Movatterモバイル変換

[0]ホーム
URL:

Step 2: Create a service role for CodeDeploy - AWS CodeDeploy
DocumentationAWS CodeDeployUser Guide
Create a service role (console)Create a service role (CLI)Get the service role ARN (console)Get the service role ARN (CLI)

Step 2: Create a service role for CodeDeploy

In AWS, service roles are used to grant permissions to an AWS service so it can access AWS resources. The policies that you attach to the service role determine which resources the service can access and what it can do with those resources.

The service role you create for CodeDeploy must be granted the permissions required for your compute platform. If you deploy to more than one compute platform, create one service role for each. To add permissions, attach one or more of the following AWS supplied policies:

For EC2/On-Premises deployments, attach theAWSCodeDeployRole policy. It provides the permissions for your service role to:

For Amazon ECS deployments, if you want full access to support services, attach theAWSCodeDeployRoleForECS policy. It provides the permissions for your service role to:

  • Read, update, and delete Amazon ECS task sets.

  • Update Elastic Load Balancing target groups, listeners, and rules.

  • Invoke AWS Lambda functions.

  • Access revision files in Amazon S3 buckets.

  • Retrieve information about CloudWatch alarms.

  • Publish information to Amazon SNS topics.

For Amazon ECS deployments, if you want limited access to support services, attach theAWSCodeDeployRoleForECSLimited policy. It provides the permissions for your service role to:

  • Read, update, and delete Amazon ECS task sets.

  • Retrieve information about CloudWatch alarms.

  • Publish information to Amazon SNS topics.

For AWS Lambda deployments, if you want to allow publishing to Amazon SNS, attach theAWSCodeDeployRoleForLambda policy. It provides the permissions for your service role to:

  • Read, update, and invoke AWS Lambda functions and aliases.

  • Access revision files in Amazon S3 buckets.

  • Retrieve information about CloudWatch alarms.

  • Publish information to Amazon SNS topics.

For AWS Lambda deployments, if you want to limit access to Amazon SNS, attach theAWSCodeDeployRoleForLambdaLimited policy. It provides the permissions for your service role to:

  • Read, update, and invoke AWS Lambda functions and aliases.

  • Access revision files in Amazon S3 buckets.

  • Retrieve information about CloudWatch alarms.

As part of setting up the service role, you also update its trust relationship to specify the endpoints to which you want to grant it access.

You can create a service role with the IAM console, the AWS CLI, or the IAM APIs.

Create a service role (console)

  1. Sign in to the AWS Management Console and open the IAM console athttps://console.aws.amazon.com/iam/.

  2. In the navigation pane, chooseRoles, and then chooseCreate role.

  3. ChooseAWS service, and underUse case, from the drop-down list, chooseCodeDeploy.

  4. Choose your use case:

    • For EC2/On-Premises deployments, chooseCodeDeploy.

    • For AWS Lambda deployments, chooseCodeDeploy for Lambda.

    • For Amazon ECS deployments, chooseCodeDeploy - ECS.

  5. ChooseNext.

  6. On theAdd permissions page, the correct permissions policy for the use case is displayed. ChooseNext.

  7. On theName, review, and create page, inRole name, enter a name for the service role (for example,CodeDeployServiceRole), and then chooseCreate role.

    You can also enter a description for this service role inRole description.

  8. If you want this service role to have permission to access all currently supported endpoints, you are finished with this procedure.

    To restrict this service role from access to some endpoints, continue with the remaining steps in this procedure.

  9. In the list of roles, search for and choose the role you just created (CodeDeployServiceRole).

  10. Choose theTrust relationships tab.

  11. ChooseEdit trust policy.

    You should see the following policy, which provides the service role permission to access all supported endpoints:

    {    "Version": "2012-10-17",    "Statement": [{            "Sid": "",            "Effect": "Allow",            "Principal":{                "Service": [                    "codedeploy.amazonaws.com"                ]            },            "Action": "sts:AssumeRole"        }    ]}

    To grant the service role access to only some supported endpoints, replace the contents of the trust policy text box with the following policy. Remove the lines for the endpoints you want to prevent access to, and then chooseUpdate policy.

