While working on migrating our CodeDeploys to Blue/Green deployments, I ran into a bug with AWS CodeDeploy. Specificaly, we are using LaunchTemplates with our AutoScaling groups.
With this setup, we'd get this not so helpful error:
The IAM role arn:aws:iam::XXXXXXXXXX:role/CodeDeployRole does not give you permission to perform operations in the following AWS service: AmazonAutoScaling. Contact your AWS administrator if you need help. If you are an AWS administrator, you can grant permissions to your users or groups by creating IAM policies.
A few google search later it seems that other are seeing this issue, and no one has figured out how to fix it. I though all how was lost at first, but then in talking with my co-workers, we decied to file a Feature Request Ticket with AWS.
This is what AWS Support came back with:
Hello,
Thank you for contacting Amazon Web Services Support. I understand that you are running into issues when using an AutoScaling Group (ASG) with a launch template for your CodeDeploy Blue/Green deployments. To clarify, launch templates are supported with Blue/Green deployments; however, there are additional permissions that are needed for the CodeDeploy role in order for this feature to work. When using launch templates the role must have the following permissions added:
- ec2:RunInstance
- ec2:CreateTags
- iam:PassRole
Currently, this information is missing from the AWS CodeDeploy documentation; there is an open feature request to update the documentation as well as to add these required permissions to the managed CodeDeploy policy so that users will not need to manually add these permissions. At the moment, this feature is still being reviewed so I do not have any timeline or ETA for this but at the very least, the documentation will be updated to reflect the extra permissions required for using launch templates.
With this new bit of information, I created a new policy and attached it to our existing CodeDeploy role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:PassRole",
"ec2:CreateTags",
"ec2:RunInstances"
],
"Resource": "*"
}
]
}
Then I went over to CodeDeploy and trigged a deploy to the Blue/Green Deploment group, and Success!