September 27, 2018

LAB 9 - AWS CI CD - IAM - Creating CodeDeploy Group & User

  1. In this lab, we will create an IAM user under a new IAM group. This user will be used from here on in this demo to access the AWS CI/CD services (AWS CodeCommit, AWS CodeBuild, AWS CodeDeploy and AWS CodePipeline), both programmatically and through the AWS Console.

  2. Log in to the AWS Console as the root user, go to IAM -> Users and enter the details as follows to create codedeploy_user with a custom password, which you can use later to log in via the IAM console.
    [Note: Uncheck the "Require password reset" option if you do not want to set a new password at the next sign-in.]
  3. Next, in the Permissions screen, create a group named codedeploy_group and open its Permissions tab to attach policies.
  4. Attach the following AWS managed policies:
    AWSCodeCommitFullAccess
    IAMSelfManageServiceSpecificCredentials
    CloudWatchFullAccess
    AWSCodeDeployFullAccess
    IAMReadOnlyAccess
    AWSCodePipelineFullAccess
    AWSCodeBuildAdminAccess
  5. Then add an inline custom policy with the following hand-picked permissions (note that every action string must be exact, with no surrounding whitespace):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1537596486000",
                "Effect": "Allow",
                "Action": [
                    "iam:CreateRole",
                    "iam:AttachRolePolicy",
                    "iam:CreatePolicy",
                    "iam:CreatePolicyVersion",
                    "iam:DeletePolicy",
                    "iam:DeletePolicyVersion",
                    "iam:PutRolePolicy",
                    "events:PutRule",
                    "events:PutTargets",
                    "cloudformation:DescribeStackEvents",
                    "cloudformation:GetStackPolicy",
                    "cloudformation:DeleteStack",
                    "apigateway:GET"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:PutObjectAcl",
                    "s3:GetObject",
                    "s3:GetObjectAcl",
                    "s3:DeleteObject"
                ],
                "Resource": "arn:aws:s3:::demo-4-codedeploy/*"
            }
        ]
    }

  6. Note that the following three policies are required for CodeCommit, as stated in the prerequisites section of "Connect to your repository"; the remaining policies are required for the respective services.
    AWSCodeCommitFullAccess
    IAMSelfManageServiceSpecificCredentials
    IAMReadOnlyAccess
    Note: This gives access to all repositories in your CodeCommit account. If you want to restrict access, you need to write custom policies. The same applies to every service where unrestricted access is granted.
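As an added example (not part of the original lab), the following Python script embeds a copy of the inline policy from step 5 and lints it before it is uploaded. It flags any action string with surrounding whitespace (a string such as "cloudformation:DeleteStack " with a trailing space does not name the real action, so at best the grant does nothing and at worst the document is rejected), any action not of the form service:Action, and any Allow statement that grants IAM role/policy write actions on Resource "*", which is exactly the unrestricted-access case the note above says should be narrowed with custom policies. The policy copy and the BROAD_IAM_WRITE set are the example's own constructions; only the standard library is used.

```python
import json
import re

# Copy of the lab's inline policy (constructed for this example). The trailing
# space in "cloudformation:DeleteStack " is kept deliberately so the linter has
# something to catch.
LAB_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1537596486000",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole", "iam:AttachRolePolicy", "iam:CreatePolicy",
                "iam:CreatePolicyVersion", "iam:DeletePolicy", "iam:DeletePolicyVersion",
                "iam:PutRolePolicy", "events:PutRule", "events:PutTargets",
                "cloudformation:DescribeStackEvents", "cloudformation:GetStackPolicy",
                "cloudformation:DeleteStack ",  # trailing space as it appears on the page
                "apigateway:GET",
            ],
            "Resource": ["*"],
        },
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject",
                       "s3:GetObjectAcl", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::demo-4-codedeploy/*",
        },
    ],
}

# Shape of a well-formed IAM action: lowercase service prefix, colon, action name (wildcards allowed).
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")

# IAM write actions that, when allowed on Resource "*", let the principal create or
# change roles and policies account-wide. Chosen for this example; extend as needed.
BROAD_IAM_WRITE = {
    "iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:CreatePolicy", "iam:CreatePolicyVersion",
}


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of (statement_index, message) findings for the policy document."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action != action.strip():
                findings.append((i, f"action {action!r} has surrounding whitespace"))
            elif not ACTION_RE.match(action):
                findings.append((i, f"action {action!r} is not of the form service:Action"))
        if stmt.get("Effect") == "Allow" and "*" in resources:
            iam_write = sorted(BROAD_IAM_WRITE & {a.strip() for a in actions})
            if iam_write:
                findings.append((i, "IAM write actions on Resource '*': " + ", ".join(iam_write)))
    return findings


def fix_policy(policy):
    """Return a deep copy with whitespace stripped from every action string."""
    fixed = json.loads(json.dumps(policy))
    for stmt in fixed["Statement"]:
        stmt["Action"] = [a.strip() for a in _as_list(stmt["Action"])]
    return fixed


if __name__ == "__main__":
    for idx, msg in lint_policy(LAB_INLINE_POLICY):
        print(f"statement {idx}: {msg}")
    # Write the cleaned document so it can be uploaded with
    # aws iam put-group-policy --group-name codedeploy_group --policy-name codedeploy_inline --policy-document file://policy.json
    with open("policy.json", "w") as fh:
        json.dump(fix_policy(LAB_INLINE_POLICY), fh, indent=4)
```

Run against the lab policy, the linter reports two findings on the first statement: the whitespace in the DeleteStack action and the IAM write actions granted on every resource. fix_policy() clears the first; the second is a design decision, and the remedy is the one the note above already gives: scope the Resource element to the specific role and policy ARNs this pipeline needs.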

  7. Now add codedeploy_user to codedeploy_group.
  8. Then make sure to download the user's credentials, as this is the last time you will be able to view them; otherwise you will have to regenerate the access keys later.

  9. Go back to the user codedeploy_user and create Git credentials for this user under "HTTPS Git credentials for AWS CodeCommit".
  10. Click the Generate button and download the credentials.
