Use the register-on-premises-instance command (IAM user ARN) to register an on-premises instance - AWS CodeDeploy

Use the register-on-premises-instance command (IAM user ARN) to register an on-premises instance

Important

Registering an instance using an IAM user is not recommended because it uses static (permanent) credentials for authentication. For improved security, we recommend registering an instance using temporary credentials for authentication. For more information, see Use the register-on-premises-instance command (IAM Session ARN) to register an on-premises instance.

Important

Make sure you have a plan in place to rotate the IAM user's access keys (permanent credentials). For more information, see Rotating access keys.

Follow these instructions to configure an on-premises instance and register and tag it with CodeDeploy mostly on your own, using static IAM user credentials for authentication.

Step 1: Create an IAM user for the on-premises instance

Create an IAM user that the on-premises instance will use to authenticate and interact with CodeDeploy.

Important

You must create a separate IAM user for each participating on-premises instance. If you try to reuse an individual IAM user for multiple on-premises instances, you might not be able to successfully register or tag those on-premises instances with CodeDeploy. Deployments to those on-premises instances might be stuck in a perpetual pending state or fail altogether.

We recommend that you assign the IAM user a name that identifies its purpose, such as CodeDeployUser-OnPrem.

You can use the AWS CLI or the IAM console to create an IAM user. For information, see Creating an IAM user in your AWS account.

Important

Whether you use the AWS CLI or the IAM console to create a new IAM user, make a note of the user ARN provided for the user. You will need this information later in Step 4: Add a configuration file to the on-premises instance and Step 8: Register the on-premises instance with CodeDeploy.

Step 2: Assign permissions to the IAM user

If your on-premises instance will be deploying application revisions from Amazon S3 buckets, you must assign to the IAM user the permissions to interact with those buckets. You can use the AWS CLI or the IAM console to assign permissions.

Note

If you will be deploying application revisions only from GitHub repositories, skip this step and go directly to Step 3: Get the IAM user credentials. (You will still need information about the IAM user you created in Step 1: Create an IAM user for the on-premises instance. It will be used in later steps.)

To assign permissions (CLI)
  1. Create a file with the following policy contents on the Amazon EC2 instance or device you are using to call the AWS CLI. Name the file something like CodeDeploy-OnPrem-Permissions.json, and then save the file.

    { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:Get*", "s3:List*" ], "Effect": "Allow", "Resource": "*" } ] }
    Note

    We recommend that you restrict this policy to only those Amazon S3 buckets your on-premises instance needs to access. If you restrict this policy, make sure to also give access to the Amazon S3 buckets that contain the AWS CodeDeploy agent. Otherwise, an error might occur whenever the CodeDeploy agent is installed or updated on the associated on-premises instance.

    For example:

