Step 4: Create an IAM Instance Profile for Your Amazon EC2 Instances
Note
If you are using the Amazon ECS or AWS Lambda compute platform , skip this step. Amazon ECS deployments deploy an Amazon ECS service, and AWS Lambda deployments deploy a serverless Lambda function version, so an instance profile for Amazon EC2 instances is not required.
Your Amazon EC2 instances need permission to access the Amazon S3 buckets or GitHub repositories where the applications are stored. To launch Amazon EC2 instances that are compatible with CodeDeploy, you must create an additional IAM role, an instance profile. These instructions show you how to create an IAM instance profile to attach to your Amazon EC2 instances. This role gives CodeDeploy permission to access the Amazon S3 buckets or GitHub repositories where your applications are stored.
You can create an IAM instance profile with the AWS CLI, the IAM console, or the IAM APIs.
Note
You can attach an IAM instance profile to an Amazon EC2 instance as you launch it or to a previously launched instance. For more information, see Instance Profiles.
Topics
Create an IAM Instance Profile for Your Amazon EC2 Instances (CLI)
In these steps, we assume you have already followed the instructions in the first three steps of Getting Started with CodeDeploy.
-
On your development machine, create a text file named
CodeDeployDemo-EC2-Trust.json. Paste the following content, which allows Amazon EC2 to work on your behalf:{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } -
In the same directory, create a text file named
CodeDeployDemo-EC2-Permissions.json. Paste the following content:{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:Get*", "s3:List*" ], "Effect": "Allow", "Resource": "*" } ] }Note
We recommend that you restrict this policy to only those Amazon S3 buckets your Amazon EC2 instances must access. Make sure to give access to the Amazon S3 buckets that contain the CodeDeploy agent. Otherwise, an error might occur when the CodeDeploy agent is installed or updated on the instances. To grant the IAM instance profile access to only some CodeDeploy resource kit buckets in Amazon S3, use the following policy, but remove the lines for buckets you want to prevent access to:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::replace-with-your-s3-bucket-name/*", "arn:aws:s3:::aws-codedeploy-us-east-2/*", "arn:aws:s3:::aws-codedeploy-us-east-1/*", "arn:aws:s3:::aws-codedeploy-us-west-1/*", "arn:aws:s3:::aws-codedeploy-us-west-2/*", "arn:aws:s3:::aws-codedeploy-ca-central-1/*", "arn:aws:s3:::aws-codedeploy-eu-west-1/*", "arn:aws:s3:::aws-codedeploy-eu-west-2/*", "arn:aws:s3:::aws-codedeploy-eu-west-3/*", "arn:aws:s3:::aws-codedeploy-eu-central-1/*", "arn:aws:s3:::aws-codedeploy-ap-east-1/*", "arn:aws:s3:::aws-codedeploy-ap-northeast-1/*", "arn:aws:s3:::aws-codedeploy-ap-northeast-2/*", "arn:aws:s3:::aws-codedeploy-ap-southeast-1/*", "arn:aws:s3:::aws-codedeploy-ap-southeast-2/*", "arn:aws:s3:::aws-codedeploy-ap-south-1/*", "arn:aws:s3:::aws-codedeploy-sa-east-1/*" ] } ] } -
From the same directory, call the create-role command to create an IAM role named
CodeDeployDemo-EC2-Instance-Profile, based on the information in the first file:Important
Be sure to include
file://before the file name. It is required in this command.aws iam create-role --role-name CodeDeployDemo-EC2-Instance-Profile --assume-role-policy-document file://CodeDeployDemo-EC2-Trust.json -
From the same directory, call the put-role-policy command to give the role named
CodeDeployDemo-EC2-Instance-Profilethe permissions based on the information in the second file:Important
Be sure to include
file://before the file name. It is required in this command.aws iam put-role-policy --role-name CodeDeployDemo-EC2-Instance-Profile --policy-name CodeDeployDemo-EC2-Permissions --policy-document file://CodeDeployDemo-EC2-Permissions.json -
Call the create-instance-profile command followed by the add-role-to-instance-profile command to create an IAM instance profile named
CodeDeployDemo-EC2-Instance-Profile. The instance profile allows Amazon EC2 to pass the IAM role namedCodeDeployDemo-EC2-Instance-Profileto an Amazon EC2 instance when the instance is first launched:aws iam create-instance-profile --instance-profile-name CodeDeployDemo-EC2-Instance-Profile aws iam add-role-to-instance-profile --instance-profile-name CodeDeployDemo-EC2-Instance-Profile --role-name CodeDeployDemo-EC2-Instance-ProfileIf you need to get the name of the IAM instance profile, see list-instance-profiles-for-role in the IAM section of the AWS CLI Reference.
You've now created an IAM instance profile to attach to your Amazon EC2 instances. For more information, see IAM Roles for Amazon EC2 in the Amazon EC2 User Guide.
Create an IAM Instance Profile for Your Amazon EC2 Instances (Console)
-
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
-
In the IAM console, in the navigation pane, choose Policies, and then choose Create policy. (If a Get Started button appears, choose it, and then choose Create Policy.)
-
On the Create policy page, paste the following in the JSON tab:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:Get*", "s3:List*" ], "Effect": "Allow", "Resource": "*" } ] }Note
We recommend that you restrict this policy to only those Amazon S3 buckets your Amazon EC2 instances must access. Make sure to give access to the Amazon S3 buckets that contain the CodeDeploy agent. Otherwise, an error might occur when the CodeDeploy agent is installed or updated on the instances. To grant the IAM instance profile access to only some CodeDeploy resource kit buckets in Amazon S3, use the following policy, but remove the lines for buckets you want to prevent access to:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::replace-with-your-s3-bucket-name/*", "arn:aws:s3:::aws-codedeploy-us-east-2/*", "arn:aws:s3:::aws-codedeploy-us-east-1/*", "arn:aws:s3:::aws-codedeploy-us-west-1/*", "arn:aws:s3:::aws-codedeploy-us-west-2/*", "arn:aws:s3:::aws-codedeploy-ca-central-1/*", "arn:aws:s3:::aws-codedeploy-eu-west-1/*", "arn:aws:s3:::aws-codedeploy-eu-west-2/*", "arn:aws:s3:::aws-codedeploy-eu-west-3/*", "arn:aws:s3:::aws-codedeploy-eu-central-1/*", "arn:aws:s3:::aws-codedeploy-ap-east-1/*", "arn:aws:s3:::aws-codedeploy-ap-northeast-1/*", "arn:aws:s3:::aws-codedeploy-ap-northeast-2/*", "arn:aws:s3:::aws-codedeploy-ap-southeast-1/*", "arn:aws:s3:::aws-codedeploy-ap-southeast-2/*", "arn:aws:s3:::aws-codedeploy-ap-south-1/*", "arn:aws:s3:::aws-codedeploy-sa-east-1/*" ] } ] } -
Choose Review policy.
-
On the Create policy page, type
CodeDeployDemo-EC2-Permissionsin the Policy Name box. -
(Optional) For Description, type a description for the policy.
-
Choose Create Policy.
-
In the navigation pane, choose Roles, and then choose Create role.
-
On the Create role page, choose AWS service, and from the Choose the service that will use this role list, choose EC2.
-
From the Select your use case list, choose EC2.
-
Choose Next: Permissions.
-
On the Attached permissions policy page, choose the policy you just created, and then choose Next: Tags. If you used the suggested name, it is
CodeDeployDemo-EC2-Permissions. -
Leave the Add tags (optional) page unchanged, then choose Next: Review.
-
On the Review page, in Role name, enter a name for the service role (for example,
CodeDeployDemo-EC2-Instance-Profile), and then choose Create role.You can also enter a description for this service role in Role description.
You've now created an IAM instance profile to attach to your Amazon EC2 instances. For more information, see IAM Roles for Amazon EC2 in the Amazon EC2 User Guide.
