IAM roles for Amazon CodeCatalyst access to AWS resources - Amazon CodeCatalyst

Amazon CodeCatalyst is in preview release and is subject to change.

IAM roles for Amazon CodeCatalyst access to AWS resources

To access resources in an AWS account from your CodeCatalyst projects and workflows, you must first grant permission for CodeCatalyst to access those resources on your behalf. To do so, you must create a service role in a connected AWS account that CodeCatalyst can assume on behalf of users and projects in the space. You can either choose to create and use the CodeCatalystPreviewDevelopmentAdministrator service role, or you can create customized service roles and configure these IAM policies and roles manually. As a best practice, assign these roles the least amount of permissions necessary.

To access AWS resources on your behalf, connect your CodeCatalyst account to your AWS account. Use the following steps to create your roles manually, and then associate the roles when you connect your account.

To learn about all of the elements that you use in a JSON policy, see IAM JSON Policy Elements Reference in the IAM User Guide.

Understanding the CodeCatalystPreviewDevelopmentAdministrator service role

You can add an IAM role for your space that CodeCatalyst can use to create and access resources in a connected AWS account. This is called a service role. The simplest way to create a service role is to add one when you create the space and to choose the CodeCatalystPreviewDevelopmentAdministrator option for that role. This not only creates the policy and the role, but it also creates the trust policy that allows CodeCatalyst to assume the role on behalf of users in projects in the space. The service role is scoped to the space, not to individual projects. To create this role, see Creating the CodeCatalystPreviewDevelopmentAdministrator role for your account and space.

The policy attached to the CodeCatalystPreviewDevelopmentAdministrator role is designed to work with projects created with blueprints in the space. It supports users in those projects to develop, build, test, and deploy code using resources in the connected AWS account. You can choose to modify the policy attached to the role to allow additional actions, or you can scope down the actions allowed by the policy. For more information, see Creating a role for an AWS service.

The policy attached to the CodeCatalystPreviewDevelopmentAdministrator role allows the following actions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudformation:*",
                "lambda:*",
                "apigateway:*",
                "ecr:*",
                "ecs:*",
                "ssm:*",
                "codedeploy:*",
                "s3:*",
                "iam:DeleteRole",
                "iam:UpdateRole",
                "iam:Get*",
                "iam:TagRole",
                "iam:PassRole",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "iam:PutRolePolicy",
                "iam:CreatePolicy",
                "iam:DeletePolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion",
                "iam:PutRolePermissionsBoundary",
                "iam:DeleteRolePermissionsBoundary",
                "sts:AssumeRole",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:ModifyRule",
                "cloudwatch:DescribeAlarms",
                "sns:Publish",
                "sns:ListTopics"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

The trust policy for the role allows CodeCatalyst to assume it.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "codecatalyst.amazonaws.com",
                    "codecatalyst-runner.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Creating the CodeCatalystPreviewDevelopmentAdministrator role for your account and space

Follow these steps to create the CodeCatalystPreviewDevelopmentAdministrator role that will be used for workflows in your space. For each AWS account whose IAM roles you want projects in your space to use, you must add a role, such as the developer role, to your space.

Before you begin, you must have administrative privileges for your AWS account or be able to work with your administrator. For more information about how AWS accounts and IAM roles are used in CodeCatalyst, see Working with AWS accounts in Amazon CodeCatalyst.

To create and add the CodeCatalystPreviewDevelopmentAdministrator role
  1. Navigate to the summary page for your space. Choose the AWS accounts tab.

  2. Choose the link for the AWS account where you want to create the role. The AWS account details page displays.

  3. Choose Manage roles from AWS Management Console.

    The Add IAM role to Amazon CodeCatalyst space page opens in the AWS Management Console. This is the Amazon CodeCatalyst Spaces page. You might need to log in to access the page.

  4. Choose Create CodeCatalyst development administrator role in IAM. This option creates a service role that contains the permissions policy and trust policy for the preview development role. The role is named CodeCatalystPreviewDevelopmentAdministrator with a unique identifier appended. For more information about the role and role policy, see Understanding the CodeCatalystPreviewDevelopmentAdministrator service role.

  5. Choose Create development role.

  6. On the connection page, under IAM roles available to CodeCatalyst, view the CodeCatalystPreviewDevelopmentAdministrator role in the list of IAM roles added to your account.

  7. To return to your space, choose Go to Amazon CodeCatalyst.

Configuring IAM roles for workflow actions in CodeCatalyst

This section details IAM roles and policies that you can create to use with your CodeCatalyst account. For instructions to create example roles, see Creating roles manually for workflow actions. After you create your IAM role, copy the role ARN to add the IAM role to your account connection and associate it with your project environment. To learn more, see Adding the CodeCatalystPreviewDevelopmentAdministrator role or existing IAM roles to account connections.

CodeCatalyst build role for Amazon S3 access

For CodeCatalyst workflow build actions, you can use the default CodeCatalystPreviewDevelopmentAdministrator service role, or you can create an IAM role named CodeCatalystBuildRoleforS3Access. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on AWS CloudFormation resources in your AWS account.

This role gives permissions to do the following:

  • Write to Amazon S3 buckets.

  • Support building of resources with AWS CloudFormation. This requires Amazon S3 access.

This role uses the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:PutObject",
                "iam:PassRole"
            ],
            "Resource": "resource_ARN",
            "Effect": "Allow"
        }
    ]
}
Note

The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.

"Resource": "*"

CodeCatalyst build role for AWS CloudFormation

For CodeCatalyst workflow build actions, you can use the default CodeCatalystPreviewDevelopmentAdministrator service role, or you can create an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on AWS CloudFormation resources in your AWS account.

This role gives permissions to do the following:

  • Support building of resources with AWS CloudFormation. This is required along with the CodeCatalyst build role for Amazon S3 access and the CodeCatalyst deploy role for AWS CloudFormation.

The following AWS managed policies should be attached to this role:

  • AWSCloudFormationFullAccess

  • IAMFullAccess

  • AmazonS3FullAccess

  • AmazonAPIGatewayAdministrator

  • AWSLambdaFullAccess

CodeCatalyst build role for CDK

For CodeCatalyst workflows that run CDK build actions, such as Modern three-tier web application, you can use the default CodeCatalystPreviewDevelopmentAdministrator service role, or you can create an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to bootstrap and run CDK build commands for AWS CloudFormation resources in your AWS account.

This role gives permissions to do the following:

  • Write to Amazon S3 buckets.

  • Support building of CDK constructs and AWS CloudFormation resource stacks. This requires access to Amazon S3 for artifact storage, Amazon ECR for image repository support, and SSM for system governance and monitoring for virtual instances.

This role uses the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:*",
                "ecr:*",
                "ssm:*",
                "s3:*",
                "iam:PassRole",
                "iam:GetRole",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy"
            ],
            "Resource": "*"
        }
    ]
}
Note

The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.

"Resource": "*"

CodeCatalyst deploy role for AWS CloudFormation

For CodeCatalyst workflow deploy actions that use AWS CloudFormation, you can use the default CodeCatalystPreviewDevelopmentAdministrator service role, or you can use a policy with scoped permissions that CodeCatalyst needs to run tasks on AWS CloudFormation resources in your AWS account.

This role gives permissions to do the following:

  • Allow CodeCatalyst to invoke a Lambda function to perform blue/green deployment through AWS CloudFormation.

  • Allow CodeCatalyst to create and update stacks and changesets in AWS CloudFormation.

This role uses the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:Describe*",
                "cloudformation:UpdateStack",
                "cloudformation:CreateChangeSet",
                "cloudformation:DeleteChangeSet",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:SetStackPolicy",
                "cloudformation:ValidateTemplate",
                "cloudformation:List*",
                "iam:PassRole"
            ],
            "Resource": "resource_ARN",
            "Effect": "Allow"
        }
    ]
}
Note

The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.

"Resource": "*"

CodeCatalyst deploy role for Amazon EC2

CodeCatalyst workflow deploy actions use an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on Amazon EC2 resources in your AWS account. The default policy for the CodeCatalystPreviewDevelopmentAdministrator role does not include permissions for Amazon EC2 or Amazon EC2 Auto Scaling.

This role gives permissions to do the following:

  • Create Amazon EC2 deployments.

  • Read the tags on an instance or identify an Amazon EC2 instance by Auto Scaling group names.

  • Read, create, update, and delete Amazon EC2 Auto Scaling groups, lifecycle hooks, and scaling policies.

  • Publish information to Amazon SNS topics.

  • Retrieve information about CloudWatch alarms.

  • Read and update Elastic Load Balancing.

This role uses the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:CompleteLifecycleAction",
                "autoscaling:DeleteLifecycleHook",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLifecycleHooks",
                "autoscaling:PutLifecycleHook",
                "autoscaling:RecordLifecycleActionHeartbeat",
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:EnableMetricsCollection",
                "autoscaling:DescribePolicies",
                "autoscaling:DescribeScheduledActions",
                "autoscaling:DescribeNotificationConfigurations",
                "autoscaling:SuspendProcesses",
                "autoscaling:ResumeProcesses",
                "autoscaling:AttachLoadBalancers",
                "autoscaling:AttachLoadBalancerTargetGroups",
                "autoscaling:PutScalingPolicy",
                "autoscaling:PutScheduledUpdateGroupAction",
                "autoscaling:PutNotificationConfiguration",
                "autoscaling:PutWarmPool",
                "autoscaling:DescribeScalingActivities",
                "autoscaling:DeleteAutoScalingGroup",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:TerminateInstances",
                "tag:GetResources",
                "sns:Publish",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:DeregisterTargets"
            ],
            "Resource": "resource_ARN"
        }
    ]
}
Note

The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.

"Resource": "*"

CodeCatalyst deploy role for Amazon ECS

For CodeCatalyst workflow deploy actions that target Amazon ECS, you can use the default CodeCatalystPreviewDevelopmentAdministrator service role, or you can create an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on Amazon ECS resources in your AWS account.

This role gives permissions to do the following:

  • Initiate rolling Amazon ECS deployment on behalf of a CodeCatalyst user, in an account specified in the CodeCatalyst connection.

  • Read, update, and delete Amazon ECS task sets.

  • Update Elastic Load Balancing target groups, listeners, and rules.

  • Invoke Lambda functions.

  • Access revision files in Amazon S3 buckets.

  • Retrieve information about CloudWatch alarms.

  • Publish information to Amazon SNS topics.

This role uses the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeServices",
                "ecs:CreateTaskSet",
                "ecs:DeleteTaskSet",
                "ecs:ListClusters",
                "ecs:RegisterTaskDefinition",
                "ecs:UpdateServicePrimaryTaskSet",
                "ecs:UpdateService",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:ModifyRule",
                "lambda:InvokeFunction",
                "lambda:ListFunctions",
                "cloudwatch:DescribeAlarms",
                "sns:Publish",
                "sns:ListTopics",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "codedeploy:CreateApplication",
                "codedeploy:CreateDeployment",
                "codedeploy:CreateDeploymentGroup",
                "codedeploy:GetApplication",
                "codedeploy:GetDeployment",
                "codedeploy:GetDeploymentGroup",
                "codedeploy:ListApplications",
                "codedeploy:ListDeploymentGroups",
                "codedeploy:ListDeployments",
                "codedeploy:StopDeployment",
                "codedeploy:GetDeploymentTarget",
                "codedeploy:ListDeploymentTargets",
                "codedeploy:GetDeploymentConfig",
                "codedeploy:GetApplicationRevision",
                "codedeploy:RegisterApplicationRevision",
                "codedeploy:BatchGetApplicationRevisions",
                "codedeploy:BatchGetDeploymentGroups",
                "codedeploy:BatchGetDeployments",
                "codedeploy:BatchGetApplications",
                "codedeploy:ListApplicationRevisions",
                "codedeploy:ListDeploymentConfigs",
                "codedeploy:ContinueDeployment"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": [
                        "ecs-tasks.amazonaws.com",
                        "codedeploy.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
Note

The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.

"Resource": "*"

CodeCatalyst deploy role for Lambda

For CodeCatalyst workflow actions, you can use the default CodeCatalystPreviewDevelopmentAdministrator service role, or you can create an IAM role for CodeCatalyst deploy actions to use for Lambda deployments. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on Lambda resources in your AWS account.

This role gives permissions to do the following:

  • Read, update, and invoke Lambda functions and aliases.

  • Access revision files in Amazon S3 buckets.

  • Retrieve information about CloudWatch Events alarms.

  • Publish information to Amazon SNS topics.

This role uses the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudwatch:DescribeAlarms",
                "lambda:UpdateAlias",
                "lambda:GetAlias",
                "lambda:GetProvisionedConcurrencyConfig",
                "sns:Publish"
            ],
            "Resource": "resource_ARN",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::/CodeDeploy/",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "",
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/UseWithCodeDeploy": "true"
                }
            },
            "Effect": "Allow"
        },
        {
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": "arn:aws:lambda:::function:CodeDeployHook_*",
            "Effect": "Allow"
        }
    ]
}
Note

The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.

"Resource": "*"


CodeCatalyst deploy role for AWS SAM

For CodeCatalyst workflow actions, you can use the default CodeCatalystPreviewDevelopmentAdministrator service role, or you can create an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on AWS SAM and AWS CloudFormation resources in your AWS account.

This role gives permissions to do the following:

  • Allow CodeCatalyst to invoke a Lambda function to perform deployment of serverless and AWS SAM CLI applications.

  • Allow CodeCatalyst to create and update stacks and changesets in AWS CloudFormation.

This role uses the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "iam:PassRole",
                "iam:DeleteRole",
                "iam:GetRole",
                "iam:TagRole",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "cloudformation:*",
                "lambda:*",
                "apigateway:*"
            ],
            "Resource": "*"
        }
    ]
}
Note

The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.

"Resource": "*"

CodeCatalyst read only role for Amazon EC2

For CodeCatalyst workflow actions, you can create an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on Amazon EC2 resources in your AWS account. The CodeCatalystPreviewDevelopmentAdministrator service role does not include permissions for Amazon EC2 or the described actions for Amazon CloudWatch.

This role gives permissions to do the following:

  • Get status of Amazon EC2 instances.

  • Get CloudWatch metrics for Amazon EC2 instances.

This role uses the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "resource_ARN"
        },
        {
            "Effect": "Allow",
            "Action": "elasticloadbalancing:Describe*",
            "Resource": "resource_ARN"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:Describe*"
            ],
            "Resource": "resource_ARN"
        },
        {
            "Effect": "Allow",
            "Action": "autoscaling:Describe*",
            "Resource": "resource_ARN"
        }
    ]
}
Note

The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.

"Resource": "*"

CodeCatalyst read only role for Amazon ECS

For CodeCatalyst workflow actions, you can create an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on Amazon ECS resources in your AWS account.

This role gives permissions to do the following:

  • Read Amazon ECS task sets.

  • Retrieve information about CloudWatch alarms.

This role uses the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeServices",
                "cloudwatch:DescribeAlarms"
            ],
            "Resource": "resource_ARN",
            "Effect": "Allow"
        },
        {
            "Action": [
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeRules"
            ],
            "Resource": "resource_ARN",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "",
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/UseWithCodeDeploy": "true"
                }
            },
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam:::role/ecsTaskExecutionRole",
                "arn:aws:iam:::role/ECSTaskExecution"
            ],
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": [
                        "ecs-tasks.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
Note

The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.

"Resource": "*"

CodeCatalyst read only role for Lambda

For CodeCatalyst workflow actions, you can create an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on Lambda resources in your AWS account.

This role gives permissions for the following:

  • Read Lambda functions and aliases.

  • Access revision files in Amazon S3 buckets.

  • Retrieve information about CloudWatch alarms.

This role uses the following policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudwatch:DescribeAlarms",
                "lambda:GetAlias",
                "lambda:GetProvisionedConcurrencyConfig"
            ],
            "Resource": "resource_ARN",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::/CodeDeploy/",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "",
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/UseWithCodeDeploy": "true"
                }
            },
            "Effect": "Allow"
        }
    ]
}
Note

The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.

"Resource": "*"

Creating roles manually for workflow actions

CodeCatalyst workflow actions use IAM roles that you create called the build role, the deploy role, and the stack role.

Follow these steps to create these roles in IAM.

To create a deploy role
  1. Create a policy for the role, as follows:

    1. Sign in to AWS.

    2. Open the IAM console at https://console.aws.amazon.com/iam/.

    3. In the navigation pane, choose Policies.

    4. Choose Create policy.

    5. Choose the JSON tab.

    6. Delete the existing code.

    7. Paste the following code:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Action": [
                      "cloudformation:CreateStack",
                      "cloudformation:DeleteStack",
                      "cloudformation:Describe*",
                      "cloudformation:UpdateStack",
                      "cloudformation:CreateChangeSet",
                      "cloudformation:DeleteChangeSet",
                      "cloudformation:ExecuteChangeSet",
                      "cloudformation:SetStackPolicy",
                      "cloudformation:ValidateTemplate",
                      "cloudformation:List*",
                      "iam:PassRole"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
      Note

      The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.

      "Resource": "*"
    8. Choose Next: Tags.

    9. Choose Next: Review.

    10. In Name, enter:

      codecatalyst-deploy-policy
    11. Choose Create policy.

      You have now created a permissions policy.

  2. Create the deploy role, as follows:

    1. In the navigation pane, choose Roles, and then choose Create role.

    2. Choose Custom trust policy.

    3. Delete the existing custom trust policy.

    4. Add the following custom trust policy:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": [
                          "codecatalyst-runner.amazonaws.com",
                          "codecatalyst.amazonaws.com"
                      ]
                  },
                  "Action": "sts:AssumeRole"
              }
          ]
      }
    5. Choose Next.

    6. In Permissions policies, search for codecatalyst-deploy-policy and select its check box.

    7. Choose Next.

    8. For Role name, enter:

      codecatalyst-deploy-role
    9. For Role description, enter:

      CodeCatalyst deploy role
    10. Choose Create role.

    You have now created a deploy role with a trust policy and permissions policy.

  3. Obtain the deploy role ARN, as follows:

    1. In the navigation pane, choose Roles.

    2. In the search box, enter the name of the role you just created (codecatalyst-deploy-role).

    3. Choose the role from the list.

      The role's Summary page appears.

    4. At the top, copy the ARN value.

    You have now created the deploy role with the appropriate permissions, and obtained its ARN.
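Every Note on this page says the same thing: start the first workflow run with "Resource": "*" and then scope the policy down to the resource names once they exist. The script below is an added example, not code from the CodeCatalyst documentation: it takes the deploy policy created in the procedure above and a list of (action pattern, ARNs) pairs and rewrites each statement that was on "*" so that every action is limited to the ARNs now known for it. The stack name, account ID and ARNs are constructed placeholders. It also keeps cloudformation:ValidateTemplate on "*" explicitly, because that action does not support resource-level permissions and would simply stop working if it were restricted to a stack ARN; any action with no mapping at all is reported as unresolved rather than silently left open.

```python
"""Added example (not from the CodeCatalyst documentation): scope a first-run
policy that used "Resource": "*" down to the ARNs the workflow actually touched."""
import copy
import fnmatch
import json

# Constructed sample: the deploy policy from the procedure above, first-run form.
FIRST_RUN_DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudformation:CreateStack", "cloudformation:DeleteStack",
                "cloudformation:Describe*", "cloudformation:UpdateStack",
                "cloudformation:CreateChangeSet", "cloudformation:DeleteChangeSet",
                "cloudformation:ExecuteChangeSet", "cloudformation:SetStackPolicy",
                "cloudformation:ValidateTemplate", "cloudformation:List*",
                "iam:PassRole",
            ],
            "Resource": "*",
            "Effect": "Allow",
        }
    ],
}

# Constructed sample mappings (placeholder account, region, stack and role names).
# Order matters: the first pattern that matches an action wins, so the exact
# entry for ValidateTemplate must come before the "cloudformation:*" glob.
KNOWN_RESOURCES = [
    ("cloudformation:ValidateTemplate", ["*"]),  # no resource-level permissions; stays on *
    ("cloudformation:*", ["arn:aws:cloudformation:us-east-1:123456789012:stack/example-stack/*"]),
    ("iam:PassRole", ["arn:aws:iam::123456789012:role/codecatalyst-stack-role"]),
]


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _resolve(action, known_resources):
    """Return the ARN list for the first pattern matching the action, else None."""
    for pattern, arns in known_resources:
        if fnmatch.fnmatchcase(action, pattern):
            return list(arns)
    return None


def scope_down(policy, known_resources):
    """Return (scoped_policy, unresolved_actions).

    Allow statements on Resource "*" are split so that actions sharing the same
    ARN list end up in one statement; other statements are copied unchanged.
    Actions with no mapping stay on "*" and are listed in unresolved_actions."""
    scoped = copy.deepcopy(policy)
    scoped["Statement"] = []
    unresolved = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or _as_list(stmt.get("Resource")) != ["*"]:
            scoped["Statement"].append(copy.deepcopy(stmt))
            continue
        groups = {}  # tuple of ARNs -> actions that resolve to them
        for action in _as_list(stmt["Action"]):
            arns = _resolve(action, known_resources)
            if arns is None:
                unresolved.append(action)
                arns = ["*"]
            groups.setdefault(tuple(arns), []).append(action)
        for arns, actions in groups.items():
            new_stmt = {k: copy.deepcopy(v) for k, v in stmt.items() if k not in ("Action", "Resource")}
            new_stmt["Action"] = actions
            new_stmt["Resource"] = list(arns)
            scoped["Statement"].append(new_stmt)
    return scoped, unresolved


def wildcard_actions(policy):
    """List the actions a policy still allows on every resource."""
    return [
        action
        for stmt in _as_list(policy["Statement"])
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action"))
    ]


if __name__ == "__main__":
    scoped_policy, unresolved_actions = scope_down(FIRST_RUN_DEPLOY_POLICY, KNOWN_RESOURCES)
    print(json.dumps(scoped_policy, indent=2))
    print("unresolved:", unresolved_actions)
    print("still on *:", wildcard_actions(scoped_policy))
```

The iam:PassRole entry is the one worth getting right first: left on "*", the deploy role can hand any role in the account to CloudFormation, which is why the page recommends a separate stack role and why this mapping pins PassRole to that role's ARN. Before applying the result, check each remaining action against the IAM service authorization reference for whether it accepts a resource ARN at all.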

To create a build role
  1. Create a policy for the role, as follows:

    1. Sign in to AWS.

    2. Open the IAM console at https://console.aws.amazon.com/iam/.

    3. In the navigation pane, choose Policies.

    4. Choose Create policy.

    5. Choose the JSON tab.

    6. Delete the existing code.

    7. Paste the following code:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Action": [
                      "s3:PutObject",
                      "iam:PassRole"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
      Note

      The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.

      "Resource": "*"
    8. Choose Next: Tags.

    9. Choose Next: Review.

    10. In Name, enter:

      codecatalyst-build-policy
    11. Choose Create policy.

      You have now created a permissions policy.

  2. Create the build role, as follows:

    1. In the navigation pane, choose Roles, and then choose Create role.

    2. Choose Custom trust policy.

    3. Delete the existing custom trust policy.

    4. Add the following custom trust policy:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": [
                          "codecatalyst-runner.amazonaws.com",
                          "codecatalyst.amazonaws.com"
                      ]
                  },
                  "Action": "sts:AssumeRole"
              }
          ]
      }
    5. Choose Next.

    6. In Permissions policies, search for codecatalyst-build-policy and select its check box.

    7. Choose Next.

    8. For Role name, enter:

      codecatalyst-build-role
    9. For Role description, enter:

      CodeCatalyst build role
    10. Choose Create role.

    You have now created a build role with a trust policy and permissions policy.

  3. Obtain the build role ARN, as follows:

    1. In the navigation pane, choose Roles.

    2. In the search box, enter the name of the role you just created (codecatalyst-build-role).

    3. Choose the role from the list.

      The role's Summary page appears.

    4. At the top, copy the ARN value.

    You have now created the build role with the appropriate permissions, and obtained its ARN.

To create a stack role
Note

You don't have to create a stack role, although doing so is recommended for security reasons. If you don't create the stack role, you'll need to add the permissions policies described further on in this procedure to the deploy role.

  1. Sign in to AWS using the account where you want to deploy your stack.

  2. Open the IAM console at https://console.aws.amazon.com/iam/.

  3. In the navigation pane, choose Roles, and then choose Create role.

  4. At the top, choose AWS service.

  5. From the list of services, choose CloudFormation.

  6. Choose Next: Permissions.

  7. In the search box, add any policies that are required to access the resources in your stack. For example, if your stack includes an AWS Lambda function, you need to add a policy that grants access to Lambda.

    Tip

    If you're unsure which policies to add, you can omit them for now. When you test the action, if you don't have the right permissions, AWS CloudFormation generates errors that show which permissions you need to add.

  8. Choose Next: Tags.

  9. Choose Next: Review.

  10. For Role name, enter:

    codecatalyst-stack-role
  11. Choose Create role.

  12. To obtain the stack role's ARN, do the following:

    1. In the navigation pane, choose Roles.

    2. In the search box, enter the name of the role you just created (codecatalyst-stack-role).

    3. Choose the role from the list.

    4. On the Summary page, copy the Role ARN value.

Using AWS CloudFormation to create policies and roles in IAM

You can choose to create and use AWS CloudFormation templates to create the policies and roles you need to access resources in an AWS account for your CodeCatalyst projects and workflows. AWS CloudFormation is a service that helps you model and set up your AWS resources so that you can spend less time managing those resources and more time focusing on your applications that run on AWS. If you intend to create roles in multiple AWS accounts, creating a template can help you perform this task more quickly.

The following example template creates a deploy action role and policy.

Parameters:
  CodeCatalystAccountId:
    Type: String
    Description: Account ID from the connections page
  ExternalId:
    Type: String
    Description: External ID from the connections page
Resources:
  CrossAccountRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Ref CodeCatalystAccountId
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      Path: /
      Policies:
        - PolicyName: CodeCatalyst-CloudFormation-action-policy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - 'cloudformation:CreateStack'
                  - 'cloudformation:DeleteStack'
                  - 'cloudformation:Describe*'
                  - 'cloudformation:UpdateStack'
                  - 'cloudformation:CreateChangeSet'
                  - 'cloudformation:DeleteChangeSet'
                  - 'cloudformation:ExecuteChangeSet'
                  - 'cloudformation:SetStackPolicy'
                  - 'cloudformation:ValidateTemplate'
                  - 'cloudformation:List*'
                  - 'iam:PassRole'
                Resource: '*'
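The template above trusts an AWS account principal rather than the CodeCatalyst service principals used by the console-created roles, and it adds a StringEquals condition on sts:ExternalId so that only a caller presenting the external ID from the connections page can assume the role. The script below is an added example, not code from the CodeCatalyst documentation: a deliberately small evaluator for the two trust-policy shapes on this page (Service principals, and AWS account principals with an sts:ExternalId condition) that shows which callers each policy admits, plus a check that flags account principals trusted without an external ID. Account IDs and the external ID are constructed placeholders; the evaluator models only the principal and condition keys that appear on this page, and account principals are compared as bare IDs, as the template writes them (IAM itself stores them as the account root ARN).

```python
"""Added example (not from the CodeCatalyst documentation): evaluate who can
assume a role under the two trust-policy shapes shown on this page."""

# Constructed sample: the service-principal trust policy the console creates.
SERVICE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["codecatalyst.amazonaws.com", "codecatalyst-runner.amazonaws.com"]},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed sample: what the CloudFormation template produces, with placeholder
# values in place of the account ID and external ID from the connections page.
CROSS_ACCOUNT_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["111111111111"]},
        "Action": ["sts:AssumeRole"],
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}


def _as_list(value):
    """IAM accepts a string or a list in most positions; normalize to a list."""
    return value if isinstance(value, list) else [value]


def can_assume(trust_policy, *, service=None, account=None, external_id=None):
    """Return True if the caller satisfies some Allow statement of the trust policy.

    The caller is either a service principal (service=...) or an account
    (account=...); external_id is what the caller presented on AssumeRole.
    Only Service/AWS principals and the StringEquals sts:ExternalId condition
    are modelled, which is all this page's trust policies use."""
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if service is not None:
            matched = service in _as_list(principal.get("Service", []))
        elif account is not None:
            matched = account in _as_list(principal.get("AWS", []))
        else:
            matched = False
        if not matched:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and external_id != required:
            continue  # right principal, wrong or missing external ID: this statement denies
        return True
    return False


def accounts_without_external_id(trust_policy):
    """Return account principals that are trusted with no sts:ExternalId condition.

    A cross-account trust without the condition is the confused-deputy exposure
    the template's Condition block closes, so it is worth flagging on review."""
    exposed = []
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        accounts = _as_list(stmt.get("Principal", {}).get("AWS", []))
        has_external_id = "sts:ExternalId" in stmt.get("Condition", {}).get("StringEquals", {})
        if accounts and not has_external_id:
            exposed.extend(accounts)
    return exposed


if __name__ == "__main__":
    print(can_assume(SERVICE_TRUST, service="codecatalyst-runner.amazonaws.com"))
    print(can_assume(CROSS_ACCOUNT_TRUST, account="111111111111", external_id="example-external-id"))
    print(can_assume(CROSS_ACCOUNT_TRUST, account="111111111111"))
    print(accounts_without_external_id(CROSS_ACCOUNT_TRUST))
```

The point the evaluator makes concrete: with the template's condition in place, knowing the trusted account ID is not enough to assume the role, the caller must also present the external ID, and a trust policy that names an account without that condition shows up in accounts_without_external_id.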

Creating the role manually for the web application blueprint

The CodeCatalyst web application blueprint uses IAM roles that you create called the build role for CDK, the deploy role, and the stack role.

Follow these steps to create the role in IAM.

To create a build role
  1. Create a policy for the role, as follows:

    1. Sign in to AWS.

    2. Open the IAM console at https://console.aws.amazon.com/iam/.

    3. In the navigation pane, choose Policies.

    4. Choose Create Policy.

    5. Choose the JSON tab.

    6. Delete the existing code.

    7. Paste the following code:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "cloudformation:*",
              "ecr:*",
              "ssm:*",
              "s3:*",
              "iam:PassRole",
              "iam:GetRole",
              "iam:CreateRole",
              "iam:AttachRolePolicy",
              "iam:PutRolePolicy"
            ],
            "Resource": "*"
          }
        ]
      }
      Note

      The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.

      "Resource": "*"
    8. Choose Next: Tags.

    9. Choose Next: Review.

    10. In Name, enter:

      codecatalyst-webapp-build-policy
    11. Choose Create policy.

      You have now created a permissions policy.

  2. Create the build role, as follows:

    1. In the navigation pane, choose Roles, and then choose Create role.

    2. Choose Custom trust policy.

    3. Delete the existing custom trust policy.

    4. Add the following custom trust policy:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "codecatalyst-runner.amazonaws.com",
                "codecatalyst.amazonaws.com"
              ]
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
    5. Choose Next.

    6. Attach the permissions policy to the build role. On the Add permissions page, in the Permissions policies section, search for codecatalyst-webapp-build-policy and select its check box.

    7. Choose Next.

    8. For Role name, enter:

      codecatalyst-webapp-build-role
    9. For Role description, enter:

      CodeCatalyst Web app build role
    10. Choose Create role.

    You have now created a build role with a trust policy and permissions policy.

  3. Attach the permissions policy to the build role, as follows:

    1. In the navigation pane, choose Roles, and then search for codecatalyst-webapp-build-role.

    2. Choose codecatalyst-webapp-build-role to display its details.

    3. In the Permissions tab, choose Add permissions, and then choose Attach policies.

    4. Search for codecatalyst-webapp-build-policy, select its check box, and then choose Attach policies.

      You have now attached the permissions policy to the build role. The build role now has two policies: a permissions policy and a trust policy.

  4. Obtain the build role ARN, as follows:

    1. In the navigation pane, choose Roles.

    2. In the search box, enter the name of the role you just created (codecatalyst-webapp-build-role).

    3. Choose the role from the list.

      The role's Summary page appears.

    4. At the top, copy the ARN value.

    You have now created the build role with the appropriate permissions, and obtained its ARN.

Creating roles manually for the SAM blueprint

The CodeCatalyst SAM blueprint uses IAM roles that you create called the build role for CloudFormation and the deploy role for SAM.

Follow these steps to create the roles in IAM.

To create a build role for CloudFormation
  1. Create a policy for the role, as follows:

    1. Sign in to AWS.

    2. Open the IAM console at https://console.aws.amazon.com/iam/.

    3. In the navigation pane, choose Policies.

    4. Choose Create Policy.

    5. Choose the JSON tab.

    6. Delete the existing code.

    7. Paste the following code:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:*",
              "cloudformation:*"
            ],
            "Resource": "*"
          }
        ]
      }
      Note

      The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.

      "Resource": "*"
    8. Choose Next: Tags.

    9. Choose Next: Review.

    10. In Name, enter:

      codecatalyst-SAM-build-policy
    11. Choose Create policy.

      You have now created a permissions policy.

  2. Create the build role, as follows:

    1. In the navigation pane, choose Roles, and then choose Create role.

    2. Choose Custom trust policy.

    3. Delete the existing custom trust policy.

    4. Add the following custom trust policy:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "codecatalyst-runner.amazonaws.com",
                "codecatalyst.amazonaws.com"
              ]
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
    5. Choose Next.

    6. Attach the permissions policy to the build role. On the Add permissions page, in the Permissions policies section, search for codecatalyst-SAM-build-policy and select its check box.

    7. Choose Next.

    8. For Role name, enter:

      codecatalyst-SAM-build-role
    9. For Role description, enter:

      CodeCatalyst SAM build role
    10. Choose Create role.

    You have now created a build role with a trust policy and permissions policy.

  3. Attach the permissions policy to the build role, as follows:

    1. In the navigation pane, choose Roles, and then search for codecatalyst-SAM-build-role.

    2. Choose codecatalyst-SAM-build-role to display its details.

    3. In the Permissions tab, choose Add permissions, and then choose Attach policies.

    4. Search for codecatalyst-SAM-build-policy, select its check box, and then choose Attach policies.

      You have now attached the permissions policy to the build role. The build role now has two policies: a permissions policy and a trust policy.

  4. Obtain the build role ARN, as follows:

    1. In the navigation pane, choose Roles.

    2. In the search box, enter the name of the role you just created (codecatalyst-SAM-build-role).

    3. Choose the role from the list.

      The role's Summary page appears.

    4. At the top, copy the ARN value.

    You have now created the build role with the appropriate permissions, and obtained its ARN.

To create a deploy role for SAM
  1. Create a policy for the role, as follows:

    1. Sign in to AWS.

    2. Open the IAM console at https://console.aws.amazon.com/iam/.

    3. In the navigation pane, choose Policies.

    4. Choose Create Policy.

    5. Choose the JSON tab.

    6. Delete the existing code.

    7. Paste the following code:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:PutObject",
              "s3:GetObject",
              "iam:PassRole",
              "iam:DeleteRole",
              "iam:GetRole",
              "iam:TagRole",
              "iam:CreateRole",
              "iam:AttachRolePolicy",
              "iam:DetachRolePolicy",
              "cloudformation:*",
              "lambda:*",
              "apigateway:*"
            ],
            "Resource": "*"
          }
        ]
      }
      Note

      The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.

      "Resource": "*"
    8. Choose Next: Tags.

    9. Choose Next: Review.

    10. In Name, enter:

      codecatalyst-SAM-deploy-policy
    11. Choose Create policy.

      You have now created a permissions policy.

  2. Create the deploy role, as follows:

    1. In the navigation pane, choose Roles, and then choose Create role.

    2. Choose Custom trust policy.

    3. Delete the existing custom trust policy.

    4. Add the following custom trust policy:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "codecatalyst-runner.amazonaws.com",
                "codecatalyst.amazonaws.com"
              ]
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
    5. Choose Next.

    6. Attach the permissions policy to the deploy role. On the Add permissions page, in the Permissions policies section, search for codecatalyst-SAM-deploy-policy and select its check box.

    7. Choose Next.

    8. For Role name, enter:

      codecatalyst-SAM-deploy-role
    9. For Role description, enter:

      CodeCatalyst SAM deploy role
    10. Choose Create role.

    You have now created a deploy role with a trust policy and permissions policy.

  3. Attach the permissions policy to the deploy role, as follows:

    1. In the navigation pane, choose Roles, and then search for codecatalyst-SAM-deploy-role.

    2. Choose codecatalyst-SAM-deploy-role to display its details.

    3. In the Permissions tab, choose Add permissions, and then choose Attach policies.

    4. Search for codecatalyst-SAM-deploy-policy, select its check box, and then choose Attach policies.

      You have now attached the permissions policy to the deploy role. The deploy role now has two policies: a permissions policy and a trust policy.

  4. Obtain the deploy role ARN, as follows:

    1. In the navigation pane, choose Roles.

    2. In the search box, enter the name of the role you just created (codecatalyst-SAM-deploy-role).

    3. Choose the role from the list.

      The role's Summary page appears.

    4. At the top, copy the ARN value.

    You have now created the deploy role with the appropriate permissions, and obtained its ARN.
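The checks a practitioner would want before handing a role ARN to CodeCatalyst, covering both the CloudFormation template above (an account principal that must carry the sts:ExternalId condition) and the manual procedures' advice to start with a wildcard Resource and scope it down later. This is an added example, not AWS or CodeCatalyst code; the sample policy is constructed from the SAM deploy policy on this page, and the role names and ARNs used with it are placeholders.

```python
import json

# CodeCatalyst service principals from the trust policies on this page.
CODECATALYST_SERVICE_PRINCIPALS = {
    "codecatalyst-runner.amazonaws.com",
    "codecatalyst.amazonaws.com",
}

# Constructed sample: a cut-down SAM deploy policy from this page, still on Resource "*".
SAMPLE_DEPLOY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["s3:PutObject", "s3:GetObject", "iam:PassRole", "cloudformation:*"]}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_trust_policy(doc):
    """Findings for an assume-role policy: only the CodeCatalyst service
    principals may assume the role, and an AWS-account principal (the
    CloudFormation template form) must carry the sts:ExternalId condition."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or principal.get("AWS") == "*":
            findings.append("any principal may assume the role")
            continue
        for svc in _as_list(principal.get("Service", [])):
            if svc not in CODECATALYST_SERVICE_PRINCIPALS:
                findings.append(f"unexpected service principal: {svc}")
        if "AWS" in principal and "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("account principal without sts:ExternalId condition")
    return findings

def wildcard_resource_actions(doc):
    """(statement index, action) pairs that are still allowed on Resource '*'."""
    return [(i, a) for i, s in enumerate(doc.get("Statement", []))
            if s.get("Effect") == "Allow" and "*" in _as_list(s.get("Resource", []))
            for a in _as_list(s.get("Action", []))]

def scope_down(doc, resource_arns):
    """Copy of the policy with every wildcard Resource replaced by the given ARNs."""
    new_doc = json.loads(json.dumps(doc))  # deep copy so the input is left untouched
    for stmt in new_doc["Statement"]:
        if "*" in _as_list(stmt.get("Resource", [])):
            stmt["Resource"] = list(resource_arns)
    return new_doc
```

Run check_trust_policy against the trust policy you pasted and wildcard_resource_actions against the permissions policy after the first workflow run; scope_down produces the narrowed document to paste back into the IAM console.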