
Deploy an application in a different Amazon account

Organizations commonly have multiple Amazon accounts that they use for different purposes (for example, one for system administration tasks and another for development, test, and production tasks or one associated with development and test environments and another associated with the production environment).

Although you might perform related work in different accounts, CodeDeploy deployment groups and the Amazon EC2 instances to which they deploy are strictly tied to the accounts under which they were created. You cannot, for example, add an instance that you launched in one account to a deployment group in another.

Assume you have two Amazon accounts: your development account and your production account. You work primarily in the development account, but you want to be able to kick off deployments in your production account without holding a full set of credentials there and without having to sign out of the development account and in to the production account.

After following the cross-account configuration steps, you can initiate deployments that belong to another of your organization’s accounts without needing a full set of credentials for that other account. You do this, in part, by using a capability provided by the Amazon Security Token Service (Amazon STS) that grants you temporary access to that account.

Step 1: Create an S3 bucket in either account

In either the development account or the production account:

  • If you have not already done so, create an Amazon S3 bucket where the application revisions for the production account will be stored. For information, see Create a Bucket in Amazon S3. You can even use the same bucket and application revisions for both accounts, deploying the same files to your production environment that you tested and verified in your development account.

Step 2: Grant Amazon S3 bucket permissions to the production account's IAM instance profile

If the Amazon S3 bucket you created in step 1 is in your production account, this step is not required. The role you assume later will already have access to this bucket because it is also in the production account.

If you created the Amazon S3 bucket in the development account, do the following:

  • In the production account, create an IAM instance profile. For information, see Step 4: Create an IAM instance profile for your Amazon EC2 instances.

    Note

    Make note of the ARN for this IAM instance profile. You will need to add it to the cross-bucket policy you create next.

  • In the development account, give access to the Amazon S3 bucket you created in the development account to the IAM instance profile you just created in your production account. For information, see Example 2: Bucket owner granting cross-account bucket permissions.

    Note the following as you complete the process of granting cross-account bucket permissions:

    • In the sample walkthrough, Account A represents your development account and Account B represents your production account.

    • When you perform the Account A (development account) tasks, modify the following bucket policy to grant cross-account permissions instead of using the sample policy provided in the walkthrough.

      { "Version": "2012-10-17", "Statement": [ { "Sid": "Cross-account permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws-cn:iam::account-id:role/role-name" }, "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws-cn:s3:::bucket-name/*" ] } ] }

      account-id represents the account number of the production account where you just created the IAM instance profile.

      role-name represents the name of the IAM instance profile you just created.

      bucket-name represents the name of the bucket you created in step 1. Be sure to include the /* after the name of your bucket to provide access to each of the files inside the bucket.

Step 3: Create resources and a cross-account role in the production account

In your production account:

  • Create your CodeDeploy resources — application, deployment group, deployment configuration, Amazon EC2 instances, Amazon EC2 instance profile, service role, and so on — using the instructions in this guide.

  • Create an additional role, a cross-account IAM role, that a user in your development account can assume to perform CodeDeploy operations in this production account.

    Use the Walkthrough: Delegate access across Amazon accounts using IAM roles as a guide to help you create the cross-account role. Instead of adding the sample permissions in the walkthrough to your policy document, you should attach, at minimum, the following two Amazon supplied policies to the role:

    • AmazonS3FullAccess: Required only if the S3 bucket is in the development account. Provides the assumed production account role with full access to the Amazon S3 services and resources in the development account, where the revision is stored.

    • AWSCodeDeployDeployerAccess: Enables a user to register and deploy revisions.

    If you want to create and manage deployment groups and not just initiate deployments, add the AWSCodeDeployFullAccess policy instead of the AWSCodeDeployDeployerAccess policy. For more information about using IAM managed policies to grant permissions for CodeDeploy tasks, see Amazon managed (predefined) policies for CodeDeploy.

    You can attach additional policies if you want to perform tasks in other Amazon services while using this cross-account role.

Important

As you create the cross-account IAM role, make a note of the details you will need to gain access to the production account.

To use the Amazon Web Services Management Console to switch roles, you will need to supply either of the following:

  • A URL for accessing the production account with the assumed role's credentials. You will find the URL on the Review page, which is displayed at the end of the cross-account role creation process.

  • The name of the cross-account role and either the account ID number or alias.

To use the Amazon CLI to switch roles, you will need to supply the following:

  • The ARN of the cross-account role you will assume.
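The following is an added example, not code from the page or from CodeDeploy itself. It builds the Step 2 bucket policy and a Step 3 trust policy for the cross-account role, lints the bucket policy for the two mistakes that most often break or over-grant the setup, and maps an STS AssumeRole response (Step 5) to the environment variables the Amazon CLI reads. The trust policy's use of the development account's root principal, the expiry check, and all account IDs and credential values are assumptions or constructed sample data, not from the page.

```python
from datetime import datetime, timezone

PARTITION = "aws-cn"  # the page's ARNs use the China-region partition


def bucket_policy(prod_account_id, role_name, bucket_name):
    """Step 2 bucket policy: the production account's instance profile role
    may read (only read) the revisions stored in the development account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "Cross-account permissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:{PARTITION}:iam::{prod_account_id}:role/{role_name}"},
        "Action": ["s3:Get*", "s3:List*"],
        "Resource": [f"arn:{PARTITION}:s3:::{bucket_name}/*"]}]}


def trust_policy(dev_account_id):
    """Step 3 trust policy (assumed shape, not from the page): only principals in
    the development account may assume the role; permissions come from the managed policies."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:{PARTITION}:iam::{dev_account_id}:root"},
        "Action": "sts:AssumeRole"}]}


def lint_bucket_policy(policy):
    """Flag the two mistakes that most often break or over-grant Step 2."""
    problems = []
    for st in policy["Statement"]:
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*":  # a public bucket policy, not a cross-account grant
            problems.append(f"{sid}: Principal is '*', every account could read the revisions")
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if not any(r.endswith("/*") for r in resources):  # the /* the page insists on
            problems.append(f"{sid}: no object-level Resource (bucket-name/*), objects stay unreadable")
    return problems


def cli_env_from_assume_role(response, now=None):
    """Map an sts:AssumeRole response (Step 5) to the variables the Amazon CLI reads,
    so deployments run under the production role; refuses already-expired credentials."""
    creds = response["Credentials"]
    now = now or datetime.now(timezone.utc)
    if creds["Expiration"] <= now:
        raise ValueError("temporary credentials expired; call assume-role again")
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["SessionToken"]}
```

Export the three variables returned by `cli_env_from_assume_role` in the shell before running `aws deploy create-deployment`, and the deployment is created in the production account while your development-account credentials stay untouched.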

Step 4: Upload the application revision to the Amazon S3 bucket

In the account in which you created the Amazon S3 bucket:

Step 5: Assume the cross-account role and deploy applications

In the development account, you can use the Amazon CLI or the Amazon Web Services Management Console to assume the cross-account role and initiate the deployment in the production account.

For instructions about how to use the Amazon Web Services Management Console to switch roles and initiate deployments, see Switching to a role (Amazon Web Services Management Console) and Create an EC2/On-Premises Compute Platform deployment (console).

For instructions about how to use the Amazon CLI to assume the cross-account role and initiate deployments, see Switching to an IAM role (Amazon Command Line Interface) and Create an EC2/On-Premises Compute Platform deployment (CLI).

For more information about assuming a role through Amazon STS, see AssumeRole in the Amazon Security Token Service User Guide and assume-role in the Amazon CLI Command Reference.

Related topic: