Grant access to project AWS resources with IAM roles
CodeCatalyst can access AWS resources by connecting your AWS account to a CodeCatalyst space. You can then create the following service roles and associate them when you connect your account.
For more information about the elements that you use in a JSON policy, see IAM JSON Policy Elements Reference in the IAM User Guide.
-
To access resources in an AWS account for your CodeCatalyst projects and workflows, you must first grant permission for CodeCatalyst to access those resources on your behalf. To do so, you must create a service role in a connected AWS account that CodeCatalyst can assume on behalf of users and projects in the space. You can either choose to create and use the CodeCatalystWorkflowDevelopmentRole-
spaceNameservice role, or you can create customized service roles and configure these IAM policies and roles manually. As a best practice, assign these roles the least amount of permissions necessary.Note
For customized service roles, the CodeCatalyst service principal is required. For more information about the CodeCatalyst service principal and trust model, see Understanding the CodeCatalyst trust model.
-
To manage support for a space through the connected AWS account, you can choose to create and use the AWSRoleForCodeCatalystSupport service role that allows CodeCatalyst users to access support. For more information about support for a CodeCatalyst space, see AWS Support for Amazon CodeCatalyst.
Understanding the CodeCatalystWorkflowDevelopmentRole-spaceName service role
You can add an IAM role for your space that CodeCatalyst can use to create and access
resources in a connected AWS account. This is called a service
role. The simplest way to create a service role is to add one when you create the
space and to choose the CodeCatalystWorkflowDevelopmentRole-spaceName option for that role. This not only creates the service
role with the AdministratorAccess attached, but it also creates the trust policy
that allows CodeCatalyst to assume the role on behalf of users in projects in the space. The
service role is scoped to the space, not to individual projects. To create this role, see
Creating the CodeCatalystWorkflowDevelopmentRole-spaceName role for your account
and space.
You can only create one role for each space in each account.
Note
This role is only recommended for use with development accounts and uses the
AdministratorAccess AWS managed policy, giving it full access to create new
policies and resources in this AWS account.
The policy attached to the CodeCatalystWorkflowDevelopmentRole-spaceName role is designed to work with projects created with
blueprints in the space. It allows users in those projects to develop, build, test, and
deploy code using resources in the connected AWS account. For more information, see Creating a
role for an AWS service.
The policy attached to the CodeCatalystWorkflowDevelopmentRole-spaceName role is the AdministratorAccess managed
policy in AWS. This is a policy that grants full access to all AWS actions and resources.
To view the JSON policy document in the IAM console, see AdministratorAccess
The following trust policy allows CodeCatalyst to assume the CodeCatalystWorkflowDevelopmentRole-spaceName role. For more
information about the CodeCatalyst trust model, see Understanding the CodeCatalyst trust model.
"Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "codecatalyst-runner.amazonaws.com", "codecatalyst.amazonaws.com" ] }, "Action": "sts:AssumeRole", "Condition": { "ArnLike": { "aws:SourceArn": "arn:aws:codecatalyst:::space/spaceId/project/*" } } } ]
Creating the CodeCatalystWorkflowDevelopmentRole-spaceName role for your account
and space
Follow these steps to create the CodeCatalystWorkflowDevelopmentRole- role that will be used for workflows in
your space. For each account that you want to have IAM roles for use in projects, to
your space, you must add a role such as the developer role. spaceName
Before you begin, you must have administrative privileges for your AWS account or be able to work with your administrator. For more information about how AWS accounts and IAM roles are used in CodeCatalyst, see Allowing access to AWS resources with connected AWS accounts.
To create and add the CodeCatalyst CodeCatalystWorkflowDevelopmentRole-spaceName
-
Before you start in the CodeCatalyst console, open the AWS Management Console, and then make sure you are logged in with the same AWS account for your space.
Open the CodeCatalyst console at https://codecatalyst.aws/
. -
Navigate to your CodeCatalyst space. Choose Settings, and then choose AWS accounts.
-
Choose the link for the AWS account where you want to create the role. The AWS account details page displays.
-
Choose Manage roles from AWS Management Console.
The Add IAM role to Amazon CodeCatalyst space page opens in the AWS Management Console. This is the Amazon CodeCatalyst spaces page. You might need to log in to access the page.
