s3:::aws-codedeploy-eu-west-2/*",
            "arn:aws:s3:::aws-codedeploy-eu-central-1/*",
            "arn:aws:s3:::aws-codedeploy-ap-northeast-1/*",
            "arn:aws:s3:::aws-codedeploy-ap-northeast-2/*",
            "arn:aws:s3:::aws-codedeploy-ap-southeast-1/*",
            "arn:aws:s3:::aws-codedeploy-ap-southeast-2/*",
            "arn:aws:s3:::aws-codedeploy-ap-south-1/*",
            "arn:aws:s3:::aws-codedeploy-sa-east-1/*",
            "arn:aws-cn:s3:::aws-codedeploy-cn-north-1/*"
          ]
        }
      ]
    }
  3. From the same directory, call the create-role command to create an IAM role named CodeDeployDemo-EC2-Instance-Profile, based on the information in the first file:

    Important

    Be sure to include file:// before the file name. It is required in this command.

    aws iam create-role --role-name CodeDeployDemo-EC2-Instance-Profile --assume-role-policy-document file://CodeDeployDemo-EC2-Trust.json
  4. From the same directory, call the put-role-policy command to give the role named CodeDeployDemo-EC2-Instance-Profile the permissions based on the information in the second file:

    Important

    Be sure to include file:// before the file name. It is required in this command.

    aws iam put-role-policy --role-name CodeDeployDemo-EC2-Instance-Profile --policy-name CodeDeployDemo-EC2-Permissions --policy-document file://CodeDeployDemo-EC2-Permissions.json
  5. Call the create-instance-profile command, and then the add-role-to-instance-profile command, to create an IAM instance profile named CodeDeployDemo-EC2-Instance-Profile and place the role of the same name in it. The instance profile is what allows Amazon EC2 to pass the IAM role named CodeDeployDemo-EC2-Instance-Profile to an Amazon EC2 instance, either when the instance is launched or when you attach the profile to a running instance:

    aws iam create-instance-profile --instance-profile-name CodeDeployDemo-EC2-Instance-Profile

    aws iam add-role-to-instance-profile --instance-profile-name CodeDeployDemo-EC2-Instance-Profile --role-name CodeDeployDemo-EC2-Instance-Profile

    If you need to get the name of the IAM instance profile, see list-instance-profiles-for-role in the IAM section of the AWS CLI Reference.

You've now created an IAM instance profile to attach to your Amazon EC2 instances. For more information, see IAM Roles for Amazon EC2 in the Amazon EC2 User Guide.
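The five CLI steps above, plus the least-privilege advice in the note on the permissions policy, as one added example. This is not code from the AWS guide: the role, profile, policy and demo bucket names are the guide's, while the policy builder, the two review checks and the boto3 wrapper are assumptions made here. The builder generalizes the note's hand-written bucket list to any set of regions (mapping cn- regions to the aws-cn partition) and also grants the bare bucket ARN, because s3:ListBucket is evaluated against the bucket rather than against <bucket>/*; the checks refuse a policy that still has Resource "*" or a trust policy that trusts anything other than ec2.amazonaws.com.

```python
"""Added example (not from the AWS guide): build, review and apply the
CodeDeploy instance-profile setup. boto3 is assumed to be installed and
credentialed only for create_instance_profile(); everything else runs offline."""
import json

# Trust policy from the guide: only the EC2 service may assume the role.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "",
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# The guide's starting permissions policy: read access to every bucket.
STARTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["s3:Get*", "s3:List*"],
        "Effect": "Allow",
        "Resource": "*",
    }],
}


def s3_arns(bucket, region=None):
    """Bucket and object ARNs; China regions live in the aws-cn partition."""
    partition = "aws-cn" if region and region.startswith("cn-") else "aws"
    base = f"arn:{partition}:s3:::{bucket}"
    return [base, base + "/*"]


def build_permissions_policy(app_bucket, agent_regions):
    """Least-privilege replacement for STARTING_POLICY: the revision bucket
    plus the regional aws-codedeploy-<region> buckets holding the agent
    installer (omit those and agent install/update fails, per the guide)."""
    resources = s3_arns(app_bucket)
    for region in agent_regions:
        resources += s3_arns(f"aws-codedeploy-{region}", region)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:Get*", "s3:List*"],
            "Resource": resources,
        }],
    }


def find_wildcard_resources(policy):
    """Indexes of Allow statements whose Resource is '*' (any hit fails review)."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        res = stmt.get("Resource", [])
        res = [res] if isinstance(res, str) else res
        if stmt.get("Effect") == "Allow" and "*" in res:
            hits.append(i)
    return hits


def trusted_services(trust_policy):
    """Service principals allowed to assume the role; expect exactly EC2."""
    services = set()
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        svc = stmt.get("Principal", {}).get("Service", [])
        services.update([svc] if isinstance(svc, str) else svc)
    return services


def create_instance_profile(name, permissions, policy_name="CodeDeployDemo-EC2-Permissions"):
    """Steps 3-5 of the guide via boto3 (assumed available). Refuses wildcard
    resources and non-EC2 trust, tolerates re-runs, returns the profile ARN."""
    import boto3  # imported here so the pure functions above run without it

    if find_wildcard_resources(permissions):
        raise ValueError("permissions policy still grants Resource '*'")
    if trusted_services(EC2_TRUST_POLICY) != {"ec2.amazonaws.com"}:
        raise ValueError("trust policy must trust ec2.amazonaws.com only")
    iam = boto3.client("iam")
    exists = iam.exceptions.EntityAlreadyExistsException
    try:  # aws iam create-role
        iam.create_role(RoleName=name,
                        AssumeRolePolicyDocument=json.dumps(EC2_TRUST_POLICY))
    except exists:
        pass
    # aws iam put-role-policy (inline policy; PutRolePolicy overwrites on re-run)
    iam.put_role_policy(RoleName=name, PolicyName=policy_name,
                        PolicyDocument=json.dumps(permissions))
    try:  # aws iam create-instance-profile
        iam.create_instance_profile(InstanceProfileName=name)
    except exists:
        pass
    profile = iam.get_instance_profile(InstanceProfileName=name)["InstanceProfile"]
    if not any(r["RoleName"] == name for r in profile["Roles"]):
        iam.add_role_to_instance_profile(InstanceProfileName=name, RoleName=name)  # step 5
    return profile["Arn"]


if __name__ == "__main__":
    # Constructed input: the guide's demo bucket and two agent regions.
    policy = build_permissions_policy("codedeploydemobucket", ["us-east-1", "cn-north-1"])
    print(json.dumps(policy, indent=2))
    # create_instance_profile("CodeDeployDemo-EC2-Instance-Profile", policy)
```

Run the module to print the scoped policy and compare it with the guide's example; uncomment the last line (with credentials that may create IAM roles) to apply it. The wildcard and trust checks are deliberately placed before any API call, so a policy that drifted back to Resource "*" is rejected before it reaches the account.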

Create an IAM Instance Profile for Your Amazon EC2 Instances (Console)

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. In the IAM console, in the navigation pane, choose Policies, and then choose Create policy. (If a Get Started button appears, choose it, and then choose Create Policy.)

  3. Next to Create Your Own Policy, choose Select.

  4. In the Policy Name box, type CodeDeployDemo-EC2-Permissions.

  5. In the Policy Document box, paste the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "s3:Get*",
            "s3:List*"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }

    Note

    The policy above grants s3:Get* and s3:List* on Resource "*", that is, read access to every object in every Amazon S3 bucket the account owns (and to any other bucket whose bucket policy admits this account). Any process on the instance that can reach the instance metadata service inherits that access, so we recommend that you restrict this policy to only those Amazon S3 buckets your Amazon EC2 instances must access. Make sure to give access to the Amazon S3 buckets that contain the AWS CodeDeploy agent. Otherwise, an error may occur when the AWS CodeDeploy agent is installed or updated on the instances. For example:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:Get*",
            "s3:List*"
          ],
          "Resource": [
            "arn:aws:s3:::codedeploydemobucket/*",
            "arn:aws:s3:::aws-codedeploy-us-east-2/*",
            "arn:aws:s3:::aws-codedeploy-us-east-1/*",
            "arn:aws:s3:::aws-codedeploy-us-west-1/*",
            "arn:aws:s3:::aws-codedeploy-us-west-2/*",
            "arn:aws:s3:::aws-codedeploy-ca-central-1/*",
            "arn:aws:s3:::aws-codedeploy-eu-west-1/*",
            "arn:aws:s3:::aws-codedeploy-eu-west-2/*",
            "arn:aws:s3:::aws-codedeploy-eu-central-1/*",
            "arn:aws:s3:::aws-codedeploy-ap-northeast-1/*",
            "arn:aws:s3:::aws-codedeploy-ap-northeast-2/*",
            "arn:aws:s3:::aws-codedeploy-ap-southeast-1/*",
            "arn:aws:s3:::aws-codedeploy-ap-southeast-2/*",
            "arn:aws:s3:::aws-codedeploy-ap-south-1/*",
            "arn:aws:s3:::aws-codedeploy-sa-east-1/*",
            "arn:aws-cn:s3:::aws-codedeploy-cn-north-1/*"
          ]
        }
      ]
    }
  6. Choose Create Policy.

  7. In the navigation pane, choose Roles, and then choose Create new role.

  8. On the Select role type page, in the AWS Service Role list, next to Amazon EC2, choose Select.

  9. On the Attach Policy page, select the box next to CodeDeployDemo-EC2-Permissions, and then choose Next Step.

  10. In the Role name box, type a name like CodeDeployDemo-EC2-Instance-Profile, and then choose Create role. When you create a role for the Amazon EC2 service in the console, IAM also creates an instance profile with the same name and adds the role to it, so the separate create-instance-profile and add-role-to-instance-profile steps of the CLI procedure are not needed here.

You've now created an IAM instance profile to attach to your Amazon EC2 instances. For more information, see IAM Roles for Amazon EC2 in the Amazon EC2 User Guide.