Commit 06ad424

Document the necessary IAM permissions
1 parent 46359e5 commit 06ad424

1 file changed

+39
-13
lines changed

README.md

Lines changed: 39 additions & 13 deletions
@@ -109,19 +109,45 @@ The only addition made will be that the `revision` parameter for `CreateDeployme
109109

110110
## Usage
111111

112-
0. The basic CodeDeploy setup, including the creation of Service Roles, IAM credentials with sufficient permissions and installation of the
113-
CodeDeploy Agent on your target hosts is outside the scope of this action. Follow [the documentation](https://docs.aws.amazon.com/codedeploy/latest/userguide/getting-started-codedeploy.html).
114-
1. [Create a CodeDeploy Application](https://docs.aws.amazon.com/codedeploy/latest/userguide/applications-create.html) that corresponds to your
115-
repository. By default, this action will assume your application is named by the "short" repository name (so, `myapp` for a `myorg/myapp` GitHub
116-
repository), but you can also pass the application name as an input to the action.
117-
2. Connect your CodeDeploy Application with your repository following [these instructions](https://docs.aws.amazon.com/codedeploy/latest/userguide/deployments-create-cli-github.html).
118-
3. Configure the [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) action in your workflow and
119-
provide the necessary IAM credentials as secrets.
120-
4. Add the `branch_config` section to your `appspec.yml` file to map branches to Deployment Groups and their configuration. In the above example, the
121-
`master` and `.*` sub-sections show the minimal configuration required.
122-
5. Add `uses: webfactory/[email protected]` as a step to your workflow file. If you want to use the action's outputs, you
123-
will also need to provide an `id` for the step.
124-
112+
0. The basic CodeDeploy setup, including the creation of Service Roles, IAM credentials with sufficient permissions and installation of the CodeDeploy Agent on your target hosts is outside the scope of this action. Follow [the documentation](https://docs.aws.amazon.com/codedeploy/latest/userguide/getting-started-codedeploy.html).
113+
1. [Create a CodeDeploy Application](https://docs.aws.amazon.com/codedeploy/latest/userguide/applications-create.html) that corresponds to your repository. By default, this action will assume your application is named by the "short" repository name (so, `myapp` for a `myorg/myapp` GitHub repository), but you can also pass the application name as an input to the action.
114+
2. Connect your CodeDeploy Application with your repository following [these instructions(https://docs.aws.amazon.com/codedeploy/latest/userguide/deployments-create-cli-github.html).
115+
3. Configure the [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) action in your workflow and provide the necessary IAM credentials as secrets. See the section below for the necessary IAM permissions.
116+
4. Add the `branch_config` section to your `appspec.yml` file to map branches to Deployment Groups and their configuration. In the above example, the `master` and `.*` sub-sections show the minimal configuration required.
117+
5. Add `uses: webfactory/[email protected]` as a step to your workflow file. If you want to use the action's outputs, you will also need to provide an `id` for the step.
118+
119+
### AWS IAM Permissions
120+
121+
The IAM User that is used to run the action requires the following IAM permissions. Note that depending on your policies you might want to specify narrower Resource ARNs, that is, more specifically tailor the permission to one particular repository and/or application.
122+
123+
```json
124+
{
125+
"Version": "2012-10-17",
126+
"Statement": [
127+
{
128+
"Sid": "VisualEditor0",
129+
"Effect": "Allow",
130+
"Action": [
131+
"iam:PassRole",
132+
"codedeploy:GetDeployment",
133+
"codedeploy:GetApplicationRevision",
134+
"codedeploy:CreateDeployment",
135+
"codedeploy:RegisterApplicationRevision",
136+
"codedeploy:GetDeploymentConfig",
137+
"codedeploy:UpdateDeploymentGroup",
138+
"codedeploy:CreateDeploymentGroup"
139+
],
140+
"Resource": [
141+
"arn:aws:iam::{your_account_id}:role/{your_codedeploy_service_role}",
142+
"arn:aws:codedeploy:eu-central-1:{your_account_id}:deploymentconfig:*",
143+
"arn:aws:codedeploy:eu-central-1:{your_account_id}:deploymentgroup:*/*",
144+
"arn:aws:codedeploy:eu-central-1:{your_account_id}:application:*"
145+
]
146+
}
147+
]
148+
}
149+
```
150+
125151
## Action Input and Output Parameters
126152

127153
### Input
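Review bot: new line 114 drops the closing bracket of the link, `[these instructions(https://docs.aws.amazon.com/codedeploy/latest/userguide/deployments-create-cli-github.html)`, which the removed line 117 still had, so the rendered README will show a literal `[` and a bare URL instead of a link; restore `[these instructions](...)`. In the added IAM policy the Resource ARNs hard-code `eu-central-1` while the account ID and service role are `{placeholder}` values; either make the region a placeholder as well or state in the paragraph above the policy that it has to be replaced, because a user deploying in any other region will have every `codedeploy:*` call denied by this policy. Since `iam:PassRole` shares one Resource list with the CodeDeploy actions, consider moving it into its own statement scoped only to the service-role ARN and adding a `Condition` with `iam:PassedToService` equal to `codedeploy.amazonaws.com`, so the workflow credentials cannot pass that role to any other service. Minor: the `Sid` `VisualEditor0` is console residue and could carry a descriptive name, and the text says "IAM User" although the same policy can be attached to an IAM role that configure-aws-credentials assumes, which avoids storing long-lived access keys as secrets.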