-
Choose Create CodeCatalyst development administrator role in IAM. This option creates a service role that contains the permissions policy and trust policy for the development role. The role will have a name
CodeCatalystWorkflowDevelopmentRole-. For more information about the role and role policy, see Understanding the CodeCatalystWorkflowDevelopmentRole-spaceName service role.spaceNameNote
This role is only recommended for use with developer accounts and uses the
AdministratorAccessAWS managed policy, giving it full access to create new policies and resources in this AWS account. -
Choose Create development role.
-
On the connections page, under IAM roles available to CodeCatalyst, view the
CodeCatalystWorkflowDevelopmentRole-role in the list of IAM roles added to your account.spaceName -
To return to your space, choose Go to Amazon CodeCatalyst.
Understanding the AWSRoleForCodeCatalystSupport service role
You can add an IAM role for your space that CodeCatalyst users in a space can use to
create and access support cases. This is called a service
role for support.The simplest way to create a service role for support is to add one
when you create the space and to choose the AWSRoleForCodeCatalystSupport option for that
role. This not only creates the policy and the role, but it also creates the trust policy that
allows CodeCatalyst to assume the role on behalf of users in projects in the space. The service
role is scoped to the space, not to individual projects. To create this role, see Creating the AWSRoleForCodeCatalystSupport role for your
account and space.
The policy attached to the AWSRoleForCodeCatalystSupport role is managed policy that provides
access to support permissions. For more information, see AWS managed policy: AmazonCodeCatalystSupportAccess.
The trust role for the policy allows CodeCatalyst to assume the role.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "codecatalyst.amazonaws.com", "codecatalyst-runner.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }
Creating the AWSRoleForCodeCatalystSupport role for your account and space
Follow these steps to create the AWSRoleForCodeCatalystSupport role that will be used for
support cases in your space. The role must be added to the designated billing account for
the space.
Before you begin, you must have administrative privileges for your AWS account or be able to work with your administrator. For more information about how AWS accounts and IAM roles are used in CodeCatalyst, see Allowing access to AWS resources with connected AWS accounts.
To create and add the CodeCatalyst AWSRoleForCodeCatalystSupport
-
Before you start in the CodeCatalyst console, open the AWS Management Console, and then make sure you are logged in with the same AWS account for your space.
-
Navigate to your CodeCatalyst space. Choose Settings, and then choose AWS accounts.
-
Choose the link for the AWS account where you want to create the role. The AWS account details page displays.
-
Choose Manage roles from AWS Management Console.
The Add IAM role to Amazon CodeCatalyst space page opens in the AWS Management Console. This is the Amazon CodeCatalyst Spaces page. You might need to sign in to access the page.
-
Under CodeCatalyst space details, choose Add CodeCatalyst Support role. This option creates a service role that contains the permissions policy and trust policy for the preview development role. The role will have a name AWSRoleForCodeCatalystSupport with a unique identifier appended. For more information about the role and role policy, see Understanding the AWSRoleForCodeCatalystSupport service role.
-
On the Add role for CodeCatalyst Support page, leave the default selected, and then choose Create role.
-
Under IAM roles available to CodeCatalyst, view the
CodeCatalystWorkflowDevelopmentRole-role in the list of IAM roles added to your account.spaceName -
To return to your space, choose Go to Amazon CodeCatalyst.
Configuring IAM roles for workflow actions in CodeCatalyst
This section details IAM roles and policies that you can create to use with your CodeCatalyst account. For instructions to create example roles, see Creating roles manually for workflow actions. After you create your IAM role, copy the role ARN to add the IAM role to your account connection and associate it with your project environment. To learn more, see Adding IAM roles to account connections.
CodeCatalyst build role for Amazon S3 access
For CodeCatalyst workflow build actions, you can use the default CodeCatalystWorkflowDevelopmentRole-spaceName service role, or
you can create an IAM role named CodeCatalystBuildRoleforS3Access. This role uses a policy with scoped permissions
that CodeCatalyst needs to run tasks on AWS CloudFormation resources in your AWS account.
This role gives permissions to do the following:
-
Write to Amazon S3 buckets.
-
Support building of resources with AWS CloudFormation. This requires Amazon S3 access.
This role uses the following policy:
{ "Version": "2012-10-17", "Statement": [{ "Action": [ "s3:PutObject", "iam:PassRole" ], "Resource": "resource_ARN", "Effect": "Allow" }] }
Note
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.
"Resource": "*"
CodeCatalyst build role for AWS CloudFormation
For CodeCatalyst workflow build actions, you can use the default CodeCatalystWorkflowDevelopmentRole-spaceName service role, or
you can create an IAM role with the necessary permissions. This role uses a policy with
scoped permissions that CodeCatalyst needs to run tasks on AWS CloudFormation resources in your AWS account.
