
Setting directory owner and permission with appspec.yml through Amazon Web Service CodeDeploy


I'm deploying a Node.js application through Codeship using the CodeDeploy AWS deployment system.

I am making use of the appspec.yml file to set the owner and permissions of one of the deployed directories.

I want to allow read/write for any files that will be created in a specified folder of the deployment. Files will be created by the web application once it starts running.

Currently my appspec.yml contains the following:

version: 0.0
os: linux
files:
  - source: /
    destination: /var/www/APPLICATION_NAME
permissions:
  - object: /var/www/APPLICATION_NAME/tmpfiles
    mode: 644
    owner: ec2-user
    type:
      - directory

Solution

If you have Access Control Lists (ACLs) enabled on your filesystem, you can use default ACLs on your directory to allow read/write permissions for owner/group/others on newly created files in that directory.

AWS CodeDeploy lets you specify ACLs for your files in appspec.yml. It can take any valid ACL entries that can be passed to setfacl [1].

For example, in your case, to set read, write and execute permission for everyone on all newly created files you can do something like:

version: 0.0
os: linux
files:
  - source: /
    destination: /var/www/APPLICATION_NAME
permissions:
  - object: /var/www/APPLICATION_NAME/tmpfiles
    mode: 644
    acls:
      - "d:u::rwx"
      - "d:g::rwx"
      - "d:o::rwx"
    owner: ec2-user
    type:
      - directory

The permissions can be restricted by the application that creates the new files. You can also set a default ACL mask to set mask bits to force certain permissions. For example, "d:m::rw" would mask the execute permission. You can explore more about ACLs and masking here: http://www.vanemery.com/Linux/ACL/POSIX_ACL_on_Linux.html

[1] http://linux.die.net/man/1/setfacl
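An added example in Python (not from the question, the answer, or AWS CodeDeploy) that parses setfacl-style entries of the form the answer uses, applies the POSIX ACL mask the answer mentions, and audits the permission block for two things a reviewer would check before shipping it: whether the default ACL leaves every new file world-writable (`d:o::rwx` does) and whether `mode: 644` on a directory leaves any execute bit at all. The `APPSPEC_PERMISSION` dict is a constructed copy of the answer's YAML so the script runs without a YAML library; `/var/www/APPLICATION_NAME` is the question's placeholder path. Note that the mask caps named users, the owning group and named groups, but never the owner (`u::`) or the `other` entry, so `d:m::rw` alone does not strip execute from `d:o::rwx`.

```python
"""Parse and audit setfacl-style ACL entries of the kind appspec.yml accepts.

Added example, not code from the question, the answer or AWS CodeDeploy.
"""
import re
from typing import Dict, List, Set

# Constructed copy of the answer's `permissions` entry as a Python dict.
APPSPEC_PERMISSION = {
    "object": "/var/www/APPLICATION_NAME/tmpfiles",  # placeholder from the question
    "mode": "644",
    "acls": ["d:u::rwx", "d:g::rwx", "d:o::rwx"],
    "owner": "ec2-user",
    "type": ["directory"],
}

# Tag spellings setfacl(1) accepts in an ACL entry.
_TAGS = {"u": "user", "user": "user", "g": "group", "group": "group",
         "o": "other", "other": "other", "m": "mask", "mask": "mask"}


def parse_perms(text: str) -> Set[str]:
    """Turn 'rwx', 'r-x', '-' or a single octal digit such as '6' into a bit set."""
    if text in ("", "-"):
        return set()
    if re.fullmatch(r"[0-7]", text):
        value = int(text)
        return {bit for bit, flag in (("r", 4), ("w", 2), ("x", 1)) if value & flag}
    if not re.fullmatch(r"[rwx-]{1,3}", text):
        raise ValueError(f"bad permission string {text!r}")
    return set(text) - {"-"}


def parse_acl_entry(entry: str) -> Dict:
    """Parse '[d[efault]:]tag:[qualifier][:perms]' into its components."""
    parts = entry.split(":")
    default = parts[0] in ("d", "default")
    if default:
        parts = parts[1:]
    if not 2 <= len(parts) <= 3 or parts[0] not in _TAGS:
        raise ValueError(f"malformed ACL entry {entry!r}")
    tag, qualifier = _TAGS[parts[0]], parts[1]
    if tag in ("other", "mask") and qualifier:
        raise ValueError(f"{tag} entries take no qualifier: {entry!r}")
    perms = parse_perms(parts[2]) if len(parts) == 3 else set()
    return {"default": default, "tag": tag, "qualifier": qualifier, "perms": perms}


def effective_permissions(entries: List[str]) -> Dict[str, Set[str]]:
    """Apply the POSIX ACL mask to one ACL (all access or all default entries).

    The mask caps named users, the owning group and named groups; it never
    touches the owner entry (u::) or the other entry (o::).
    """
    parsed = [parse_acl_entry(e) for e in entries]
    mask = next((p["perms"] for p in parsed if p["tag"] == "mask"), None)
    effective: Dict[str, Set[str]] = {}
    for p in parsed:
        if p["tag"] == "mask":
            continue
        key = p["tag"] + (":" + p["qualifier"] if p["qualifier"] else "")
        perms = set(p["perms"])
        in_group_class = p["tag"] == "group" or (p["tag"] == "user" and p["qualifier"])
        if mask is not None and in_group_class:
            perms &= mask
        effective[key] = perms
    return effective


def audit_permission(permission: Dict) -> List[str]:
    """Return findings a reviewer of an appspec.yml permissions entry would raise."""
    findings: List[str] = []
    is_dir = "directory" in permission.get("type", [])
    mode = int(str(permission["mode"]), 8)
    if is_dir and not mode & 0o111:
        findings.append(f"mode {permission['mode']} on a directory has no execute bit "
                        "for anyone, so the directory cannot be traversed")
    acls = permission.get("acls", [])
    defaults = [e for e in acls if parse_acl_entry(e)["default"]]
    if is_dir and acls and not defaults:
        findings.append("only access ACL entries given; new files will not inherit them")
    if "w" in effective_permissions(defaults).get("other", set()):
        findings.append("default ACL grants write to other: every file the "
                        "application creates will be world-writable")
    return findings


if __name__ == "__main__":
    for finding in audit_permission(APPSPEC_PERMISSION):
        print("finding:", finding)
```

Run it against the answer's block and it reports both issues; tighten the `d:o::` entry (or drop it) and give the directory an execute bit in `mode` to clear them, then re-run.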