Amazon ECS CodeDeploy IAM Role

Before you can use the CodeDeploy blue/green deployment type with Amazon ECS, the CodeDeploy service needs permissions to update your Amazon ECS service on your behalf. These permissions are provided by the CodeDeploy IAM role (ecsCodeDeployRole).
Note
Users also require permissions to use CodeDeploy; these permissions are described in Blue/green deployment required IAM permissions.
There are two managed policies provided. The AWSCodeDeployRoleForECS policy, shown below, allows each listed action on any resource (Resource "*"). The AWSCodeDeployRoleForECSLimited policy, shown below, grants the same actions but scopes several of them more narrowly: SNS topics and Lambda functions must carry a CodeDeploy name prefix, S3 objects must carry the UseWithCodeDeploy tag, and iam:PassRole is restricted to named task execution roles.
AWSCodeDeployRoleForECS

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeServices",
                "ecs:CreateTaskSet",
                "ecs:UpdateServicePrimaryTaskSet",
                "ecs:DeleteTaskSet",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:ModifyRule",
                "lambda:InvokeFunction",
                "cloudwatch:DescribeAlarms",
                "sns:Publish",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": ["iam:PassRole"],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": ["ecs-tasks.amazonaws.com"]
                }
            }
        }
    ]
}
AWSCodeDeployRoleForECSLimited

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeServices",
                "ecs:CreateTaskSet",
                "ecs:UpdateServicePrimaryTaskSet",
                "ecs:DeleteTaskSet",
                "cloudwatch:DescribeAlarms"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": ["sns:Publish"],
            "Resource": "arn:aws:sns:*:*:CodeDeployTopic_*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:ModifyRule"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": ["lambda:InvokeFunction"],
            "Resource": "arn:aws:lambda:*:*:function:CodeDeployHook_*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"s3:ExistingObjectTag/UseWithCodeDeploy": "true"}
            },
            "Effect": "Allow"
        },
        {
            "Action": ["iam:PassRole"],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::*:role/ecsTaskExecutionRole",
                "arn:aws:iam::*:role/ECSTaskExecution*"
            ],
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": ["ecs-tasks.amazonaws.com"]
                }
            }
        }
    ]
}
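To make the difference between the two managed policies concrete, the following added example (not AWS code) is a small identity-policy evaluator that supports only the features these two documents use: Allow/Deny effects, wildcard Action and Resource patterns, and StringEquals/StringLike conditions. The policy documents are the two shown above; the account id 111122223333, the role, function, topic and bucket names in the sample requests are constructed for the example. The evaluator is deliberately minimal (no NotAction, no resource policies, case-sensitive matching) and is meant for reasoning about these documents, not as a replacement for the IAM policy simulator.

```python
# Added example (not AWS's code): minimal evaluator for the two managed policies
# on this page, used to compare what each one lets CodeDeploy touch.
import fnmatch

# Policy documents as shown on the page.
FULL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ecs:DescribeServices", "ecs:CreateTaskSet", "ecs:UpdateServicePrimaryTaskSet",
        "ecs:DeleteTaskSet", "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:ModifyListener",
        "elasticloadbalancing:DescribeRules", "elasticloadbalancing:ModifyRule",
        "lambda:InvokeFunction", "cloudwatch:DescribeAlarms", "sns:Publish",
        "s3:GetObject", "s3:GetObjectVersion"]},
    {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*",
     "Condition": {"StringLike": {"iam:PassedToService": ["ecs-tasks.amazonaws.com"]}}}]}

LIMITED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ecs:DescribeServices", "ecs:CreateTaskSet", "ecs:UpdateServicePrimaryTaskSet",
        "ecs:DeleteTaskSet", "cloudwatch:DescribeAlarms"]},
    {"Effect": "Allow", "Action": ["sns:Publish"], "Resource": "arn:aws:sns:*:*:CodeDeployTopic_*"},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:ModifyListener", "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:ModifyRule"]},
    {"Effect": "Allow", "Action": ["lambda:InvokeFunction"],
     "Resource": "arn:aws:lambda:*:*:function:CodeDeployHook_*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion"], "Resource": "*",
     "Condition": {"StringEquals": {"s3:ExistingObjectTag/UseWithCodeDeploy": "true"}}},
    {"Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": ["arn:aws:iam::*:role/ecsTaskExecutionRole", "arn:aws:iam::*:role/ECSTaskExecution*"],
     "Condition": {"StringLike": {"iam:PassedToService": ["ecs-tasks.amazonaws.com"]}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate a Condition block against the request context (key -> value).
    A key missing from the context fails the test, as IAM does for these
    positive operators. Only StringEquals and StringLike are supported."""
    for operator, tests in condition.items():
        for key, expected in tests.items():
            actual = context.get(key)
            if actual is None:
                return False
            patterns = _as_list(expected)
            if operator == "StringEquals":
                if actual not in patterns:
                    return False
            elif operator == "StringLike":
                if not any(fnmatch.fnmatchcase(actual, p) for p in patterns):
                    return False
            else:
                raise ValueError(f"unsupported condition operator {operator}")
    return True


def is_allowed(policy, action, resource, context=None):
    """Identity-policy decision: an explicit Deny wins, a matching Allow
    permits, and no matching statement is an implicit deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def compare(action, resource, context=None):
    """Decision under each managed policy, as a (full, limited) pair."""
    return (is_allowed(FULL, action, resource, context),
            is_allowed(LIMITED, action, resource, context))


if __name__ == "__main__":
    # Constructed sample requests in a fictitious account 111122223333.
    ecs = {"iam:PassedToService": "ecs-tasks.amazonaws.com"}
    for action, resource, ctx in [
        ("lambda:InvokeFunction", "arn:aws:lambda:us-east-1:111122223333:function:Billing", None),
        ("lambda:InvokeFunction", "arn:aws:lambda:us-east-1:111122223333:function:CodeDeployHook_pre", None),
        ("iam:PassRole", "arn:aws:iam::111122223333:role/AdminRole", ecs),
        ("iam:PassRole", "arn:aws:iam::111122223333:role/ecsTaskExecutionRole", ecs),
        ("s3:GetObject", "arn:aws:s3:::deploy-bucket/appspec.yaml", None),
    ]:
        print(f"{action:22} {resource:70} (full, limited) = {compare(action, resource, ctx)}")
```

The pairs the script prints show where the policies diverge: the full policy lets the CodeDeploy role invoke any Lambda function, publish to any SNS topic, read any S3 object and pass any role to ECS tasks, while the limited policy confines each of those to the CodeDeployHook_ and CodeDeployTopic_ name prefixes, tagged objects, and the ecsTaskExecutionRole / ECSTaskExecution* roles. Neither policy lets the role be passed to a service other than ecs-tasks.amazonaws.com.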
Creating the CodeDeploy AWSCodeDeployRoleForECS role

You can use the following procedures to create a CodeDeploy role for Amazon ECS.
AWS Management Console

To create an IAM role for CodeDeploy

1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Roles, Create role.
3. For Select type of trusted entity, choose AWS service.
4. For Choose the service that will use this role, choose CodeDeploy.
5. For Select your use case, choose CodeDeploy - ECS, Next.
6. In the Add permissions section, do the following:
   a. Ensure that the AWSCodeDeployRoleForECS policy is selected.
   b. Under Set permissions boundary - optional, choose Create role without a permissions boundary.
   c. Choose Next.
7. Under Name, review, and create, do the following:
   a. For Role name, enter ecsCodeDeployRole, and enter an optional description.
   b. For Add tags (optional), enter any custom tags to associate with the role.
8. Choose Create role.
AWS CLI

Replace all user input with your own information.

1. Create a file named codedeploy-trust-policy.json that contains the trust policy to use for the CodeDeploy IAM role.

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "",
               "Effect": "Allow",
               "Principal": {
                   "Service": ["codedeploy.amazonaws.com"]
               },
               "Action": "sts:AssumeRole"
           }
       ]
   }

2. Create an IAM role named ecsCodedeployRole using the trust policy created in the previous step.

   aws iam create-role \
       --role-name ecsCodedeployRole \
       --assume-role-policy-document file://codedeploy-trust-policy.json

3. Attach the AWSCodeDeployRoleForECS or AWSCodeDeployRoleForECSLimited managed policy to the ecsCodedeployRole role. Attach only one of the two; the limited policy is sufficient when your task execution roles follow the ecsTaskExecutionRole / ECSTaskExecution* naming and your hook functions, topics and objects use the names and tag it expects.

   aws iam attach-role-policy \
       --role-name ecsCodedeployRole \
       --policy-arn arn:aws:iam::aws:policy/AWSCodeDeployRoleForECS

   aws iam attach-role-policy \
       --role-name ecsCodedeployRole \
       --policy-arn arn:aws:iam::aws:policy/AWSCodeDeployRoleForECSLimited
Adding permissions for blue/green deployments

If the tasks in your Amazon ECS service using the blue/green deployment type require the use of the task execution role or a task role override, then you must add the iam:PassRole permission for each task execution role or task role override to the CodeDeploy IAM role as a policy. For more information, see Amazon ECS task execution IAM role and Task IAM role.

Use the following procedure to create the policy.
AWS Management Console

To use the JSON policy editor to create a policy

1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane on the left, choose Policies.
   If this is your first time choosing Policies, the Welcome to Managed Policies page appears. Choose Get Started.
3. At the top of the page, choose Create policy.
4. In the Policy editor section, choose the JSON option.
5. Enter the following JSON policy document:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": "iam:PassRole",
               "Resource": ["arn:aws:iam::<aws_account_id>:role/<ecsTaskExecutionRole_or_TaskRole_name>"]
           }
       ]
   }

6. Choose Next.
   Note
   You can switch between the Visual and JSON editor options anytime. However, if you make changes or choose Next in the Visual editor, IAM might restructure your policy to optimize it for the visual editor. For more information, see Policy restructuring in the IAM User Guide.
7. On the Review and create page, enter a Policy name and a Description (optional) for the policy that you are creating. Review Permissions defined in this policy to see the permissions that are granted by your policy.
8. Choose Create policy to save your new policy.

After you create the policy, attach the policy to the CodeDeploy role. For information about how to attach the policy to the role, see Modifying a role permissions policy (console) in the AWS Identity and Access Management User Guide.
AWS CLI

Replace all user input with your own information.

1. Create a file called blue-green-iam-passrole.json with the following content.

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": "iam:PassRole",
               "Resource": ["arn:aws:iam::<aws_account_id>:role/<ecsTaskExecutionRole_or_TaskRole_name>"]
           }
       ]
   }

2. Use the following command to create the IAM policy using the JSON policy document file.

   aws iam create-policy \
       --policy-name cdTaskExecutionPolicy \
       --policy-document file://blue-green-iam-passrole.json

3. Retrieve the ARN of the IAM policy you created using the following command.

   aws iam list-policies --scope Local --query 'Policies[?PolicyName==`cdTaskExecutionPolicy`].Arn'

4. Use the following command to attach the policy to the CodeDeploy IAM role. A customer managed policy ARN has the form arn:aws:iam::<aws_account_id>:policy/<name>; 111122223333 is a placeholder account id.

   aws iam attach-role-policy \
       --role-name ecsCodedeployRole \
       --policy-arn arn:aws:iam::111122223333:policy/cdTaskExecutionPolicy
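Because iam:PassRole is the permission that lets the CodeDeploy role hand a task execution role or task role to ECS, the value of this policy lies in naming exact role ARNs rather than a wildcard. The following added example (not AWS code) builds the document from the CLI step above for a list of role names and audits a PassRole document for that scoping. The optional iam:PassedToService condition it can add is an addition of this example, mirroring the condition in the two managed policies; the page's own document has no Condition block. The account id 111122223333 and the role names are constructed placeholders.

```python
# Added example (not AWS's code): build the PassRole policy from the CLI step
# for named roles, and audit a PassRole document for exact-ARN scoping.
import json
import re

ACCOUNT_RE = re.compile(r"^\d{12}$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([A-Za-z0-9+=,.@_/-]+)$")


def build_passrole_policy(account_id, role_names, passed_to_service=None):
    """Return the policy document with one exact role ARN per name.
    Wildcards in names are refused so the grant can never widen to every role."""
    if not ACCOUNT_RE.match(account_id):
        raise ValueError(f"not a 12-digit account id: {account_id!r}")
    arns = []
    for name in role_names:
        if "*" in name or "?" in name:
            raise ValueError(f"wildcard role name refused: {name!r}")
        arns.append(f"arn:aws:iam::{account_id}:role/{name}")
    stmt = {"Effect": "Allow", "Action": "iam:PassRole", "Resource": arns}
    if passed_to_service:
        # Addition of this example: restrict which service the role may be passed
        # to. For ECS tasks the managed policies use ecs-tasks.amazonaws.com.
        stmt["Condition"] = {"StringEquals": {"iam:PassedToService": passed_to_service}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_passrole_policy(policy, expected_account):
    """Return a list of findings. An empty list means every Allow statement that
    grants iam:PassRole names exact role ARNs in the expected account and carries
    an iam:PassedToService condition."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        grants_passrole = any(a in ("iam:passrole", "iam:*", "*") for a in actions)
        if stmt.get("Effect") != "Allow" or not grants_passrole:
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if "*" in res or "?" in res:
                findings.append(f"statement {i}: resource {res!r} is a wildcard")
                continue
            m = ROLE_ARN_RE.match(res)
            if not m:
                findings.append(f"statement {i}: {res!r} is not an IAM role ARN")
            elif m.group(1) != expected_account:
                findings.append(f"statement {i}: {res!r} is in account {m.group(1)}, "
                                f"expected {expected_account}")
        if "iam:PassedToService" not in json.dumps(stmt.get("Condition", {})):
            findings.append(f"statement {i}: no iam:PassedToService condition")
    return findings


if __name__ == "__main__":
    # Constructed placeholders; the output is what blue-green-iam-passrole.json
    # would contain for a single task execution role.
    doc = build_passrole_policy("111122223333", ["ecsTaskExecutionRole"],
                                passed_to_service="ecs-tasks.amazonaws.com")
    print(json.dumps(doc, indent=4))
    print("findings:", audit_passrole_policy(doc, "111122223333"))
```

Run the audit against the file before `aws iam create-policy`; a wildcard resource or a foreign account id shows up as a finding, and a document without the condition is reported so you can decide whether to add it.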