This role gives permissions to do the following:
-
Support building of resources with AWS CloudFormation. This is required along with the CodeCatalyst build role for Amazon S3 access and the CodeCatalyst deploy role for AWS CloudFormation.
The following AWS managed policies should be attached to this role:
-
AWSCloudFormationFullAccess
-
IAMFullAccess
-
AmazonS3FullAccess
-
AmazonAPIGatewayAdministrator
-
AWSLambdaFullAccess
CodeCatalyst build role for CDK
For CodeCatalyst workflows that run CDK build actions, such as Modern three-tier web application, you can
use the default CodeCatalystWorkflowDevelopmentRole-spaceName service role, or you can create an IAM role with the necessary
permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to bootstrap
and run CDK build commands for AWS CloudFormation resources in your AWS account.
This role gives permissions to do the following:
-
Write to Amazon S3 buckets.
-
Support building of CDK constructs and AWS CloudFormation resource stacks. This requires access to Amazon S3 for artifact storage, Amazon ECR for image repository support, and SSM for system governance and monitoring for virtual instances.
This role uses the following policy:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:*", "ecr:*", "ssm:*", "s3:*", "iam:PassRole", "iam:GetRole", "iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy" ], "Resource": "*" } ] }
Note
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.
"Resource": "*"
CodeCatalyst deploy role for AWS CloudFormation
For CodeCatalyst workflow deploy actions that use AWS CloudFormation, you can use the default CodeCatalystWorkflowDevelopmentRole-spaceName
service role, or you can use a policy with scoped permissions that CodeCatalyst needs to run tasks
on AWS CloudFormation resources in your AWS account.
This role gives permissions to do the following:
-
Allow CodeCatalyst to invoke a Λ function to perform blue/green deployment through AWS CloudFormation.
-
Allow CodeCatalyst to create and update stacks and changesets in AWS CloudFormation.
This role uses the following policy:
{"Action": [ "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:Describe*", "cloudformation:UpdateStack", "cloudformation:CreateChangeSet", "cloudformation:DeleteChangeSet", "cloudformation:ExecuteChangeSet", "cloudformation:SetStackPolicy", "cloudformation:ValidateTemplate", "cloudformation:List*", "iam:PassRole" ], "Resource": "resource_ARN", "Effect": "Allow" }
Note
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.
"Resource": "*"
CodeCatalyst deploy role for Amazon EC2
CodeCatalyst workflow deploy actions use an IAM role with the necessary permissions. This
role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on Amazon EC2 resources
in your AWS account. The default policy for the CodeCatalystWorkflowDevelopmentRole-spaceName role does not
include permissions for Amazon EC2 or Amazon EC2 Auto Scaling.
This role gives permissions to do the following:
-
Create Amazon EC2 deployments.
-
Read the tags on an instance or identify an Amazon EC2 instance by Auto Scaling group names.
-
Read, create, update, and delete Amazon EC2 Auto Scaling groups, lifecycle hooks, and scaling policies.
-
Publish information to Amazon SNS topics.
-
Retrieve information about CloudWatch alarms.
-
Read and update Elastic Load Balancing.
This role uses the following policy:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "autoscaling:CompleteLifecycleAction", "autoscaling:DeleteLifecycleHook", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLifecycleHooks", "autoscaling:PutLifecycleHook", "autoscaling:RecordLifecycleActionHeartbeat", "autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup", "autoscaling:EnableMetricsCollection", "autoscaling:DescribePolicies", "autoscaling:DescribeScheduledActions", "autoscaling:DescribeNotificationConfigurations", "autoscaling:SuspendProcesses", "autoscaling:ResumeProcesses", "autoscaling:AttachLoadBalancers", "autoscaling:AttachLoadBalancerTargetGroups", "autoscaling:PutScalingPolicy", "autoscaling:PutScheduledUpdateGroupAction", "autoscaling:PutNotificationConfiguration", "autoscaling:PutWarmPool", "autoscaling:DescribeScalingActivities", "autoscaling:DeleteAutoScalingGroup", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:TerminateInstances", "tag:GetResources", "sns:Publish", "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeInstanceHealth", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:DeregisterTargets" ], "Resource": "resource_ARN" } ] }
Note
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.