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-bucket/*", "arn:aws:s3:::aws-codedeploy-us-east-2/*", "arn:aws:s3:::aws-codedeploy-us-east-1/*", "arn:aws:s3:::aws-codedeploy-us-west-1/*", "arn:aws:s3:::aws-codedeploy-us-west-2/*", "arn:aws:s3:::aws-codedeploy-ca-central-1/*", "arn:aws:s3:::aws-codedeploy-eu-west-1/*", "arn:aws:s3:::aws-codedeploy-eu-west-2/*", "arn:aws:s3:::aws-codedeploy-eu-west-3/*", "arn:aws:s3:::aws-codedeploy-eu-central-1/*", "arn:aws:s3:::aws-codedeploy-eu-central-2/*", "arn:aws:s3:::aws-codedeploy-eu-north-1/*", "arn:aws:s3:::aws-codedeploy-eu-south-1/*", "arn:aws:s3:::aws-codedeploy-eu-south-2/*", "arn:aws:s3:::aws-codedeploy-il-central-1/*", "arn:aws:s3:::aws-codedeploy-ap-east-1/*", "arn:aws:s3:::aws-codedeploy-ap-northeast-1/*", "arn:aws:s3:::aws-codedeploy-ap-northeast-2/*", "arn:aws:s3:::aws-codedeploy-ap-northeast-3/*", "arn:aws:s3:::aws-codedeploy-ap-southeast-1/*", "arn:aws:s3:::aws-codedeploy-ap-southeast-2/*", "arn:aws:s3:::aws-codedeploy-ap-southeast-3/*", "arn:aws:s3:::aws-codedeploy-ap-southeast-4/*", "arn:aws:s3:::aws-codedeploy-ap-south-1/*", "arn:aws:s3:::aws-codedeploy-ap-south-2/*", "arn:aws:s3:::aws-codedeploy-me-central-1/*", "arn:aws:s3:::aws-codedeploy-me-south-1/*", "arn:aws:s3:::aws-codedeploy-sa-east-1/*" ] } ] }
  2. Call the put-user-policy command, specifying the name of the IAM user (with the --user-name option), a name for the policy (with the --policy-name option), and the path to the newly created policy document (with the --policy-document option). For example, assuming that the CodeDeploy-OnPrem-Permissions.json file is in the same directory (folder) from which you're calling this command:

    Important

    Be sure to include file:// before the file name. It is required in this command.

    aws iam put-user-policy --user-name CodeDeployUser-OnPrem --policy-name CodeDeploy-OnPrem-Permissions --policy-document file://CodeDeploy-OnPrem-Permissions.json
To assign permissions (console)
  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies, and then choose Create Policy. (If a Get Started button appears, choose it, and then choose Create Policy.)

  3. Next to Create Your Own Policy, choose Select.

  4. In the Policy Name box, type a name for this policy (for example, CodeDeploy-OnPrem-Permissions).

  5. In the Policy Document box, type or paste the following permissions expression, which allows AWS CodeDeploy to deploy application revisions from any Amazon S3 bucket specified in the policy to the on-premises instance on behalf of the IAM user:

    { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:Get*", "s3:List*" ], "Effect": "Allow", "Resource": "*" } ] }
  6. Choose Create Policy.

  7. In the navigation pane, choose Users.

  8. In the list of users, browse to and choose the name of the IAM user you created in Step 1: Create an IAM user for the on-premises instance.

  9. On the Permissions tab, in Managed Policies, choose Attach Policy.

  10. Select the policy named CodeDeploy-OnPrem-Permissions, and then choose Attach Policy.

Step 3: Get the IAM user credentials

Get the secret key ID and the secret access key for the IAM user. You will need them for Step 4: Add a configuration file to the on-premises instance. You can use the AWS CLI or the IAM console to get the secret key ID and the secret access key.

Note

If you already have the secret key ID and the secret access key, skip this step and go directly to Step 4: Add a configuration file to the on-premises instance.

Users need programmatic access if they want to interact with AWS outside of the AWS Management Console. The way to grant programmatic access depends on the type of user that's accessing AWS.

To grant users programmatic access, choose one of the following options.

Which user needs programmatic access? To By

Workforce identity

(Users managed in IAM Identity Center)

Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs.

Following the instructions for the interface that you want to use.

IAM Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. Following the instructions in Using temporary credentials with AWS resources in the IAM User Guide.
IAM

(Not recommended)

Use long-term credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs.

Following the instructions for the interface that you want to use.

To get the credentials (CLI)
  1. Call the list-access-keys command, specifying the name of the IAM user (with the --user-name option) and querying for just the access key IDs (with the --query and --output options). For example:

    aws iam list-access-keys --user-name CodeDeployUser-OnPrem --query "AccessKeyMetadata[*].AccessKeyId" --output text
  2. If no keys appear in the output or information about only one key appears in the output, call the create-access-key command, specifying the name of the IAM user (with the --user-name option):

    aws iam create-access-key --user-name CodeDeployUser-OnPrem

    In the output of the call to the create-access-key command, note the value of the AccessKeyId and SecretAccessKey fields. You will need this information in Step 4: Add a configuration file to the on-premises instance.

