I am trying to implement CI/CD using AWS CodeBuild, and trying to deploy an application onto an AWS EC2 instance, but the code deployment is failing and showing the error below:
The IAM role arn:aws:iam::341502448925:role/CodeDeployServiceRole does not give you permission to perform operations in the following AWS service: AmazonEC2
I have even created service role in the IAM console but it's not working for me. Someone let me know how can I resolve this issue.
Except for creating an IAM role you should also install aws codedeploy agent on your ec2 instance:
install aws-codedeploy agent
Related
I am trying to setup an ec2 instance (A role is associate with this instance).
This instance is responsible to
Create build, and upload to s3 bucket
Create a new application version from this build for elasticbeanstalk
Deploy newly created version on beanstalk
I am running following 3 commands. first 2 are executed successfully.
aws s3 cp api-service-build.zip s3://build-bucket/api-service/2022-11-2022.zip
aws elasticbeanstalk create-application-version
--application-name api-service-stage
--version-label v5
--description "Version 5"
--source-bundle S3Bucket="build-bucket",S3Key="api-service/2022-11-2022.zip"
but when I try to run third command its unable to deploy (please note on CLI its not failing)
aws elasticbeanstalk update-environment
--environment-name api-service-stage-env
--version-label v5
On beanstalk web console I can see following error
User: arn:aws:sts::xxxxxxxxx:assumed-role/MyAssumedRole/i-xxxxxx is not authorized to perform: autoscaling:DescribeAutoScalingGroups because no identity-based policy allows the autoscaling:DescribeAutoScalingGroups action (Service: AmazonAutoScaling; Status Code: 403; Error Code: AccessDenied;
I have updated my policy more than 30 times, to reach to above point, and yet another permission error.
Is there a way or a tool, where I paste my command and it tells me what permissions are required to run this command
aws s3 cp
aws elasticbeanstalk create-application-version
aws elasticbeanstalk update-environment
Permission I have added so far in MyAssumedRoles are as follows, I have added these with lots of hit and tries and yet its asking about another one autoscaling.
S3 Full access
Elastic Beanstalk full access
CloudFormation full access
Based on the error you are missing the AutoScaling permissions. They are different from the ones that you have already added. The best way to test is to use the AWS Policy Simulator. Follow the steps below :
Login to the AWS Console.
Go to the following URL : https://policysim.aws.amazon.com
Under User, Groups & Roles : Select Roles and then the role : MyAssumedRole
You can test the access on the right by selecting the action e.g. under Policy Simulator, select Auto Scaling and then action - DescribeScalingPlans. Policy Simulator will give you the exact policy you need to add for your role.
When creating specific role/policy to assume for some pipelines which execute aws cli commands. So my questions is, are there any way to figure out which permissions are required to execute some aws cli commands?
For example, which permissions are required to be part of the role to perform an Elastic Beanstalk environment update with aws elasticbeanstalk update-environment?
You can try using iamlive, which allows you to generate IAM policies from AWS calls.
I have single ec2 instance running on ubuntu server and I am trying to implement CI/CD flow using codedeploy and source is bit-bucket.I jave also installed codedeploy-agent on ec2 instance and it is installed and running successfully but whenever I am deploying code on ec2 deployment is failing with an error shown below:
The overall deployment failed because too many individual instances failed deployment, too few
healthy instances are available for deployment, or some instances in your deployment group are
experiencing problems.
In the CodeDeploy agent log file that I am accessing using less /var/log/aws/codedeploy-agent/codedeploy-agent.log showing below error:
ERROR [codedeploy-agent(31598)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller:
Missing credentials - please check if this instance was started with an IAM instance profile
I am unable to understand how can I overcome this error someone let me know.
CodeDeploy agent requires IAM permissions provided by IAM role/profile of your instance. The exact permissions needed are given in AWS docs:
Step 4: Create an IAM instance profile for your Amazon EC2 instances
Say I use aws-cli locally on my machine, I´d need to authenticate with credentials prior to any operation.
How do AWS services give permission to other services on my behalf? And more specifically, how does a container run aws-cli on my behalf without prior authentication?
I am asking this, after running my first pipeline successfully in codePipeline. My buildspec.yml does run aws s3 sync command flawlessly -which made me then wonder how do aws internally permissions work-.
AWS CodeBuild uses an IAM Service Role to provide AWS permissions to the CodeBuild environment. You should have had to create a service role for your CodeBuild configuration.
When the AWS cli tool runs, and it hasn't been previously configured with API access keys, it will check if it is running in an AWS environment like EC2 or Lambda and if so, it will use the AWS IAM role assigned to that runtime environment.
I'm using Jenkins Pipeline and Packer to create AMI inside an AWS Account.
The Jenkins uses Kubernetes cluster as slave (using a cloud plugin that allows me to parameter docker pods template),
I have a pipeline that pull git project with the packer template in it and run packer validate command which is a success. Than, it runs packer build and i get the following error:
[1;31mBuild 'Amazon Linux 2 Classic' errored: No valid credential sources found for AWS Builder. Please see https://www.packer.io/docs/builders/amazon.html#specifying-amazon-credentials for more information on providing credentials for the AWS Builder.[0m
I also use Kube2iam to provide roles on my slave containers.
In my packer template, i don't define any aws credentials since I don't want to use it but role. Do you know if I have something to do inside the packer template to indicate the role to use ?
Best Regards,
Tony.
From what I understand, you are running Jenkins inside a Kubernetes cluster running on AWS EC2 instances? If so, the Jenkins agents running the build should be able to read available roles from the metadata of the instance they're running on.
In this case, the process would be to assign the desire IAM role to instances and Kubernetes should be able to handle that.