"Resource": "*"
CodeCatalyst deploy role for Amazon ECS
For CodeCatalyst workflow actions, you can create an IAM role with the necessary
permissions. You can use the default CodeCatalystWorkflowDevelopmentRole-spaceName service role, or you can create an IAM role
for CodeCatalyst deploy actions to use for Lambda deployments. This role uses a policy with scoped
permissions that CodeCatalyst needs to run tasks on Amazon ECS resources in your AWS account.
This role gives permissions to do the following:
-
Initiate rolling Amazon ECS deployment on behalf of a CodeCatalyst user, in an account specified in the CodeCatalyst connection.
-
Read, update, and delete Amazon ECS task sets.
-
Update Elastic Load Balancing target groups, listeners, and rules.
-
Invoke Lambda functions.
-
Access revision files in Amazon S3 buckets.
-
Retrieve information about CloudWatch alarms.
-
Publish information to Amazon SNS topics.
This role uses the following policy:
{ "Version": "2012-10-17", "Statement": [{ "Action":[ "ecs:DescribeServices", "ecs:CreateTaskSet", "ecs:DeleteTaskSet", "ecs:ListClusters", "ecs:RegisterTaskDefinition", "ecs:UpdateServicePrimaryTaskSet", "ecs:UpdateService", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:ModifyListener", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:ModifyRule", "lambda:InvokeFunction", "lambda:ListFunctions", "cloudwatch:DescribeAlarms", "sns:Publish", "sns:ListTopics", "s3:GetObject", "s3:GetObjectVersion", "codedeploy:CreateApplication", "codedeploy:CreateDeployment", "codedeploy:CreateDeploymentGroup", "codedeploy:GetApplication", "codedeploy:GetDeployment", "codedeploy:GetDeploymentGroup", "codedeploy:ListApplications", "codedeploy:ListDeploymentGroups", "codedeploy:ListDeployments", "codedeploy:StopDeployment", "codedeploy:GetDeploymentTarget", "codedeploy:ListDeploymentTargets", "codedeploy:GetDeploymentConfig", "codedeploy:GetApplicationRevision", "codedeploy:RegisterApplicationRevision", "codedeploy:BatchGetApplicationRevisions", "codedeploy:BatchGetDeploymentGroups", "codedeploy:BatchGetDeployments", "codedeploy:BatchGetApplications", "codedeploy:ListApplicationRevisions", "codedeploy:ListDeploymentConfigs", "codedeploy:ContinueDeployment" ], "Resource":"*", "Effect":"Allow" },{"Action":[ "iam:PassRole" ], "Effect":"Allow", "Resource":"*", "Condition":{"StringLike":{"iam:PassedToService":[ "ecs-tasks.amazonaws.com", "codedeploy.amazonaws.com" ] } } }] }
Note
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.
"Resource": "*"
CodeCatalyst deploy role for Lambda
For CodeCatalyst workflow actions, you can create an IAM role with the necessary permissions.
You can use the default CodeCatalystWorkflowDevelopmentRole-spaceName service role, or or you create an IAM role for CodeCatalyst
deploy actions to use for Lambda deployments. This role uses a policy with scoped permissions
that CodeCatalyst needs to run tasks on Lambda resources in your AWS account.
This role gives permissions to do the following:
-
Read, update, and invoke Lambda functions and aliases.
-
Access revision files in Amazon S3 buckets.
-
Retrieve information about CloudWatch Events alarms.
-
Publish information to Amazon SNS topics.
This role uses the following policy:
*{* "Version": "2012-10-17", "Statement": [ { "Action": [ "cloudwatch:DescribeAlarms", "lambda:UpdateAlias", "lambda:GetAlias", "lambda:GetProvisionedConcurrencyConfig", "sns:Publish" ], "Resource": "resource_ARN", "Effect": "Allow" }, { "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::/CodeDeploy/", "Effect": "Allow" }, { "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": "", "Condition": { "StringEquals": { "s3:ExistingObjectTag/UseWithCodeDeploy": "true" } }, "Effect": "Allow" }, { "Action": [ "lambda:InvokeFunction" ], "Resource": "arn:aws:lambda:::function:CodeDeployHook_*", "Effect": "Allow" } ] }
Note
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.
"Resource": "*"
CodeCatalyst deploy role for Lambda
For CodeCatalyst workflow actions, you can use the default CodeCatalystWorkflowDevelopmentRole-spaceName service role, or you can
create an IAM role with the necessary permissions. This role uses a policy with scoped
permissions that CodeCatalyst needs to run tasks on Lambda resources in your AWS account.
