0

I am trying to setup code deployment using aws, but when I try to perform deployment, I am getting this error:

2016-06-08 23:57:11 ERROR [codedeploy-agent(1207)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Cannot reach InstanceService: Aws::CodeDeployCommand::Errors::AccessDeniedException -
2016-06-08 23:58:41 INFO  [codedeploy-agent(1207)]: Version file found in /opt/codedeploy-agent/.version.
2016-06-08 23:58:41 INFO  [codedeploy-agent(1207)]: [Aws::CodeDeployCommand::Client 400 0.055741 0 retries] poll_host_command(host_identifier:"IAM-user-ARN") Aws::CodeDeployCommand::Errors::AccessDeniedException

I have two IAM roles - one for EC2 instance, and one for deployment app. S3 bucket have permission set for iam role which is used for deployment:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "XXXXXXXX:role/TestRole"
            },
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "arn:aws:s3:::pmcdeploy/*"
        }
    ]
}

What is going on?

Improve this question

4 Answers 4

Reset to default
1

Is the error consistent? On looking at the agent code, it seems like the agent might having trouble talking to EC2. If this is a persistent problem, you can share the EC2 instance profile.

Also starting the agent with verbose option enabled gives a lot more information about what's going on.

Thanks

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

This is actually something related to the order of credential loading. The host agent is running with root user by default and also uses instance profile.

The exception is got when you've setup a root credential which has priority over instance profile according to: http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#config-settings-and-precedence

Then the aws sdk used by host agent will use the credential configured for the root user instead of instance profile to configure the requests.

One of the workaround would be run the agent with a different user and don't configure any credential for that user.

Improve this answer

Comments

1

I deleted /home/ubuntu/.aws and rebooted codedeploy agent service and it worked for me :-)

Improve this answer

Comments

0

We had what I think the same issue. Our systems had a /root/.aws/credentials in place which CodeDeploy absolutely uses and I found no way of telling it to not do that. Especially no documentation...

In the end, we rewrote everything on our end to ensure we'll no longer need a credentials file in place. From that moment on, CodeDeploy used the instance profile and it was working fine.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.