We're struggling to get the CodeDeploy plugin configured properly.
We have an Elastic Beanstalk application tied to an S3 bucket. We created an IAM policy with the following:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:PutObject"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codedeploy:*"
      ],
      "Resource": "arn:aws:s3:::<S3 Bucket Reference Per Instructions>"
    },
    {
      "Sid": "<Statement ID Autogenerated>",
      "Effect": "Allow",
      "Action": [
        "autoscaling:CompleteLifecycleAction",
        "autoscaling:DeleteLifecycleHook",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:PutLifecycleHook",
        "autoscaling:RecordLifecycleActionHeartbeat"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
The policy has the following Trust Relationships:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AWS Account ID Per Instructions>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<Connection ID Per Instructions>"
        }
      }
    }
  ]
}
```
We have selected the proper AWS Region.
When we attempt to Save and Continue, we either get an error like "Please check you have entered the correct ARN and the role has sufficient permissions" OR a server error. Nothing shows up in the server logs, so we're guessing no connection was actually made to the server.
Any help would be greatly appreciated!
I believe the problem lies with the codedeploy Resource in your IAM policy.
```json
{
  "Effect": "Allow",
  "Action": [
    "codedeploy:*"
  ],
  "Resource": "arn:aws:s3:::<S3 Bucket Reference Per Instructions>"
},
```
I tried setting Resource to my S3 bucket and I receive the same error. Various attempts at limiting Resource to one S3 bucket failed. The add-on needs the s3:ListAllMyBuckets action on arn:aws:s3:::* because it displays all buckets in a dropdown as the last configuration step. (AWS CodeDeploy might also need access to other resources like EC2 but this is just a guess.)
If you want to limit access, the following policy worked for me. Although the add-on can list all your buckets, you can limit s3:ListBucket, s3:PutObject, s3:GetObject, and s3:DeleteObject to the bucket for your CodeDeploy project.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<S3 Bucket Reference Per Instructions>"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::<S3 Bucket Reference Per Instructions>/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codedeploy:*"
      ],
      "Resource": "*"
    }
  ]
}
```
That did the trick! Thanks so much, Tom! You're a life saver!
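The failure Tom diagnosed is a general one: an Allow statement whose Resource ARN belongs to a different service than the action (here `codedeploy:*` scoped to an `arn:aws:s3:::` ARN) can never match anything, and IAM gives no warning. The working policy also relies on the bucket/object distinction in S3 ARNs: `s3:ListBucket` on the bare bucket ARN, object actions on `bucket/*`. The script below is an added example, not code from the add-on, from AWS, or from either poster; it lints the three policy documents from this thread offline, placeholders left exactly as posted, and also checks that the role's trust policy gates `sts:AssumeRole` on `sts:ExternalId` (the confused-deputy guard the add-on's connection ID provides). The `S3_OBJECT_ACTIONS` / `S3_BUCKET_ACTIONS` sets are a hand-picked subset covering only the actions used in the thread, not a complete table of S3 actions.

```python
"""Offline lint for the IAM policy documents posted in this thread.

Added example: not code from the Bitbucket CodeDeploy add-on, AWS, or the
posters. Policies are copied from the thread with placeholders unchanged.
"""

# Hand-picked subset (assumption): only the S3 actions the thread uses.
S3_OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}
S3_BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}


def _as_list(value):
    """IAM accepts either a string or a list for Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def arn_service(arn):
    """Service field of arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    return parts[2] if len(parts) > 2 else None


def lint_policy(policy):
    """Return a list of findings (strings) for one identity-based policy."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            action_service = action.split(":", 1)[0]
            for res in _as_list(stmt.get("Resource", [])):
                if res == "*" or action_service == "*":
                    continue  # unscoped; nothing to cross-check
                svc = arn_service(res)
                if svc != action_service:
                    findings.append(f"statement {idx}: {action} is scoped to "
                                    f"{res} (an {svc} ARN) and can never match")
                    continue
                # From here the action and ARN are both S3; the text after
                # 'arn:aws:s3:::' is 'bucket' or 'bucket/key-pattern'.
                path = res.split(":::", 1)[-1]
                if action in S3_OBJECT_ACTIONS and "/" not in path:
                    findings.append(f"statement {idx}: {action} needs "
                                    f"bucket/* but got {res}")
                if action in S3_BUCKET_ACTIONS and "/" in path:
                    findings.append(f"statement {idx}: {action} needs the "
                                    f"bare bucket ARN but got {res}")
    return findings


def trust_requires_external_id(trust_policy):
    """True if every Allow sts:AssumeRole grant is gated on sts:ExternalId."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            return False
    return True


BUCKET = "arn:aws:s3:::<S3 Bucket Reference Per Instructions>"

# Policy from the question: codedeploy:* is scoped to an S3 ARN.
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:PutObject"],
     "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["codedeploy:*"], "Resource": BUCKET},
    {"Sid": "<Statement ID Autogenerated>", "Effect": "Allow",
     "Action": ["autoscaling:CompleteLifecycleAction",
                "autoscaling:DeleteLifecycleHook",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLifecycleHooks",
                "autoscaling:PutLifecycleHook",
                "autoscaling:RecordLifecycleActionHeartbeat"],
     "Resource": ["*"]}]}

# Policy from the answer: bucket-scoped S3, unscoped codedeploy.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET]},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": [BUCKET + "/*"]},
    {"Effect": "Allow", "Action": ["codedeploy:*"], "Resource": "*"}]}

# Trust policy from the question.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::<AWS Account ID Per Instructions>:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "<Connection ID Per Instructions>"}}}]}

if __name__ == "__main__":
    for name, pol in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, lint_policy(pol) or "no findings")
    print("trust policy requires ExternalId:", trust_requires_external_id(TRUST_POLICY))
```

Running it reports one finding for the question's policy (the `codedeploy:*` statement scoped to an S3 ARN) and none for Tom's. The lint is deliberately narrow: it says nothing about whether the permissions are sufficient for the add-on, only whether a scoped statement can match at all and whether S3 ARNs are in the right form. For the sufficiency question, `aws iam simulate-principal-policy` against the real role is the authoritative check.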