AWS CodeDeploy
User Guide (API Version 2014-10-06)

Creating a Service Role for AWS CodeDeploy

To identify instances to which it can deploy applications, AWS CodeDeploy reads either the tags applied to the instances or the Auto Scaling group names associated with the instances. To do this, AWS CodeDeploy must be granted the permissions to access your instances.

You will use a special type of IAM role, a service role, to give AWS CodeDeploy these permissions.

The permissions you add to the service role specify the operations AWS CodeDeploy can perform when it accesses your Amazon EC2 instances and Auto Scaling groups. To add these permissions, attach an AWS-supplied policy, AWSCodeDeployRole, to the service role. You can review the details of AWSCodeDeployRole and other AWS CodeDeploy policies in User Access Permissions Reference.

As part of setting up the service role, you also update its trust relationship to specify the endpoints to which you want to grant it access.

You can create a service role with the IAM console, the AWS CLI, or the IAM APIs.

Create a Service Role (Console)

  1. Sign in to the Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/.

    Important

    Make sure you are signed in to the AWS Management Console with the same account information you used in Setting Up.

  2. In the navigation pane, choose Roles, and then choose Create New Role.

  3. In the Role Name box, give the service role a name (for example, CodeDeployServiceRole), and then choose Next Step.

  4. On the Select Role Type page, with AWS Service Roles selected, next to AWS CodeDeploy, choose Select.

  5. On the Attach Policy page, select the box next to the AWSCodeDeployRole policy, and then choose Next Step.

    The AWSCodeDeployRole policy provides the permissions required for your service role to read the tags on your instances or identify your Amazon EC2 instances by Auto Scaling group names. By default, this policy also includes a trust relationship that grants your service role access to all of the endpoints currently supported by AWS CodeDeploy. You can restrict the service role's access to only those endpoints you specify.

  6. Note the value of the Role ARN field. You will need it later when you create deployment groups. If you forget the value, follow the instructions in Get the Service Role ARN (Console).

  7. Choose Create Role.

  8. If you want this service role to have permission to access all currently supported endpoints, you are finished with this procedure.

    If you want to restrict this service role from accessing all endpoints, in the list of roles, browse to and choose the role you just created, and continue with the next step.

  9. Under Trust Relationships, choose Edit Trust Relationship.

  10. You should see the following policy, which provides the service role permission to access all supported endpoints:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "codedeploy.amazonaws.com"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

    To grant the service role access to only some supported endpoints, replace the contents of the Policy Document box with the following policy, remove the lines for the endpoints to which you want to exclude access, and then choose Update Trust Policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "codedeploy.us-east-1.amazonaws.com",
              "codedeploy.us-west-1.amazonaws.com",
              "codedeploy.us-west-2.amazonaws.com",
              "codedeploy.eu-west-1.amazonaws.com",
              "codedeploy.eu-central-1.amazonaws.com",
              "codedeploy.ap-northeast-1.amazonaws.com",
              "codedeploy.ap-southeast-1.amazonaws.com",
              "codedeploy.ap-southeast-2.amazonaws.com",
              "codedeploy.sa-east-1.amazonaws.com"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

    Note

    Do not use a comma in the last line of the policy.

For more information about creating service roles, see Creating a Role to Delegate Permissions to an AWS Service in the IAM User Guide.

Create a Service Role (CLI)

  1. On your development machine, create a text file named, for example, CodeDeployDemo-Trust.json. This file will be used to allow AWS CodeDeploy to work on your behalf.

    Do one of the following:

    • To grant access to all supported regions, save the following content in the file:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "codedeploy.amazonaws.com"
              ]
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
    • To grant access to only some supported regions, type the following content into the file, and remove the lines for the regions to which you want to exclude access:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "codedeploy.us-east-1.amazonaws.com",
                "codedeploy.us-west-1.amazonaws.com",
                "codedeploy.us-west-2.amazonaws.com",
                "codedeploy.eu-west-1.amazonaws.com",
                "codedeploy.eu-central-1.amazonaws.com",
                "codedeploy.ap-northeast-1.amazonaws.com",
                "codedeploy.ap-southeast-1.amazonaws.com",
                "codedeploy.ap-southeast-2.amazonaws.com",
                "codedeploy.sa-east-1.amazonaws.com"
              ]
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }

      Note

      Do not use a comma in the last line of the policy.

  2. From the same directory, call the create-role command to create a service role named CodeDeployServiceRole based on the information in the text file you just created:

    aws iam create-role --role-name CodeDeployServiceRole --assume-role-policy-document file://CodeDeployDemo-Trust.json

    In the command's output, note the value of the Arn entry under the Role object. You will need it later when you create deployment groups. If you forget the value, follow the instructions in Get the Service Role ARN (CLI).

  3. Call the attach-role-policy command to give the service role named CodeDeployServiceRole the permissions based on the IAM managed policy named AWSCodeDeployRole:

    aws iam attach-role-policy --role-name CodeDeployServiceRole --policy-arn arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole
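The console procedure and the CLI procedure above both end with the same artefact: a trust policy that names either the single principal codedeploy.amazonaws.com or one regional CodeDeploy principal per region. The following Python script is an added example, not AWS's code and not part of this guide; the function names, the constructed get-role output and the region list (taken from the guide's restricted policy) are this example's assumptions. It generates the trust policy document for a chosen set of regions without the trailing-comma mistake the Note warns about, and it audits a trust policy so you can confirm that nothing other than the expected CodeDeploy endpoints has been granted sts:AssumeRole on the role.

```python
import json
from typing import Dict, List, Optional

# Regional CodeDeploy endpoints exactly as listed in the guide's restricted trust policy.
CODEDEPLOY_REGIONS = [
    "us-east-1", "us-west-1", "us-west-2", "eu-west-1", "eu-central-1",
    "ap-northeast-1", "ap-southeast-1", "ap-southeast-2", "sa-east-1",
]
GLOBAL_PRINCIPAL = "codedeploy.amazonaws.com"


def build_trust_policy(regions: Optional[List[str]] = None) -> Dict:
    """Return the trust policy document shown in the guide.

    regions=None reproduces the all-endpoints policy (codedeploy.amazonaws.com);
    a list of regions reproduces the restricted policy, one regional principal
    per region, in the order given. Unknown regions are rejected rather than
    silently producing a principal that no service can ever use.
    """
    if regions is None:
        services = [GLOBAL_PRINCIPAL]
    else:
        unknown = [r for r in regions if r not in CODEDEPLOY_REGIONS]
        if unknown:
            raise ValueError(f"not in the guide's endpoint list: {unknown}")
        services = [f"codedeploy.{r}.amazonaws.com" for r in regions]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "",
            "Effect": "Allow",
            "Principal": {"Service": services},
            "Action": "sts:AssumeRole",
        }],
    }


def render_trust_policy(regions: Optional[List[str]] = None) -> str:
    """Serialise the policy as the text for CodeDeployDemo-Trust.json.
    json.dumps never emits a trailing comma, so the file is always valid JSON."""
    return json.dumps(build_trust_policy(regions), indent=2) + "\n"


def _as_list(value) -> List[str]:
    # IAM accepts a bare string wherever a list of strings is allowed.
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_trust_policy(policy: Dict, regions: Optional[List[str]] = None) -> List[str]:
    """Return one finding per principal that may assume the role but is not one
    of the CodeDeploy endpoints the procedure intended. An empty list means the
    trust policy matches what the guide's steps produce for `regions`."""
    expected = set(build_trust_policy(regions)["Statement"][0]["Principal"]["Service"])
    findings: List[str] = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # statement does not grant AssumeRole, so it cannot widen trust
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append(f"statement {idx}: Principal '*' lets any caller assume the role")
            continue
        if not isinstance(principal, dict):
            findings.append(f"statement {idx}: unexpected Principal {principal!r}")
            continue
        for key in ("AWS", "Federated"):
            for p in _as_list(principal.get(key)):
                findings.append(f"statement {idx}: non-service principal {key}={p}")
        for svc in _as_list(principal.get("Service")):
            if svc not in expected:
                findings.append(f"statement {idx}: service principal {svc} is not an expected endpoint")
    return findings


def audit_get_role_output(get_role_json: str, regions: Optional[List[str]] = None) -> List[str]:
    """Audit the Role.AssumeRolePolicyDocument object from `aws iam get-role` output."""
    role = json.loads(get_role_json)["Role"]
    return audit_trust_policy(role["AssumeRolePolicyDocument"], regions)


# Constructed sample in the shape of `aws iam get-role --output json`: the intended
# CodeDeploy statement plus a second statement trusting another account (a hypothetical
# drift an audit should flag). The account id is a placeholder, not a real account.
SAMPLE_GET_ROLE_OUTPUT = json.dumps({
    "Role": {
        "RoleName": "CodeDeployServiceRole",
        "Arn": "arn:aws:iam::111122223333:role/CodeDeployServiceRole",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Sid": "", "Effect": "Allow",
                 "Principal": {"Service": [GLOBAL_PRINCIPAL]}, "Action": "sts:AssumeRole"},
                {"Sid": "Drift", "Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::999999999999:root"}, "Action": "sts:AssumeRole"},
            ],
        },
    }
})

if __name__ == "__main__":
    # Step 1 of the CLI procedure: write the restricted policy, then run the guide's
    # `aws iam create-role --assume-role-policy-document file://CodeDeployDemo-Trust.json`.
    with open("CodeDeployDemo-Trust.json", "w", encoding="utf-8") as fh:
        fh.write(render_trust_policy(["us-east-1", "eu-west-1"]))
    for finding in audit_get_role_output(SAMPLE_GET_ROLE_OUTPUT):
        print(finding)
```

Run the audit against the real role by piping `aws iam get-role --role-name CodeDeployServiceRole --output json` into audit_get_role_output with the same region list you used when writing the file; any finding means the trust relationship no longer matches what the procedure created.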

For more information about creating service roles, see Creating a Role for an AWS Service in the IAM User Guide.

Get the Service Role ARN (Console)

To use the IAM console to get the ARN of the service role:

  1. Sign in to the Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Roles.

  3. In the Search box, type CodeDeployServiceRole, and then press Enter.

  4. Choose CodeDeployServiceRole.

  5. Note the value of the Role ARN field.

Get the Service Role ARN (CLI)

To use the AWS CLI to get the ARN of the service role, call the get-role command against the service role named CodeDeployServiceRole:

aws iam get-role --role-name CodeDeployServiceRole --query "Role.Arn" --output text

The value returned is the ARN of the service role.