    Important

    This will be the only time you will have access to this secret access key. If you forget or lose access to this secret access key, you will need to generate a new one by following the steps in Step 3: Get the IAM user credentials.

  3. If two access keys are already listed, you must delete one of them by calling the delete-access-key command, specifying the name of the IAM user (with the --user-name option), and the ID of the access key to delete (with the --access-key-id option). Then call the create-access-key command, as described earlier in this step. Here's an example of calling the delete-access-key command:

    aws iam delete-access-key --user-name CodeDeployUser-OnPrem --access-key-id access-key-ID
    Important

    If you call the delete-access-key command to delete one of these access keys, and an on-premises instance is already using this access key as described in Step 4: Add a configuration file to the on-premises instance, you will need to follow the instructions in Step 4: Add a configuration file to the on-premises instance again to specify a different access key ID and secret access key associated with this IAM user. Otherwise, any deployments to that on-premises instance might be stuck in a perpetual pending state or fail altogether.

To get the credentials (console)
    1. Open the IAM console at https://console.aws.amazon.com/iam/.

    2. If the list of users is not displayed, in the navigation pane, choose Users.

    3. In the list of users, browse to and choose the name of the IAM user you created in Step 1: Create an IAM user for the on-premises instance.

  1. On the Security credentials tab, if no keys or only one key is listed, choose Create access key.

    If two access keys are listed, you must delete one of them. Choose Delete next to one of the access keys, and then choose Create access key.

    Important

    If you choose Delete next to one of these access keys, and an on-premises instance is already using this access key as described in Step 4: Add a configuration file to the on-premises instance, you will need to follow the instructions in Step 4: Add a configuration file to the on-premises instance again to specify a different access key ID and secret access key associated with this IAM user. Otherwise, deployments to that on-premises instance might be stuck in a perpetual pending state or fail altogether.

  2. Choose Show and note the access key ID and secret access key. You will need this information for the next step. Alternatively, you can choose Download .csv file to save a copy of the access key ID and the secret access key.

    Important

    Unless you make a note of or download the credentials, this will be the only time you will have access to this secret access key. If you forget or lose access to this secret access key, you will need to generate a new one by following the steps in Step 3: Get the IAM user credentials.

  3. Choose Close to return to the Users > IAM User Name page.

Step 4: Add a configuration file to the on-premises instance

Add a configuration file to the on-premises instance, using root or administrator permissions. This configuration file will be used to declare the IAM user credentials and the target AWS region to be used for CodeDeploy. The file must be added to a specific location on the on-premises instance. The file must include the IAM user's ARN, secret key ID, secret access key, and the target AWS region. The file must follow a specific format.

  1. Create a file named codedeploy.onpremises.yml (for an Ubuntu Server or RHEL on-premises instance) or conf.onpremises.yml (for a Windows Server on-premises instance) in the following location on the on-premises instance:

    • For Ubuntu Server: /etc/codedeploy-agent/conf

    • For Windows Server: C:\ProgramData\Amazon\CodeDeploy

  2. Use a text editor to add the following information to the newly created codedeploy.onpremises.yml or conf.onpremises.yml file:

    --- aws_access_key_id: secret-key-id aws_secret_access_key: secret-access-key iam_user_arn: iam-user-arn region: supported-region

    Where:

    Important

    If you chose Delete next to one of the access keys in Step 3: Get the IAM user credentials, and your on-premises instance is already using the associated access key ID and secret access key, you will need to follow the instructions in Step 4: Add a configuration file to the on-premises instance to specify a different access key ID and secret access key associated with this IAM user. Otherwise, any deployments to your on-premises instance might be stuck in a perpetual pending state or fail altogether.