This role gives permissions to do the following:
-
Read, update, and invoke Lambda functions and aliases.
-
Access revision files in Amazon S3 buckets.
-
Retrieve information about CloudWatch alarms.
-
Publish information to Amazon SNS topics.
This role uses the following policy:
*{* "Version": "2012-10-17", "Statement": [ { "Action": [ "cloudwatch:DescribeAlarms", "lambda:UpdateAlias", "lambda:GetAlias", "lambda:GetProvisionedConcurrencyConfig", "sns:Publish" ], "Resource": "resource_ARN", "Effect": "Allow" }, { "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::/CodeDeploy/", "Effect": "Allow" }, { "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": "", "Condition": { "StringEquals": { "s3:ExistingObjectTag/UseWithCodeDeploy": "true" } }, "Effect": "Allow" }, { "Action": [ "lambda:InvokeFunction" ], "Resource": "arn:aws:lambda:::function:CodeDeployHook_*", "Effect": "Allow" } ] }
Note
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.
"Resource": "*"
CodeCatalyst deploy role for AWS SAM
For CodeCatalyst workflow actions, you can use the default CodeCatalystWorkflowDevelopmentRole-spaceName service role, or you can
create an IAM role with the necessary permissions. This role uses a policy with scoped
permissions that CodeCatalyst needs to run tasks on AWS SAM and AWS CloudFormation resources in your AWS account.
This role gives permissions to do the following:
-
Allow CodeCatalyst to invoke a Lambda function to perform deployment of serverless and AWS SAM CLI applications.
-
Allow CodeCatalyst to create and update stacks and changesets in AWS CloudFormation.
This role uses the following policy:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "iam:PassRole", "iam:DeleteRole", "iam:GetRole", "iam:TagRole", "iam:CreateRole", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "cloudformation:*", "lambda:*", "apigateway:*" ], "Resource": "*" } ] }
Note
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.
"Resource": "*"
CodeCatalyst read only role for Amazon EC2
For CodeCatalyst workflow actions, you can create an IAM role with the necessary
permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks
on Amazon EC2 resources in your AWS account. The CodeCatalystWorkflowDevelopmentRole-spaceName service role does not
include permissions for Amazon EC2 or the described actions for Amazon CloudWatch.
This role gives permissions to do the following:
-
Get status of Amazon EC2 instances.
-
Get CloudWatch metrics for Amazon EC2 instances.
This role uses the following policy:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:Describe", "Resource": "resource_ARN" }, { "Effect": "Allow", "Action": "elasticloadbalancing:Describe", "Resource": "resource_ARN" }, { "Effect": "Allow", "Action": [ "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "cloudwatch:Describe" ], "Resource": "resource_ARN" }, { "Effect": "Allow", "Action": "autoscaling:Describe", "Resource": "resource_ARN" } ] }
Note
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.
"Resource": "*"
CodeCatalyst read only role for Amazon ECS
For CodeCatalyst workflow actions, you can create an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on Amazon ECS resources in your AWS account.
This role gives permissions to do the following:
-
Read Amazon ECS task sets.
-
Retrieve information about CloudWatch alarms.
This role uses the following policy:
*{* "Version": "2012-10-17", "Statement": [ { "Action": [ "ecs:DescribeServices", "cloudwatch:DescribeAlarms" ], "Resource": "resource_ARN", "Effect": "Allow" }, { "Action": [ "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeRules" ], "Resource": "resource_ARN", "Effect": "Allow" }, { "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": "", "Condition": { "StringEquals": { "s3:ExistingObjectTag/UseWithCodeDeploy": "true" } }, "Effect": "Allow" }, { "Action": [ "iam:PassRole" ], "Effect": "Allow", "Resource": [ "arn:aws:iam:::role/ecsTaskExecutionRole", "arn:aws:iam:::role/ECSTaskExecution" ], "Condition": { "StringLike": { "iam:PassedToService": [ "ecs-tasks.amazonaws.com" ] } } } ] }
Note
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.
"Resource": "*"
CodeCatalyst read only role for Lambda
For CodeCatalyst workflow actions, you can create an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on Lambda resources in your AWS account.
This role gives permissions for the following:
-
Read Lambda functions and aliases.
-
Access revision files in Amazon S3 buckets.
-
Retrieve information about CloudWatch alarms.
