Create the CodePipeline service role (CLI) - AWS CodePipeline

Before you create a pipeline with the AWS CLI or AWS CloudFormation, you must create a CodePipeline service role for your pipeline and attach the service role policy and the trust policy. To use the CLI to create your service role, use the steps below to first create a trust policy JSON and the role policy JSON as separate files in the directory where you will run the CLI commands.

Note

We recommend that you allow only administrative users to create any service role. A person with permissions to create a role and attach any policy can escalate their own permissions. Instead, create a policy that allows them to create only the roles that they need or have an administrator create the service role on their behalf.

  1. In a terminal window, enter the following command to create a file named TrustPolicy.json, where you will paste the trust policy JSON. This example uses VIM.

    vim TrustPolicy.json
  2. Paste the following JSON into the file.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "codepipeline.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

    To save and exit the file, enter the following VIM command:

    :wq
  3. In a terminal window, enter the following command to create a file named RolePolicy.json, where you will paste the role policy JSON. This example uses VIM.

    vim RolePolicy.json
  4. Paste the following JSON into the file. Make sure to scope down permissions as much as possible by adding the Amazon Resource Name (ARN) for your pipeline in the policy statement Resource field.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "codecommit:CancelUploadArchive",
            "codecommit:GetBranch",
            "codecommit:GetCommit",
            "codecommit:GetUploadArchiveStatus",
            "codecommit:UploadArchive"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "codedeploy:CreateDeployment",
            "codedeploy:GetApplicationRevision",
            "codedeploy:GetDeployment",
            "codedeploy:GetDeploymentConfig",
            "codedeploy:RegisterApplicationRevision"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "codebuild:BatchGetBuilds",
            "codebuild:StartBuild"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "devicefarm:ListProjects",
            "devicefarm:ListDevicePools",
            "devicefarm:GetRun",
            "devicefarm:GetUpload",
            "devicefarm:CreateUpload",
            "devicefarm:ScheduleRun"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "lambda:InvokeFunction",
            "lambda:ListFunctions"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "iam:PassRole"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "elasticbeanstalk:*",
            "ec2:*",
            "elasticloadbalancing:*",
            "autoscaling:*",
            "cloudwatch:*",
            "s3:*",
            "sns:*",
            "cloudformation:*",
            "rds:*",
            "sqs:*",
            "ecs:*"
          ],
          "Resource": "resource_ARN"
        }
      ]
    }

    To save and exit the file, enter the following VIM command:

    :wq
  5. Enter the following command to create the role and attach the trust policy. The policy name format is normally the same as the role name format. This example uses the role name MyRole and the trust policy document TrustPolicy.json that was created as a separate file.

    aws iam create-role --role-name MyRole --assume-role-policy-document file://TrustPolicy.json
  6. Enter the following command to create the role policy and attach it to the role. The policy name format is normally the same as the role name format. This example uses the role name MyRole and the policy name RolePolicy, with the policy document RolePolicy.json that was created as a separate file.

    aws iam put-role-policy --role-name MyRole --policy-name RolePolicy --policy-document file://RolePolicy.json
  7. To view the created role name and trust policy, enter the following command for the role named MyRole:

    aws iam get-role --role-name MyRole
  8. Use the service role ARN when you create your pipeline with the AWS CLI or AWS CloudFormation.
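The whole procedure as one shell script, added here as an example and not taken from the AWS documentation: it writes both policy files, fills the Resource field of the last statement with a pipeline ARN (the account ID, Region and pipeline name in it are hypothetical placeholders), checks the files before anything is sent to AWS, and then runs the aws iam commands from steps 5 to 7. The function names, the APPLY variable and the count of wildcard statements are this example's own, not part of the AWS CLI.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): builds the trust policy and role
# policy from the procedure above, scopes the broad service statement to one
# pipeline ARN instead of the "resource_ARN" placeholder, checks the result, and
# only then calls the AWS CLI. Account ID, Region and pipeline name are hypothetical.
set -eu

ROLE_NAME="${ROLE_NAME:-MyRole}"
PIPELINE_ARN="${PIPELINE_ARN:-arn:aws:codepipeline:us-east-1:111122223333:MyPipeline}"

# Trust policy: only the CodePipeline service principal may assume the role.
write_trust_policy() {
  cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "codepipeline.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Role policy: the page's statements, with the last one scoped to the ARN in $2.
write_role_policy() {
  cat > "$1" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow",
      "Action": [ "codecommit:CancelUploadArchive", "codecommit:GetBranch",
                  "codecommit:GetCommit", "codecommit:GetUploadArchiveStatus",
                  "codecommit:UploadArchive" ],
      "Resource": "*" },
    { "Effect": "Allow",
      "Action": [ "codedeploy:CreateDeployment", "codedeploy:GetApplicationRevision",
                  "codedeploy:GetDeployment", "codedeploy:GetDeploymentConfig",
                  "codedeploy:RegisterApplicationRevision" ],
      "Resource": "*" },
    { "Effect": "Allow",
      "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild" ],
      "Resource": "*" },
    { "Effect": "Allow",
      "Action": [ "devicefarm:ListProjects", "devicefarm:ListDevicePools",
                  "devicefarm:GetRun", "devicefarm:GetUpload",
                  "devicefarm:CreateUpload", "devicefarm:ScheduleRun" ],
      "Resource": "*" },
    { "Effect": "Allow",
      "Action": [ "lambda:InvokeFunction", "lambda:ListFunctions" ],
      "Resource": "*" },
    { "Effect": "Allow",
      "Action": [ "iam:PassRole" ],
      "Resource": "*" },
    { "Effect": "Allow",
      "Action": [ "elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*",
                  "autoscaling:*", "cloudwatch:*", "s3:*", "sns:*",
                  "cloudformation:*", "rds:*", "sqs:*", "ecs:*" ],
      "Resource": "$2" }
  ]
}
EOF
}

# Prints the service principal named in a trust policy file.
trust_principal() {
  sed -n 's/.*"Service": *"\([^"]*\)".*/\1/p' "$1"
}

# Counts statements still granted on every resource ("*"). The page's policy keeps
# six of them for the narrow per-service actions; a larger number means something
# broad was left unscoped.
count_wildcard_resources() {
  grep -c '"Resource": "\*"' "$1" || true
}

# Succeeds (exit 0) if the documentation's placeholder was left in the file.
has_placeholder() {
  grep -q '"resource_ARN"' "$1"
}

# The documented CLI steps; prints the role ARN to use when creating the pipeline.
create_service_role() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document file://TrustPolicy.json
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name RolePolicy \
    --policy-document file://RolePolicy.json
  aws iam get-role --role-name "$ROLE_NAME" --query 'Role.Arn' --output text
}

# Only talk to AWS when asked explicitly (APPLY=1); refuse to ship the placeholder.
if [ "${APPLY:-0}" = "1" ]; then
  write_trust_policy TrustPolicy.json
  write_role_policy RolePolicy.json "$PIPELINE_ARN"
  if has_placeholder RolePolicy.json; then
    echo "RolePolicy.json still contains resource_ARN; set PIPELINE_ARN" >&2
    exit 1
  fi
  create_service_role
fi
```

Run it as APPLY=1 PIPELINE_ARN=arn:aws:codepipeline:REGION:ACCOUNT:PIPELINE sh create-role.sh; without APPLY=1 it defines the functions and exits without touching AWS, which is how the checks can be exercised first. Of the six statements that remain on "*", iam:PassRole is the one most worth narrowing afterwards to the specific roles the pipeline hands to CodeBuild, CodeDeploy or CloudFormation.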