Why is AWS CodeDeploy giving me an AccessDeniedException from an account with administrator privileges

amazon-web-servicesaws-clideployment

I'm trying to create a deployment group in AWS from the CLI and I'm getting the following error:

An error occurred (AccessDeniedException) when calling the CreateDeploymentGroup
operation: User: <redacted> is not authorized to perform: iam:PassRole on 
resource: arn:aws:codedeploy:us-east-1:<redacted>:<redacted>

The user account I'm doing this from has the AdministratorAccess permission, so I'm stumped as to why the account isn't authorized to do this. How can I fix this?

Best Answer

You need to setup "Trust relationships" so that CodeDeploy has the privelege to assume the role.

In this link start with step 8 and review your configuration.

CodeDeploy Trust relationships

Related Solutions

AWS RDS CLI: AccessDenied on CreateDBSnapshot

It is indeed strange, but it appears that the CreateDBSnapshot permission also has to be assigned to the destination snapshot.

This policy works:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmtxxxxxxxxxxxxxx",
            "Effect": "Allow",
            "Action": [
                "rds:CreateDBSnapshot"
            ],
            "Resource": [
                "arn:aws:rds:eu-west-1:xxxxxxxxxxxxxx:db:my-database",
                "arn:aws:rds:eu-west-1:xxxxxxxxxxxxxx:snapshot:*"
            ]
        }
    ]
}

Access Denied when calling the CreateInvalidation operation on AWS CLI

IAM Policies do not allow restriction of access to specific CloudFront distributions. The solution is to use a wildcard for the resource, instead of only referencing a specific CloudFront resource. Adding that to your IAM policy will fix the issue you're having.

Here is an example of that in a working IAM policy:

{
  "Statement": [  
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudfront:CreateInvalidation",
        "cloudfront:GetInvalidation",
        "cloudfront:ListInvalidations"
      ],
      "Resource": "*"
    }
  ]
}

Docs:

Best Answer

Related Solutions

AWS RDS CLI: AccessDenied on CreateDBSnapshot

Access Denied when calling the CreateInvalidation operation on AWS CLI

Related Topic