This role uses the following policy.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "cloudwatch:DescribeAlarms", "lambda:GetAlias", "lambda:GetProvisionedConcurrencyConfig" ], "Resource": "resource_ARN", "Effect": "Allow" }, { "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::/CodeDeploy/", "Effect": "Allow" }, { "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": "", "Condition": { "StringEquals": { "s3:ExistingObjectTag/UseWithCodeDeploy": "true" } }, "Effect": "Allow" } ] }
Note
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.
"Resource": "*"
Creating roles manually for workflow actions
CodeCatalyst workflow actions use IAM roles that you create called the build role, the deploy role, and the stack role.
Follow these steps to create these roles in IAM.
To create a deploy role
-
Create a policy for the role, as follows:
-
Sign in to AWS.
Open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane, choose Policies.
-
Choose Create policy.
-
Choose the JSON tab.
-
Delete the existing code.
-
Paste the following code:
{ "Version": "2012-10-17", "Statement": [{ "Action": [ "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:Describe*", "cloudformation:UpdateStack", "cloudformation:CreateChangeSet", "cloudformation:DeleteChangeSet", "cloudformation:ExecuteChangeSet", "cloudformation:SetStackPolicy", "cloudformation:ValidateTemplate", "cloudformation:List*", "iam:PassRole" ], "Resource": "*", "Effect": "Allow" }] }Note
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.
"Resource": "*" -
Choose Next: Tags.
-
Choose Next: Review.
-
In Name, enter:
codecatalyst-deploy-policy -
Choose Create policy.
You have now created a permissions policy.
-
-
Create the deploy role, as follows:
-
In the navigation pane, choose Roles, and then choose Create role.
-
Choose Custom trust policy.
-
Delete the existing custom trust policy.
-
Add the following custom trust policy:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": [ "codecatalyst-runner.amazonaws.com", "codecatalyst.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] } -
Choose Next.
-
In Permissions policies, search for
codecatalyst-deploy-policyand select its check box. -
Choose Next.
-
For Role name, enter:
codecatalyst-deploy-role -
For Role description, enter:
CodeCatalyst deploy role -
Choose Create role.
You have now created a deploy role with a trust policy and permissions policy.
-
-
Obtain the deploy role ARN, as follows:
-
In the navigation pane, choose Roles.
-
In the search box, enter the name of the role you just created (
codecatalyst-deploy-role). -
Choose the role from the list.
The role's Summary page appears.
-
At the top, copy the ARN value.
You have now created the deploy role with the appropriate permissions, and obtained its ARN.
-
To create a build role
-
Create a policy for the role, as follows:
-
Sign in to AWS.
Open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane, choose Policies.
-
Choose Create policy.
-
Choose the JSON tab.
-
Delete the existing code.
-
Paste the following code:
{ "Version": "2012-10-17", "Statement": [{ "Action": [ "s3:PutObject", "iam:PassRole" ], "Resource": "*", "Effect": "Allow" }] }Note
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.
"Resource": "*" -
Choose Next: Tags.
-
Choose Next: Review.
-
In Name, enter:
codecatalyst-build-policy -
Choose Create policy.
You have now created a permissions policy.
-
-
Create the build role, as follows:
-
In the navigation pane, choose Roles, and then choose Create role.
-
Choose Custom trust policy.
-
Delete the existing custom trust policy.
-
Add the following custom trust policy:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": [ "codecatalyst-runner.amazonaws.com", "codecatalyst.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] } -
Choose Next.
-
In Permissions policies, search for
codecatalyst-build-policyand select its check box. -
Choose Next.
-
For Role name, enter:
codecatalyst-build-role -
For Role description, enter:
CodeCatalyst build role -
Choose Create role.
You have now created a build role with a trust policy and permissions policy.
-
-
Obtain the build role ARN, as follows:
-
In the navigation pane, choose Roles.
-
In the search box, enter the name of the role you just created (
codecatalyst-build-role). -
Choose the role from the list.
The role's Summary page appears.
-
At the top, copy the ARN value.
You have now created the build role with the appropriate permissions, and obtained its ARN.
-
To create a stack role
Note
You don't have to create a stack role, although doing so is recommended for security reasons. If you don't create the stack role, you'll need to add the permissions policies described further on in this procedure to the deploy role.
-
Sign in to AWS using the account where you want to deploy your stack.
Open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane, choose Roles. and then choose Create role.
-
At the top, choose AWS service.
-
From the list of services, choose CloudFormation.
-
Choose Next: Permissions.
-
In the search box, add any policies that are required to access the resources in your stack. For example, if your stack includes an AWS Lambda function, you need to add a policy that grants access to Lambda.
Tip
If you're unsure which policies to add, you can omit them for now. When you test the action, if you don't have the right permissions, AWS CloudFormation generates errors that show which permissions you need to add.
-
Choose Next: Tags.
-
Choose Next: Review.
-
For Role name, enter:
codecatalyst-stack-role -
Choose Create role.
-
To obtain the stack role's ARN, do the following:
-
In the navigation pane, choose Roles.
-
In the search box, enter the name of the role you just created (
codecatalyst-stack-role). -
Choose the role from the list.
-
On the Summary page, copy the Role ARN value.
-
Using AWS CloudFormation to create policies and roles in IAM
You can choose to create and use AWS CloudFormation templates to create the policies and roles you need to access resources in an AWS account for your CodeCatalyst projects and workflows. AWS CloudFormation is a service that helps you model and set up your AWS resources so that you can spend less time managing those resources and more time focusing on your applications that run on AWS. If you intend to create roles in multiple AWS accounts, creating a template can help you perform this task more quickly.
The following example template creates a deploy action role and policy.
Parameters: CodeCatalystAccountId: Type: String Description: Account ID from the connections page ExternalId: Type: String Description: External ID from the connections page Resources: CrossAccountRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: AWS: - !Ref CodeCatalystAccountId Action: - 'sts:AssumeRole' Condition: StringEquals: sts:ExternalId: !Ref ExternalId Path: / Policies: - PolicyName: CodeCatalyst-CloudFormation-action-policy PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - 'cloudformation:CreateStack' - 'cloudformation:DeleteStack' - 'cloudformation:Describe*' - 'cloudformation:UpdateStack' - 'cloudformation:CreateChangeSet' - 'cloudformation:DeleteChangeSet' - 'cloudformation:ExecuteChangeSet' - 'cloudformation:SetStackPolicy' - 'cloudformation:ValidateTemplate' - 'cloudformation:List*' - 'iam:PassRole' Resource: '*'
Creating the role manually for the web application blueprint
The CodeCatalyst web application blueprint uses IAM roles that you create called the build role for CDK, the deploy role, and the stack role.
Follow these steps to create the role in IAM.
To create a build role
-
Create a policy for the role, as follows:
-
Sign in to AWS.
Open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane, choose Policies.
-
Choose Create Policy.
-
Choose the JSON tab.
-
Delete the existing code.
-
Paste the following code:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:*", "ecr:*", "ssm:*", "s3:*", "iam:PassRole", "iam:GetRole", "iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy" ], "Resource": "*" } ] }Note
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.
"Resource": "*" -
Choose Next: Tags.
-
Choose Next: Review.
-
In Name, enter:
codecatalyst-webapp-build-policy -
Choose Create policy.
You have now created a permissions policy.
-
-
Create the build role, as follows:
-
In the navigation pane, choose Roles, and then choose Create role.
-
Choose Custom trust policy.
-
Delete the existing custom trust policy.
-
Add the following custom trust policy:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": [ "codecatalyst-runner.amazonaws.com", "codecatalyst.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] } -
Choose Next.
-
Attach the permissions policy to the build role. On the Add permissions page, in the Permissions policies section, search for
codecatalyst-webapp-build-policyand select its check box. -
Choose Next.
-
For Role name, enter:
codecatalyst-webapp-build-role -
For Role description, enter:
CodeCatalyst Web app build role -
Choose Create role.
You have now created a build role with a trust policy and permissions policy.
-
-
Attach the permissions policy to the build role, as follows:
-
In the navigation pane, choose Roles, and then search for
codecatalyst-webapp-build-role. -
Choose
codecatalyst-webapp-build-roleto display its details. -
In the Permissions tab, choose Add permissions, and then choose Attach policies.
-
Search for
codecatalyst-webapp-build-policy, select its check box, and then choose Attach policies.You have now attached the permissions policy to the build role. The build role now has two policies: a permissions policy and a trust policy.
-
-
Obtain the build role ARN, as follows:
-
In the navigation pane, choose Roles.
-
In the search box, enter the name of the role you just created (
codecatalyst-webapp-build-role). -
Choose the role from the list.
The role's Summary page appears.
-
At the top, copy the ARN value.
You have now created the build role with the appropriate permissions, and obtained its ARN.
