Amazon ECS CodeDeploy IAM Role
Before you can use the CodeDeploy blue/green deployment type with Amazon ECS, the CodeDeploy service
needs permissions to update your Amazon ECS service on your behalf. These permissions are
provided by the CodeDeploy IAM role (ecsCodeDeployRole).
There are two managed policies provided. The AWSCodeDeployRoleForECS policy,
shown below, gives CodeDeploy permission to update any resource using the associated action. The
AWSCodeDeployRoleForECSLimited policy, shown below, gives CodeDeploy more
limited permissions.
- AWSCodeDeployRoleForECS
-
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ecs:DescribeServices",
"ecs:CreateTaskSet",
"ecs:UpdateServicePrimaryTaskSet",
"ecs:DeleteTaskSet",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:ModifyRule",
"lambda:InvokeFunction",
"cloudwatch:DescribeAlarms",
"sns:Publish",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": ["iam:PassRole"],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringLike": {
"iam:PassedToService": ["ecs-tasks.amazonaws.com"]
}
}
}
]
}
- AWSCodeDeployRoleForECSLimited
-
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ecs:DescribeServices",
"ecs:CreateTaskSet",
"ecs:UpdateServicePrimaryTaskSet",
"ecs:DeleteTaskSet",
"cloudwatch:DescribeAlarms"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": ["sns:Publish"],
"Resource": "arn:aws:sns:*:*:CodeDeployTopic_*",
"Effect": "Allow"
},
{
"Action": [
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:ModifyRule"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": ["lambda:InvokeFunction"],
"Resource": "arn:aws:lambda:*:*:function:CodeDeployHook_*",
"Effect": "Allow"
},
{
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": "*",
"Condition": {
"StringEquals": {"s3:ExistingObjectTag/UseWithCodeDeploy": "true"}
},
"Effect": "Allow"
},
{
"Action": ["iam:PassRole"],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::*:role/ecsTaskExecutionRole",
"arn:aws:iam::*:role/ECSTaskExecution*"
],
"Condition": {
"StringLike": {
"iam:PassedToService": ["ecs-tasks.amazonaws.com"]
}
}
}
]
}
Creating the CodeDeploy
AWSCodeDeployRoleForECS role
You can use the following procedures to create a CodeDeploy role for Amazon ECS
- AWS Management Console
-
To create the service role for CodeDeploy (IAM console)
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
-
In the navigation pane of the IAM console, choose Roles, and
then choose Create role.
-
For Trusted entity type, choose AWS service.
-
For Service or use case, choose CodeDeploy, and then choose the CodeDeploy - ECS use case.
-
Choose Next.
-
In the Attach permissions policy section, ensure that the AWSCodeDeployRoleForECS policy is selected.
-
Choose Next.
-
For Role name, enter ecsCodeDeployRole.
-
Review the role, and then choose Create role.
- AWS CLI
-
Replace all user input with your own
information.
-
Create a file named codedeploy-trust-policy.json that
contains the trust policy to use for the CodeDeploy IAM role.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": ["codedeploy.amazonaws.com"]
},
"Action": "sts:AssumeRole"
}
]
}
-
Create an IAM role named ecsCodedeployRole using
the trust policy created in the previous step.
aws iam create-role \
--role-name ecsCodedeployRole \
--assume-role-policy-document file://codedeploy-trust-policy.json
-
Attach the AWSCodeDeployRoleForECS or
AWSCodeDeployRoleForECSLimited managed policy to
the ecsTaskRole role.
aws iam attach-role-policy \
--role-name ecsCodedeployRole \
--policy-arn arn:aws::iam::aws:policy/AWSCodeDeployRoleForECS
aws iam attach-role-policy \
--role-name ecsCodedeployRole \
--policy-arn arn:aws::iam::aws:policy/AWSCodeDeployRoleForECSLimited
Adding permissions for blue/green
deployments
If the tasks in your Amazon ECS service using the blue/green deployment type require
the use of the task execution role or a task role override, then you must add the
iam:PassRole permission for each task execution role or task role
override to the CodeDeploy IAM role as a policy. For more information, see Amazon ECS task execution IAM role and
Amazon ECS task role.
Use the following procedure to create the policy
- AWS Management Console
-
To use the JSON policy editor to create a policy
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
-
In the navigation pane on the left, choose Policies.
If this is your first time choosing Policies, the
Welcome to Managed Policies page appears. Choose Get
Started.
-
At the top of the page, choose Create policy.
-
In the Policy editor section, choose the
JSON option.
-
Enter the following JSON policy document:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": ["arn:aws:iam::<aws_account_id>:role/<ecsCodeDeployRole>"]
}
]
}
-
Choose Next.
You can switch between the Visual and JSON
editor options anytime. However, if you make changes or choose Next
in the Visual editor, IAM might restructure your policy to
optimize it for the visual editor. For more information, see Policy restructuring
in the IAM User Guide.
-
On the Review and create page, enter a Policy
name and a Description (optional) for the policy that
you are creating. Review Permissions defined in this policy to see
the permissions that are granted by your policy.
-
Choose Create policy to save your new policy.
After you create the policy, attach the policy to the CodeDeploy role. For
information about how to attach the policy to the role, see Modifying a role permissions policy (console) in the
AWS Identity and Access Management User Guide.
- AWS CLI
-
Replace all user input with your own
information.
-
Create a file called blue-green-iam-passrole.json
with the following content.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": ["arn:aws:iam::<aws_account_id>:role/<ecsCodeDeployRole>"]
}
]
}
-
Use the following command to create the IAM policy using the
JSON policy document file.
aws iam create-policy \
--policy-name cdTaskExecutionPolicy \
--policy-document file://blue-green-iam-passrole.json
-
Retrieve the ARN of the IAM policy you created using the
following command.
aws iam list-policies --scope Local --query 'Policies[?PolicyName==`cdTaskExecutionPolicy`].Arn'
-
Use the following command to attach the policy to the CodeDeploy
IAM role.
aws iam attach-role-policy \
--role-name ecsCodedeployRole \
--policy-arn arn:aws:iam:111122223333:aws:policy/cdTaskExecutionPolicy