    {    "Version": "2012-10-17",    "Statement": [{            "Sid": "",            "Effect": "Allow",            "Principal":{                "Service": [                                        "codedeploy.us-east-1.amazonaws.com",                    "codedeploy.us-east-2.amazonaws.com",                    "codedeploy.us-west-1.amazonaws.com",                    "codedeploy.us-west-2.amazonaws.com",                    "codedeploy.ca-central-1.amazonaws.com",                    "codedeploy.ap-east-1.amazonaws.com",                                      "codedeploy.ap-northeast-1.amazonaws.com",                    "codedeploy.ap-northeast-2.amazonaws.com",                    "codedeploy.ap-northeast-3.amazonaws.com",                    "codedeploy.ap-southeast-1.amazonaws.com",                    "codedeploy.ap-southeast-2.amazonaws.com",                    "codedeploy.ap-southeast-3.amazonaws.com",                    "codedeploy.ap-southeast-4.amazonaws.com",                    "codedeploy.ap-south-1.amazonaws.com",                    "codedeploy.ap-south-2.amazonaws.com",                    "codedeploy.ca-central-1.amazonaws.com",                    "codedeploy.eu-west-1.amazonaws.com",                    "codedeploy.eu-west-2.amazonaws.com",                    "codedeploy.eu-west-3.amazonaws.com",                    "codedeploy.eu-central-1.amazonaws.com",                    "codedeploy.eu-central-2.amazonaws.com",                    "codedeploy.eu-north-1.amazonaws.com",                    "codedeploy.eu-south-1.amazonaws.com",                    "codedeploy.eu-south-2.amazonaws.com",                    "codedeploy.il-central-1.amazonaws.com",                    "codedeploy.me-central-1.amazonaws.com",                    "codedeploy.me-south-1.amazonaws.com",                    "codedeploy.sa-east-1.amazonaws.com"                ]            },            "Action": "sts:AssumeRole"        }    ]}

For more information about creating service roles, seeCreating a role to delegate permissions to an AWS service in theIAM User Guide.

Create a service role (CLI)

  1. On your development machine, create a text file named, for example,CodeDeployDemo-Trust.json. This file is used to allow CodeDeploy to work on your behalf.

    Do one of the following:

  2. From the same directory, call thecreate-role command to create a service role namedCodeDeployServiceRole based on the information in the text file you just created:

    aws iam create-role --role-name CodeDeployServiceRole --assume-role-policy-document file://CodeDeployDemo-Trust.json

    In the command's output, make a note of the value of theArn entry under theRole object. You need it later when you create deployment groups. If you forget the value, follow the instructions inGet the service role ARN (CLI).

  3. The managed policy you use depends on the compute platform.

For more information about creating service roles, seeCreating a role for an AWS service in theIAM User Guide.

Get the service role ARN (console)

To use the IAM console to get the ARN of the service role:

  1. Sign in to the AWS Management Console and open the IAM console athttps://console.aws.amazon.com/iam/.

  2. In the navigation pane, chooseRoles.

  3. In theFilter box, typeCodeDeployServiceRole, and then press Enter.

  4. ChooseCodeDeployServiceRole.

  5. Make a note of the value of theRole ARN field.

Get the service role ARN (CLI)

To use the AWS CLI to get the ARN of the service role, call theget-role command against the service role namedCodeDeployServiceRole:

aws iam get-role --role-name CodeDeployServiceRole --query "Role.Arn" --output text

The value returned is the ARN of the service role.

Step 1: Setting up
Step 3: Limit the CodeDeploy user's permissions
[8]ページ先頭
©2009-2025 Movatter.jp