Minimal Deploy IAM Policy
The IAM user that runs the cody deploy command needs a minimal set of IAM permissions in order to deploy a CodeBuild project. Here is a table of the baseline services needed:
| Service | Description |
|---|---|
| CloudFormation | To create the CloudFormation stacks that in turn create the AWS resources cody manages. |
| CodeBuild | To create the CodeBuild project. |
| Events | To create the CloudWatch Event Rules that start CodeBuild projects periodically. You can define the schedule with the Schedule DSL. |
| IAM | To create the IAM role associated with the CodeBuild project. This role gives your build permission to access AWS resources. You can define those permissions with the Role DSL. |
| Logs | To write to CloudWatch logs. |
| SSM | Required if you’re using the ssm helper method to store secrets. |
Instructions
It is recommended that you create an IAM group and add the IAM users that need to run cody deploy to it. Here are starter instructions and a policy that you can tailor to your needs:
Commands Summary
Here’s a summary of the commands:
```sh
aws iam create-group --group-name Cody
# Policy document for the deploy user. Note: no trailing comma after the last action, or the JSON is invalid.
cat << 'EOF' > /tmp/cody-iam-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:*",
        "codebuild:*",
        "events:*",
        "iam:*",
        "logs:*",
        "ssm:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
EOF
aws iam put-group-policy --group-name Cody --policy-name CodyPolicy --policy-document file:///tmp/cody-iam-policy.json
```
Then create a user and add the user to the IAM group. Here’s an example:
```sh
aws iam create-user --user-name tung
aws iam add-user-to-group --user-name tung --group-name Cody
```
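As an added example, not part of the cody documentation: a small Python check that parses a deploy policy document before you attach it, reports any baseline service from the table above that no Allow statement covers, and lists the service-wide wildcards granted on every resource so you can decide which to scope down. The embedded sample policy is the one from this page (with the trailing comma removed so it parses).

```python
import json

# Baseline services from the table on this page; each is the IAM action prefix.
BASELINE_SERVICES = ("cloudformation", "codebuild", "events", "iam", "logs", "ssm")

# Constructed sample: the starter policy from this page, as valid JSON.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["cloudformation:*", "codebuild:*", "events:*",
                 "iam:*", "logs:*", "ssm:*"],
      "Resource": ["*"]
    }
  ]
}"""


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_deploy_policy(doc_text, required=BASELINE_SERVICES):
    """Parse a policy document and report how it covers the baseline services.

    Returns a dict with:
      missing   - baseline services that no Allow statement grants any action on
      wildcards - (action, resource) pairs granting a whole service on every resource
    json.loads raises ValueError on malformed JSON, e.g. a trailing comma.
    """
    doc = json.loads(doc_text)
    covered = set()
    wildcards = []
    for stmt in _as_list(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                covered.update(required)  # a bare "*" grants every service
            else:
                covered.add(action.split(":", 1)[0].lower())
            if (action == "*" or action.endswith(":*")) and "*" in resources:
                wildcards.append((action, "*"))
    return {
        "missing": [s for s in required if s not in covered],
        "wildcards": wildcards,
    }
```

Run it against your own document first: an empty `missing` list means cody deploy has every baseline service it needs, and each `wildcards` entry is a grant worth narrowing to the specific resources your deployment creates.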
Cody Deploy IAM Policy vs the CodeBuild IAM Policy
This page describes the IAM policy of the user that runs cody deploy. It is different from the IAM policy associated with the created CodeBuild project. For that IAM policy, refer to: