aws / aws-codedeploy-agent

Host Agent for AWS CodeDeploy
https://aws.amazon.com/codedeploy
Apache License 2.0
329 stars 187 forks

Do I absolutely need the IAM Instance Profile? #246

Closed mpdude closed 4 years ago

mpdude commented 4 years ago

For reasons, I'd like to avoid using an EC2 Instance Profile to give the codedeploy-agent its permissions. Instead, I'd like to use "classic" credentials in the ~/.aws/credentials file.

I've set this up with an IAM User that has the same permissions (the same IAM Policy attached) as the role would have.

Still, I get the following errors:

2020-06-04 22:29:20 DEBUG [codedeploy-agent(5827)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Calling PollHostCommand:
2020-06-04 22:29:20 INFO  [codedeploy-agent(5827)]: Version file found in /opt/codedeploy-agent/.version with agent version OFFICIAL_1.0-1.1597_deb.
2020-06-04 22:29:20 ERROR [codedeploy-agent(5827)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Cannot reach InstanceService: Aws::CodeDeployCommand::Errors::AccessDeniedException -
2020-06-04 22:29:20 DEBUG [codedeploy-agent(5827)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Sleeping 12 seconds.
2020-06-04 22:29:33 DEBUG [codedeploy-agent(5827)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Calling PollHostCommand:
2020-06-04 22:29:33 INFO  [codedeploy-agent(5827)]: Version file found in /opt/codedeploy-agent/.version with agent version OFFICIAL_1.0-1.1597_deb.
2020-06-04 22:29:33 ERROR [codedeploy-agent(5827)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Cannot reach InstanceService: Aws::CodeDeployCommand::Errors::AccessDeniedException -
2020-06-04 22:29:33 DEBUG [codedeploy-agent(5827)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Sleeping 16 seconds.
2020-06-04 22:29:50 DEBUG [codedeploy-agent(5827)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Calling PollHostCommand:
2020-06-04 22:29:50 INFO  [codedeploy-agent(5827)]: Version file found in /opt/codedeploy-agent/.version with agent version OFFICIAL_1.0-1.1597_deb.
2020-06-04 22:29:50 ERROR [codedeploy-agent(5827)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Cannot reach InstanceService: Aws::CodeDeployCommand::Errors::AccessDeniedException -
2020-06-04 22:29:50 DEBUG [codedeploy-agent(5827)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Sleeping 20 seconds.

Is this supported at all?

fleaz commented 4 years ago

Just out of curiosity: May I ask what your reasons are to use the credentials file instead of an instance role?

mpdude commented 4 years ago

It’s complicated: I had to use the legacy ec2-consistent-snapshot script to make clean snapshots of MySQL MyISAM tables, but that was built with the AWS SDK for Perl, which itself has been abandoned for a long time and exhibits random authentication failures if the instance has an associated instance profile.

But since I opened this issue here, I wrote my own backup script which, in fact, even relies on the instance profile and makes credentials handling easier.

So I am going to close this – thanks anyway!