Question:
I am trying to add trust relationships to allow codedeploy to work for my role
I have the following JSON:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": ["ec2.amazonaws.com", "codedeploy.amazonaws.com"]
      },
      "Action": [
        "sts:AssumeRole",
        "codedeploy:GetApplication",
        "codedeploy:GetDeploymentGroup",
        "codedeploy:CreateDeployment",
        "codedeploy:GetDeployment"
      ]
    }
  ]
}
```
I keep getting the following error
Answer:
You are mixing two different concepts in the policy: trust relationship and IAM actions.
You need to have two different policies, one for the IAM Role, like:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
and another for the IAM Policy, like:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codedeploy:GetApplication",
        "codedeploy:GetDeploymentGroup",
        "codedeploy:CreateDeployment",
        "codedeploy:GetDeployment"
      ],
      "Resource": "*"
    }
  ]
}
```
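A way to make the distinction the answer draws mechanical, as an added example (not code from the question or the answer): the script below takes the mixed document from the question, splits it into the trust policy and the identity-based permissions policy that IAM will actually accept, and lints each for the fields IAM rejects. IAM refuses a Principal in an identity-based policy, a Resource in a role trust policy, and non-STS actions in a trust policy, so each of those shows up in the lint output for the original document. The functions `split_policy`, `lint_trust_policy` and `lint_permissions_policy`, and the embedded `MIXED_POLICY` sample, are this example's own; the default Resource of "*" is a placeholder to scope down before the policy is attached.

```python
"""Tell a role trust policy apart from an identity-based permissions policy.

Added example, not code from the question or the answer above. It splits the
question's mixed document into the two documents IAM accepts and lints each
for the fields IAM rejects: a Principal in an identity-based policy, a
Resource or a non-STS action in a trust policy, a missing Resource in a
permissions policy.
"""
from __future__ import annotations

import json
from typing import Any

# Constructed sample input: the single mixed statement from the question.
MIXED_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": ["ec2.amazonaws.com", "codedeploy.amazonaws.com"]},
            "Action": [
                "sts:AssumeRole",
                "codedeploy:GetApplication",
                "codedeploy:GetDeploymentGroup",
                "codedeploy:CreateDeployment",
                "codedeploy:GetDeployment",
            ],
        }
    ],
}


def _as_list(value: Any) -> list:
    """IAM lets Action/Resource/Statement be a string or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_sts(action: str) -> bool:
    return action.lower().startswith("sts:")


def split_policy(doc: dict, resource: str = "*") -> tuple[dict, dict]:
    """Return (trust_policy, permissions_policy) built from a mixed document.

    The trust policy keeps Principal and the sts:* actions (what goes into
    `aws iam create-role --assume-role-policy-document`). The permissions
    policy keeps the remaining actions, drops Principal, and gets a Resource,
    which identity-based policies require. `resource` defaults to "*" only as
    a placeholder (assumption of this example); scope it to real ARNs.
    """
    trust_stmts, perm_stmts = [], []
    for stmt in _as_list(doc.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        sts_actions = [a for a in actions if _is_sts(a)]
        other_actions = [a for a in actions if not _is_sts(a)]
        effect = stmt.get("Effect", "Allow")
        if sts_actions and "Principal" in stmt:
            trust_stmts.append(
                {"Effect": effect, "Principal": stmt["Principal"], "Action": sts_actions}
            )
        if other_actions:
            perm_stmts.append(
                {"Effect": effect, "Action": other_actions,
                 "Resource": stmt.get("Resource", resource)}
            )
    version = doc.get("Version", "2012-10-17")
    return ({"Version": version, "Statement": trust_stmts},
            {"Version": version, "Statement": perm_stmts})


def lint_trust_policy(doc: dict) -> list[str]:
    """Problems IAM reports for a role's AssumeRolePolicyDocument."""
    problems = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if "Principal" not in stmt and "NotPrincipal" not in stmt:
            problems.append(f"statement {i}: trust policy must name a Principal")
        if "Resource" in stmt or "NotResource" in stmt:
            problems.append(f"statement {i}: Resource is a prohibited field in a trust policy")
        bad = [a for a in _as_list(stmt.get("Action")) if not _is_sts(a)]
        if bad:
            problems.append(f"statement {i}: only sts:* actions belong in a trust policy, got {bad}")
    return problems


def lint_permissions_policy(doc: dict) -> list[str]:
    """Problems IAM reports for an identity-based (role/user/group) policy,
    plus a least-privilege warning for a wildcard Resource."""
    problems = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if "Principal" in stmt or "NotPrincipal" in stmt:
            problems.append(f"statement {i}: Principal is a prohibited field in an identity-based policy")
        if "Resource" not in stmt and "NotResource" not in stmt:
            problems.append(f"statement {i}: identity-based policy statements need a Resource")
        if "*" in _as_list(stmt.get("Resource")) and stmt.get("Effect", "Allow") == "Allow":
            problems.append(f"statement {i}: Resource \"*\" allows the actions on every resource; scope it")
    return problems


if __name__ == "__main__":
    trust, perms = split_policy(MIXED_POLICY)
    print("trust policy:", json.dumps(trust, indent=2))
    print("permissions policy:", json.dumps(perms, indent=2))
    print("mixed document linted as a trust policy:", lint_trust_policy(MIXED_POLICY))
    print("mixed document linted as a permissions policy:", lint_permissions_policy(MIXED_POLICY))
```

The trust document is what `aws iam create-role --assume-role-policy-document file://trust.json` takes, and the permissions document is what `aws iam put-role-policy --policy-document file://perms.json` attaches. One caveat on the permissions side: the `codedeploy:*` actions in the question are what a caller (for example a CI user) needs in order to start and inspect deployments; the role that codedeploy.amazonaws.com assumes needs permissions to act on your instances instead (AWS publishes the AWSCodeDeployRole managed policy for that), and the instance profile role trusted by ec2.amazonaws.com needs to read the deployment bundle from S3.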