-
Creating roles manually for the SAM blueprint
The CodeCatalyst SAM blueprint uses IAM roles that you create called the build role for CloudFormation and the deploy role for SAM.
Follow these steps to create the roles in IAM.
To create a build role for CloudFormation
-
Create a policy for the role, as follows:
-
Sign in to AWS.
Open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane, choose Policies.
-
Choose Create Policy.
-
Choose the JSON tab.
-
Delete the existing code.
-
Paste the following code:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:*", "cloudformation:*" ], "Resource": "*" } ] }Note
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.
"Resource": "*" -
Choose Next: Tags.
-
Choose Next: Review.
-
In Name, enter:
codecatalyst-SAM-build-policy -
Choose Create policy.
You have now created a permissions policy.
-
-
Create the build role, as follows:
-
In the navigation pane, choose Roles, and then choose Create role.
-
Choose Custom trust policy.
-
Delete the existing custom trust policy.
-
Add the following custom trust policy:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": [ "codecatalyst-runner.amazonaws.com", "codecatalyst.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] } -
Choose Next.
-
Attach the permissions policy to the build role. On the Add permissions page, in the Permissions policies section, search for
codecatalyst-SAM-build-policyand select its check box. -
Choose Next.
-
For Role name, enter:
codecatalyst-SAM-build-role -
For Role description, enter:
CodeCatalyst SAM build role -
Choose Create role.
You have now created a build role with a trust policy and permissions policy.
-
-
Attach the permissions policy to the build role, as follows:
-
In the navigation pane, choose Roles, and then search for
codecatalyst-SAM-build-role. -
Choose
codecatalyst-SAM-build-roleto display its details. -
In the Permissions tab, choose Add permissions, and then choose Attach policies.
-
Search for
codecatalyst-SAM-build-policy, select its check box, and then choose Attach policies.You have now attached the permissions policy to the build role. The build role now has two policies: a permissions policy and a trust policy.
-
-
Obtain the build role ARN, as follows:
-
In the navigation pane, choose Roles.
-
In the search box, enter the name of the role you just created (
codecatalyst-SAM-build-role). -
Choose the role from the list.
The role's Summary page appears.
-
At the top, copy the ARN value.
You have now created the build role with the appropriate permissions, and obtained its ARN.
-
To create a deploy role for SAM
-
Create a policy for the role, as follows:
-
Sign in to AWS.
Open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane, choose Policies.
-
Choose Create Policy.
-
Choose the JSON tab.
-
Delete the existing code.
-
Paste the following code:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "iam:PassRole", "iam:DeleteRole", "iam:GetRole", "iam:TagRole", "iam:CreateRole", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "cloudformation:*", "lambda:*", "apigateway:*" ], "Resource": "*" } ] }Note
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.
"Resource": "*" -
Choose Next: Tags.
-
Choose Next: Review.
-
In Name, enter:
codecatalyst-SAM-deploy-policy -
Choose Create policy.
You have now created a permissions policy.
-
-
Create the build role, as follows:
-
In the navigation pane, choose Roles, and then choose Create role.
-
Choose Custom trust policy.
-
Delete the existing custom trust policy.
-
Add the following custom trust policy:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": [ "codecatalyst-runner.amazonaws.com", "codecatalyst.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] } -
Choose Next.
-
Attach the permissions policy to the build role. On the Add permissions page, in the Permissions policies section, search for
codecatalyst-SAM-deploy-policyand select its check box. -
Choose Next.
-
For Role name, enter:
codecatalyst-SAM-deploy-role -
For Role description, enter:
CodeCatalyst SAM deploy role -
Choose Create role.
You have now created a build role with a trust policy and permissions policy.
-
-
Attach the permissions policy to the build role, as follows:
-
In the navigation pane, choose Roles, and then search for
codecatalyst-SAM-deploy-role. -
Choose
codecatalyst-SAM-deploy-roleto display its details. -
In the Permissions tab, choose Add permissions, and then choose Attach policies.
-
Search for
codecatalyst-SAM-deploy-policy, select its check box, and then choose Attach policies.You have now attached the permissions policy to the build role. The build role now has two policies: a permissions policy and a trust policy.
-
-
Obtain the build role ARN, as follows:
-
In the navigation pane, choose Roles.
-
In the search box, enter the name of the role you just created (
codecatalyst-SAM-deploy-role). -
Choose the role from the list.
The role's Summary page appears.
-
At the top, copy the ARN value.
You have now created the build role with the appropriate permissions, and obtained its ARN.
-
