Step 3: Limit the CodeDeploy user's permissions
For security reasons, we recommend that you limit the permissions of the administrative user that you created in Step 1: Setting up to just those required to create and manage deployments in CodeDeploy.
Use the following series of procedures to limit the CodeDeploy administrative user's permissions.
Before you begin

- Make sure you have created a CodeDeploy administrative user in IAM Identity Center following the instructions in Step 1: Setting up.
To create a permission set

You'll assign this permission set to the CodeDeploy administrative user later.

- Sign in to the Amazon Web Services Management Console and open the Amazon IAM Identity Center console at https://console.amazonaws.cn/singlesignon/.
- In the navigation pane, choose Permission sets, and then choose Create permission set.
- Choose Custom permission set.
- Choose Next.
- Choose Inline policy.
- Remove the sample code.
- Add the following policy code:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CodeDeployAccessPolicy",
      "Effect": "Allow",
      "Action": [
        "autoscaling:*",
        "codedeploy:*",
        "ec2:*",
        "lambda:*",
        "ecs:*",
        "elasticloadbalancing:*",
        "iam:AddRoleToInstanceProfile",
        "iam:AttachRolePolicy",
        "iam:CreateInstanceProfile",
        "iam:CreateRole",
        "iam:DeleteInstanceProfile",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:GetInstanceProfile",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListInstanceProfilesForRole",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PutRolePolicy",
        "iam:RemoveRoleFromInstanceProfile",
        "s3:*",
        "ssm:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CodeDeployRolePolicy",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::account-ID:role/CodeDeployServiceRole"
    }
  ]
}

In this policy, replace arn:aws:iam::account-ID:role/CodeDeployServiceRole with the ARN of the CodeDeploy service role that you created in Step 2: Create a service role for CodeDeploy. You can find the ARN on the service role's details page in the IAM console.

The preceding policy lets you deploy an application to the Amazon Lambda, EC2/On-Premises, and Amazon ECS compute platforms. It is "limited" only relative to a full administrative user: the first statement still grants every action in Auto Scaling, CodeDeploy, EC2, Lambda, ECS, Elastic Load Balancing, S3, and Systems Manager, plus the listed IAM role-management actions, on all resources. The iam:PassRole statement is the one that is scoped to a single role; keep it that way, because iam:PassRole on Resource "*" would let this user hand any role in the account to EC2, Lambda, or ECS. For production accounts, narrow the Resource of the first statement to the specific buckets, roles, and instance profiles your deployments use.

You can use the Amazon CloudFormation templates provided in this documentation to launch Amazon EC2 instances that are compatible with CodeDeploy. To use Amazon CloudFormation templates to create applications, deployment groups, or deployment configurations, you must grant access to Amazon CloudFormation, and to the Amazon services and actions that Amazon CloudFormation depends on, by adding the cloudformation:* permission to the CodeDeploy administrative user's permission policy, like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        ...
        "cloudformation:*"
      ],
      "Resource": "*"
    }
  ]
}
- Choose Next.
- In Permission set name, enter: CodeDeployUserPermissionSet
- Choose Next.
- On the Review and create page, review the information and choose Create.
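The inline policy entered in the steps above has two parts that are easy to get wrong by hand: the account-ID placeholder in the iam:PassRole ARN must be replaced, and that ARN must stay scoped to the one service role. The following Python is an added example, not code from the CodeDeploy documentation; it builds the policy document from a 12-digit account ID and the service-role name from Step 2 (CodeDeployServiceRole, both parameters rather than fixed values), optionally adds cloudformation:*, and lints the result for the mistakes that would hand the user back administrative reach. The sample account ID in the main block is constructed.

```python
"""Build and lint the CodeDeploy permission-set inline policy.

Added example, not code from the CodeDeploy documentation. Assumes a
12-digit account ID and the service-role name from Step 2
(CodeDeployServiceRole); both are parameters, not fixed values.
"""
import json
import re

# Action list copied from the page's CodeDeployAccessPolicy statement.
CODEDEPLOY_ACTIONS = [
    "autoscaling:*", "codedeploy:*", "ec2:*", "lambda:*", "ecs:*",
    "elasticloadbalancing:*",
    "iam:AddRoleToInstanceProfile", "iam:AttachRolePolicy",
    "iam:CreateInstanceProfile", "iam:CreateRole",
    "iam:DeleteInstanceProfile", "iam:DeleteRole", "iam:DeleteRolePolicy",
    "iam:GetInstanceProfile", "iam:GetRole", "iam:GetRolePolicy",
    "iam:ListInstanceProfilesForRole", "iam:ListRolePolicies",
    "iam:ListRoles", "iam:PutRolePolicy", "iam:RemoveRoleFromInstanceProfile",
    "s3:*", "ssm:*",
]


def build_policy(account_id, role_name="CodeDeployServiceRole",
                 partition="aws", with_cloudformation=False):
    """Return the policy document with the service-role ARN filled in.

    partition is "aws" for the global partition and "aws-cn" for the
    China regions; the page shows the "aws" form.
    """
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be exactly 12 digits")
    actions = list(CODEDEPLOY_ACTIONS)
    if with_cloudformation:
        # Only needed when creating CodeDeploy resources via CloudFormation.
        actions.append("cloudformation:*")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CodeDeployAccessPolicy",
                "Effect": "Allow",
                "Action": actions,
                "Resource": "*",
            },
            {
                "Sid": "CodeDeployRolePolicy",
                "Effect": "Allow",
                "Action": ["iam:PassRole"],
                "Resource": f"arn:{partition}:iam::{account_id}:role/{role_name}",
            },
        ],
    }


def _as_list(value):
    # IAM accepts either a string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def check_policy(policy):
    """Return a list of findings; an empty list means the checks passed.

    Looks for the mistakes that turn this policy back into admin access:
    a wildcard or iam:* action, iam:PassRole on Resource "*", and the
    account-ID placeholder left unreplaced in an ARN.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a in ("*", "iam:*") for a in actions):
            findings.append(f"{sid}: grants wildcard or full IAM access: {actions!r}")
        if "iam:PassRole" in actions and "*" in resources:
            findings.append(f"{sid}: iam:PassRole on Resource * lets the user pass any role")
        for r in resources:
            if "account-ID" in r:
                findings.append(f"{sid}: placeholder account-ID not replaced in {r}")
    return findings


def render_policy(policy):
    """JSON text for the console's inline-policy editor or for
    aws sso-admin put-inline-policy-to-permission-set --inline-policy."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    doc = build_policy("123456789012")  # constructed sample account ID
    print(render_policy(doc))
    print("findings:", check_policy(doc) or "none")
```

Write render_policy output to a file and the same permission set can be created without the console: aws sso-admin create-permission-set (--instance-arn, --name CodeDeployUserPermissionSet), then aws sso-admin put-inline-policy-to-permission-set with --inline-policy file://policy.json, then aws sso-admin create-account-assignment with --target-type AWS_ACCOUNT, --principal-type USER and the user's Identity Center ID, which is the CLI form of the assignment procedure that follows. Run check_policy on the document before uploading it, and again on any later edits.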
To assign the permission set to the CodeDeploy administrative user

- In the navigation pane, choose Amazon Web Services accounts, and then select the check box next to the Amazon Web Services account that you're currently signed in to.
- Choose the Assign users or groups button.
- Choose the Users tab.
- Select the check box next to the CodeDeploy administrative user.
- Choose Next.
- Select the check box next to CodeDeployUserPermissionSet.
- Choose Next.
- Review the information and choose Submit.

You have now assigned the CodeDeploy administrative user and CodeDeployUserPermissionSet to your Amazon Web Services account, binding them together.
To sign out and sign back in as the CodeDeploy administrative user

- Before you sign out, make sure you have the Amazon access portal URL and the username and one-time password for the CodeDeploy administrative user.

Note
If you do not have this information, go to the CodeDeploy administrative user details page in IAM Identity Center, choose Reset password, Generate a one-time password [...], and Reset password again to display the information on the screen.

- Sign out of Amazon.
- Paste the Amazon access portal URL into your browser's address bar.
- Sign in as the CodeDeploy administrative user. An Amazon Web Services account box appears on the screen.
- Choose Amazon Web Services account, and then choose the name of the Amazon Web Services account to which you assigned the CodeDeploy administrative user and permission set.
- Next to CodeDeployUserPermissionSet, choose Management console.

The Amazon Web Services Management Console appears. You are now signed in as the CodeDeploy administrative user with the limited permissions. As this user you can perform CodeDeploy-related operations with only the permissions granted by CodeDeployUserPermissionSet, rather than the full administrative access you had before.