Step 5: Install and configure the AWS CLI

Install and configure the AWS CLI on the on-premises instance. (The AWS CLI will be used in Step 7: Install the CodeDeploy agent to download and install the CodeDeploy agent on the on-premises instance.)

  1. To install the AWS CLI on the on-premises instance, follow the instructions in Getting set up with the AWS CLI in the AWS Command Line Interface User Guide.

    Note

    CodeDeploy commands for working with on-premises instances became available in version 1.7.19 of the AWS CLI. If you have a version of the AWS CLI already installed, you can check its version by calling aws --version.

  2. To configure the AWS CLI on the on-premises instance, follow the instructions in Configuring the AWS CLI in the AWS Command Line Interface User Guide.

    Important

    As you configure the AWS CLI (for example, by calling the aws configure command), be sure to specify the secret key ID and secret access key of an IAM user that has, at minimum, the following AWS access permissions in addition to the access permissions specified in the Prerequisites for configuring an on-premises instance. This makes it possible for you to download and install the CodeDeploy agent on the on-premises instance:

    { "Version": "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Action" : [ "codedeploy:*" ], "Resource" : "*" }, { "Effect" : "Allow", "Action" : [ "s3:Get*", "s3:List*" ], "Resource" : [ "arn:aws:s3:::aws-codedeploy-us-east-2/*", "arn:aws:s3:::aws-codedeploy-us-east-1/*", "arn:aws:s3:::aws-codedeploy-us-west-1/*", "arn:aws:s3:::aws-codedeploy-us-west-2/*", "arn:aws:s3:::aws-codedeploy-ca-central-1/*", "arn:aws:s3:::aws-codedeploy-eu-west-1/*", "arn:aws:s3:::aws-codedeploy-eu-west-2/*", "arn:aws:s3:::aws-codedeploy-eu-west-3/*", "arn:aws:s3:::aws-codedeploy-eu-central-1/*", "arn:aws:s3:::aws-codedeploy-il-central-1/*", "arn:aws:s3:::aws-codedeploy-ap-east-1/*", "arn:aws:s3:::aws-codedeploy-ap-northeast-1/*", "arn:aws:s3:::aws-codedeploy-ap-northeast-2/*", "arn:aws:s3:::aws-codedeploy-ap-southeast-1/*", "arn:aws:s3:::aws-codedeploy-ap-southeast-2/*", "arn:aws:s3:::aws-codedeploy-ap-southeast-4/*", "arn:aws:s3:::aws-codedeploy-ap-south-1/*", "arn:aws:s3:::aws-codedeploy-sa-east-1/*" ] } ] }

    These access permissions can be assigned to either the IAM user you created in Step 1: Create an IAM user for the on-premises instance or to a different IAM user. To assign these permissions to an IAM user, follow the instructions in Step 1: Create an IAM user for the on-premises instance, using these access permissions instead of the ones in that step.

Step 6: Set the AWS_REGION environment variable (Ubuntu Server and RHEL only)

If you are not running Ubuntu Server or RHEL on your on-premises instance, skip this step and go directly to Step 7: Install the CodeDeploy agent .

Install the CodeDeploy agent on an Ubuntu Server or RHEL on-premises instance and enable the instance to update the CodeDeploy agent whenever a new version becomes available. You do this by setting the AWS_REGION environment variable on the instance to the identifier of one of the regions supported by CodeDeploy. We recommend that you set the value to the region where your CodeDeploy applications, deployment groups, and application revisions are located (for example, us-west-2). For a list of regions, see Region and endpoints in the AWS General Reference.

To set the environment variable, call the following from the terminal:

export AWS_REGION=supported-region

Where supported-region is the region identifier (for example, us-west-2).

Step 7: Install the CodeDeploy agent

Install the CodeDeploy agent on the on-premises instance:

Step 8: Register the on-premises instance with CodeDeploy

The instructions in this step assume you are registering the on-premises instance from the on-premises instance itself. You can register an on-premises instance from a separate device or instance that has the AWS CLI installed and configured, as described in Step 5: Install and configure the AWS CLI.

