aws / aws-codedeploy-agent

Host Agent for AWS CodeDeploy
https://aws.amazon.com/codedeploy
Apache License 2.0

On-premises Instance not Recognized by CodeDeploy #150

Closed Otto45 closed 6 years ago

Otto45 commented 6 years ago

I'm trying to get CodeDeploy set up with an on-premises instance (Raspberry Pi running Raspbian), and I've followed all the steps from this page. Notice that I'm using the IAM Session ARN route to authenticate my device, so I can ultimately use the same user for all devices and have them assume the role they need. My issue is that after setting everything up, I can see my device as registered under the On-premises instances section of CodeDeploy, but when I go to create an application and deployment group, my instance does not pop up when I put in the tag I have assigned to it. I confirmed this is not a UI glitch because my sample deployment from S3 fails. At this point I'm stuck; any help would be appreciated.

Here is how I have everything set up:

I can generate the temporary credentials from STS with the aws-codedeploy-session-helper tool with this command:

get_sts_creds --role-arn arn:aws:iam::{MY_ACCOUNT_ID}:role/RoleToAssume --region us-east-2 --session-name-override TestSession --file /home/pi/assumed_role_temp_creds

The policy attached to the user used to run the above command:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

The RoleToAssume permissions policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*",
                "codedeploy:*"
            ],
            "Resource": "*"
        }
    ]
}

The RoleToAssume Trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{MY_ACCOUNT_ID}:user/UserToAssumeRole"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

The CodeDeploy agent is running on my device, and here is the configuration file located at /etc/codedeploy-agent/conf/codedeploy.onpremises.yml that tells it to use the assumed role:

---
:iam_session_arn: arn:aws:sts::{MY_ACCOUNT_ID}:assumed-role/RoleToAssume/TestSession
:aws_credentials_file: /home/pi/assumed_role_temp_creds
:region: us-east-2

I have a role called CodeDeployRole that is set in my application deployment group configuration through the console. It has the AWSCodeDeployRole permissions policy attached to it, along with the following trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "codedeploy.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Finally, here is the command I used to register my device from the AWS CLI:

aws deploy register-on-premises-instance --instance-name TestOnPremiseInstance --iam-session-arn arn:aws:sts::{MY_ACCOUNT_ID}:assumed-role/RoleToAssume/TestSession --region us-east-2
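The setup in the post above names the same STS session in three places: the get_sts_creds arguments, the agent's codedeploy.onpremises.yml, and the register-on-premises-instance call. As an added example (not part of the original post or the agent's own code), this Python check compares them; the function names and the sample account ID 111122223333 are assumptions made for illustration.

```python
import re

# Constructed sample: same shape as the config in the post, with the
# placeholder account 111122223333 in place of {MY_ACCOUNT_ID}.
SAMPLE_CONFIG = """---
:iam_session_arn: arn:aws:sts::111122223333:assumed-role/RoleToAssume/TestSession
:aws_credentials_file: /home/pi/assumed_role_temp_creds
:region: us-east-2
"""
NAME = r"[\w+=,.@-]+"
SESSION_ARN = re.compile(r"^arn:aws[\w-]*:sts::\d{12}:assumed-role/%s/%s$" % (NAME, NAME))
ROLE_ARN = re.compile(r"^arn:(aws[\w-]*):iam::(\d{12}):role/(?:.*/)?(%s)$" % NAME)


def parse_onprem_config(text):
    """Read the flat 'key: value' lines; a leading ':' on a key is dropped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line != "---" and not line.startswith("#"):
            key, _, value = line.lstrip(":").partition(":")
            conf[key.strip()] = value.strip().strip("'\"")
    return conf


def expected_session_arn(role_arn, session_name):
    """ARN of the session AssumeRole creates; a role path is not part of it."""
    m = ROLE_ARN.match(role_arn)
    if not m:
        raise ValueError("not an IAM role ARN: %r" % role_arn)
    return "arn:%s:sts::%s:assumed-role/%s/%s" % (m.group(1), m.group(2), m.group(3), session_name)


def check_session_setup(config_text, role_arn, session_name, registered_arn, cli_region):
    """Return the mismatches between agent config, STS request and registration."""
    conf = parse_onprem_config(config_text)
    problems = ["config is missing %s" % k
                for k in ("iam_session_arn", "aws_credentials_file", "region")
                if not conf.get(k)]
    conf_arn = conf.get("iam_session_arn", "")
    want = expected_session_arn(role_arn, session_name)
    if conf_arn and not SESSION_ARN.match(conf_arn):
        problems.append("iam_session_arn is not an assumed-role session ARN")
    if conf_arn and conf_arn != want:
        problems.append("config ARN is not the session get_sts_creds requests")
    if registered_arn != want:
        problems.append("registered ARN is not the session get_sts_creds requests")
    if conf.get("region") and conf["region"] != cli_region:
        problems.append("config region %s differs from CLI region %s" % (conf["region"], cli_region))
    return problems
```

An empty list means the three values agree; it does not show that the instance has been tagged or that the temporary credentials are still valid.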

rohkat-aws commented 6 years ago

@Otto45 did you get this to work? Apologies for the super late response.

Otto45 commented 6 years ago

I did not, but I ended up scrapping my work on this so you can close this out.

redixhumayun commented 3 years ago

Hi,

Is it possible to re-open this issue? I'm trying to do something similar with setting up code-deploy-agent on Raspberry Pi running Raspbian OS. I can't find any AWS documentation around this either.

Alternatively, let me know if I should open a new issue for this.

prichardsondev commented 2 years ago

In case anyone else ends up here... I've got it working on both Raspberry PI 32b bullseye on micro SD and Ubuntu Server 21.10 Raspberry Pi 64b on SSD. Only slight difference between the two.

[-- install aws cli v2 - ubuntu ]

sudo apt install unzip
curl "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

[-- install aws cli v1.19 Raspberry PI OS ]

sudo apt install awscli

[-- configure aws cli with proper credentials - codedeploy, createusers - admin would do the trick]
[-- you can find specific credentials for this process in aws docs]

aws configure ...

[-- register with codedeploy]
[-- change new-user-in-your-account]
[-- change some-key]
[-- change to your region]
[-- this will create a new user - few other steps if you want to use same user you set credentials up with]

aws deploy register --instance-name new-user-in-your-account --tags Key=Name,Value=some-key --region us-east-1

[-- copy output for reference - although info will be in codedeploy.onpremises.yml file]

[-- install codedeploy agent]

sudo apt install ruby-full

[change region as necessary]

sudo wget https://aws-codedeploy-us-east-1.s3.amazonaws.com/latest/install

sudo chmod +x ./install

[ubuntu 21.10]

sudo ./install auto > /tmp/logfile

[raspberry pi os - bullseye]

sudo ./install auto

[-- you may have to move codedeploy.onpremises.yml if not done]

[check]
cat /etc/codedeploy-agent/conf/codedeploy.onpremises.yml

[move if needed]
sudo mv codedeploy.onpremises.yml /etc/codedeploy-agent/conf/

[-- check agent status for 'active running', ctrl+c to exit]

sudo service codedeploy-agent status

[-- if not running]

sudo service codedeploy-agent start

[--hook up your pipeline - works like a charm]

[-- unregister if needed]

sudo aws deploy deregister --instance-name nameuregisteredwithabove