Step 3: Provision an IAM user - Amazon CodeDeploy
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Step 3: Provision an IAM user

Follow these instructions to prepare an IAM user to use CodeDeploy:

  1. Create an IAM user or use one associated with your Amazon account. For more information, see Creating an IAM user in the IAM User Guide.

  2. Grant the IAM user access to CodeDeploy—and Amazon services and actions CodeDeploy depends on—by copying the following policy and attaching it to the IAM user:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "CodeDeployAccessPolicy",
          "Effect": "Allow",
          "Action": [
            "autoscaling:*",
            "codedeploy:*",
            "ec2:*",
            "lambda:*",
            "ecs:*",
            "elasticloadbalancing:*",
            "iam:AddRoleToInstanceProfile",
            "iam:AttachRolePolicy",
            "iam:CreateInstanceProfile",
            "iam:CreateRole",
            "iam:DeleteInstanceProfile",
            "iam:DeleteRole",
            "iam:DeleteRolePolicy",
            "iam:GetInstanceProfile",
            "iam:GetRole",
            "iam:GetRolePolicy",
            "iam:ListInstanceProfilesForRole",
            "iam:ListRolePolicies",
            "iam:ListRoles",
            "iam:PutRolePolicy",
            "iam:RemoveRoleFromInstanceProfile",
            "s3:*",
            "ssm:*"
          ],
          "Resource": "*"
        },
        {
          "Sid": "CodeDeployRolePolicy",
          "Effect": "Allow",
          "Action": [
            "iam:PassRole"
          ],
          "Resource": "arn:aws:iam::account-ID:role/CodeDeployServiceRole"
        }
      ]
    }

    In the preceding policy, replace arn:aws:iam::account-ID:role/CodeDeployServiceRole with the ARN value of the CodeDeploy service role that you created in Step 2: Create a service role for CodeDeploy. You can find the ARN value in the details page of the service role in the IAM console.

    The preceding policy grants the IAM user the access required to deploy to an Amazon Lambda compute platform, an EC2/On-Premises compute platform, and an Amazon ECS compute platform.

    To learn how to attach a policy to an IAM user, see Working with policies. To learn how to restrict users to a limited set of CodeDeploy actions and resources, see Identity and access management for Amazon CodeDeploy.

    You can use the Amazon CloudFormation templates provided in this documentation to launch Amazon EC2 instances that are compatible with CodeDeploy. To use Amazon CloudFormation templates to create applications, deployment groups, or deployment configurations, you must grant the IAM user access to Amazon CloudFormation—and Amazon services and actions that Amazon CloudFormation depends on—by attaching an additional policy to the IAM user:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "cloudformation:*"
          ],
          "Resource": "*"
        }
      ]
    }

    For information about other Amazon services listed in these statements, see:
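Added example, not part of the Amazon documentation: a check to run on the step 2 policy before attaching it. It confirms that the iam:PassRole resource is a concrete role ARN (the account-ID placeholder has been replaced) and lists the service-wide wildcard actions that could be narrowed later. The names review_policy, as_list, ROLE_ARN and SAMPLE_POLICY are hypothetical, and the sample is a constructed subset of the policy above.

```python
import json
import re

# Constructed sample: the page's PassRole statement plus a few of its wildcard
# actions, with the account-ID placeholder deliberately left unreplaced.
SAMPLE_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Sid": "CodeDeployAccessPolicy", "Effect": "Allow",
    "Action": [ "codedeploy:*", "ec2:*", "iam:CreateRole", "s3:*" ],
    "Resource": "*" },
  { "Sid": "CodeDeployRolePolicy", "Effect": "Allow",
    "Action": [ "iam:PassRole" ],
    "Resource": "arn:aws:iam::account-ID:role/CodeDeployServiceRole" } ] }
""")

# An IAM role ARN with a 12-digit account ID; the partition may be aws, aws-cn, ...
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")

def as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def review_policy(policy):
    """Return findings for an identity policy before it is attached."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        resources = as_list(stmt.get("Resource", []))
        # Service-wide wildcards on every resource: candidates for narrowing.
        if "*" in resources:
            broad = sorted(a for a in actions if a == "*" or a.endswith(":*"))
            if broad:
                findings.append(f"{sid}: wildcard actions on Resource '*': {', '.join(broad)}")
        # iam:PassRole must name concrete role ARNs, not "*" or a placeholder.
        if any(a in ("iam:passrole", "iam:*", "*") for a in actions):
            for res in resources:
                if not ROLE_ARN.match(res):
                    findings.append(f"{sid}: iam:PassRole resource is not a concrete role ARN: {res}")
    return findings

if __name__ == "__main__":
    for line in review_policy(SAMPLE_POLICY):
        print(line)
```

To check a real policy file, load it with json.load and pass the result to review_policy; an empty list means neither condition was found.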