Use the AWS CLI to register the on-premises instance with CodeDeploy so that it can be used in deployments.

  1. Before you can use the AWS CLI, you will need the user ARN of the IAM user you created in Step 1: Create an IAM user for the on-premises instance. If you don't already have the user ARN, call the get-user command, specifying the name of the IAM user (with the --user-name option) and querying for just the user ARN (with the --query and --output options):

    aws iam get-user --user-name CodeDeployUser-OnPrem --query "User.Arn" --output text
  2. Call the register-on-premises-instance command, specifying:

    • A name that uniquely identifies the on-premises instance (with the --instance-name option).

      Important

      To help identify the on-premises instance, especially for debugging purposes, we strongly recommend that you specify a name that maps to some unique characteristic of the on-premises instance (for example, the serial number or an internal asset identifier, if applicable). If you specify a MAC address as a name, be aware that MAC addresses contain characters that CodeDeploy does not allow, such as colon (:). For a list of allowed characters, see CodeDeploy quotas.

    • The user ARN of the IAM user you created in Step 1: Create an IAM user for the on-premises instance (with the --iam-user-arn option).

      For example:

      aws deploy register-on-premises-instance --instance-name AssetTag12010298EX --iam-user-arn arn:aws:iam::444455556666:user/CodeDeployUser-OnPrem

Step 9: Tag the on-premises instance

You can use either the AWS CLI or the CodeDeploy console to tag the on-premises instance. (CodeDeploy uses on-premises instance tags to identify the deployment targets during a deployment.)

To tag the on-premises instance (CLI)
  • Call the add-tags-to-on-premises-instances command, specifying:

    • The name that uniquely identifies the on-premises instance (with the --instance-names option).

    • The name of the on-premises instance tag key and tag value you want to use (with the --tags option). You must specify both a name and value. CodeDeploy does not allow on-premises instance tags that have values only.

      For example:

      aws deploy add-tags-to-on-premises-instances --instance-names AssetTag12010298EX --tags Key=Name,Value=CodeDeployDemo-OnPrem
To tag the on-premises instance (console)
  1. Sign in to the AWS Management Console and open the CodeDeploy console at https://console.aws.amazon.com/codedeploy.

    Note

    Sign in with the same user that you set up in Getting started with CodeDeploy.

  2. From the CodeDeploy menu, choose On-premises instances.

  3. In the list of on-premises instances, choose the arrow next to the on-premises instance you want to tag.

  4. In the list of tags, select or enter the desired tag key and tag value. After you enter the tag key and tag value, another row appears. You can repeat this for up to 10 tags. To remove a tag, choose the delete icon ( The delete icon. ).

  5. After you have added tags, choose Update Tags.

Step 10: Deploy application revisions to the on-premises instance

You are now ready to deploy application revisions to the registered and tagged on-premises instance.

You deploy application revisions to on-premises instances in a way that's similar to deploying application revisions to Amazon EC2 instances. For instructions, see Create a deployment with CodeDeploy. These instructions include a link to prerequisites, including creating an application, creating a deployment group, and preparing an application revision. If you need a simple sample application revision to deploy, you can create the one described in Step 2: Create a sample application revision in the Tutorial: Deploy an application to an on-premises instance with CodeDeploy (Windows Server, Ubuntu Server, or Red Hat Enterprise Linux).

Important

If you reuse a CodeDeploy service role as part of creating a deployment group that targets on-premises instances, you must include Tag:get* to the Action portion of the service role's policy statement. For more information, see Step 2: Create a service role for CodeDeploy.

Step 11: Track deployments to the on-premises instance

After you deploy an application revision to registered and tagged on-premises instances, you can track the deployment's progress.

You track deployments to on-premises instances in a way that's similar to tracking deployments to Amazon EC2 instances. For instructions, see View CodeDeploy deployment details .