amazon-web-servicesgithubamazon-ec2amazon-iamaws-code-deploy

InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Missing credentials


I'm trying to deploy a GitHub project to a EC2 Instance using AWS CodeDeploy. After following 2 video tutorials an a bunch of Google answer, I'm still getting the following error:

2017-02-01 12:20:08 INFO  [codedeploy-agent(1379)]: master 1379: Spawned child 1/1
2017-02-01 12:20:09 INFO  [codedeploy-agent(1383)]: On Premises config file does not exist or not readable
2017-02-01 12:20:09 INFO  [codedeploy-agent(1383)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandExecutor: Archives to retain is: 5}
2017-02-01 12:20:09 INFO  [codedeploy-agent(1383)]: Version file found in /opt/codedeploy-agent/.version.
2017-02-01 12:20:09 ERROR [codedeploy-agent(1383)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Missing credentials - please check if this instance was started with an IAM instance profile

I have two IAM:

CodeDeployInstanceRole for the EC2 Instance

Policy Name: AmazonEC2RoleforAWSCodeDeploy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:ListObjects"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Policy Name: AutoScalingNotificationAccessRole

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Resource": "*",
        "Action": [
            "sqs:SendMessage",
            "sqs:GetQueueUrl",
            "sns:Publish"
        ]
      }
    ]
}

Trust Relationship

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codedeploy.amazonaws.com",
          "ec2.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

CodeDeployServiceRole for CodeDeploy

Policy Name: AWSCodeDeployRole

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CompleteLifecycleAction",
        "autoscaling:DeleteLifecycleHook",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:PutLifecycleHook",
        "autoscaling:RecordLifecycleActionHeartbeat",
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:EnableMetricsCollection",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribePolicies",
        "autoscaling:DescribeScheduledActions",
        "autoscaling:DescribeNotificationConfigurations",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "autoscaling:AttachLoadBalancers",
        "autoscaling:PutScalingPolicy",
        "autoscaling:PutScheduledUpdateGroupAction",
        "autoscaling:PutNotificationConfiguration",
        "autoscaling:PutLifecycleHook",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DeleteAutoScalingGroup",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:TerminateInstances",
        "tag:GetTags",
        "tag:GetResources",
        "sns:Publish",
        "cloudwatch:DescribeAlarms",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
      ],
      "Resource": "*"
    }
  ]
}

Trust Relationship

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codedeploy.amazonaws.com",
          "ec2.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

EC2 Instance

I spin my own image that I have created based on Debian so I have NodeJS already installed. When I spin the new instance I also paste the following code in the User data text area to make sure CodeDeploy is installed.

#!/bin/bash -x

REGION=$(curl 169.254.169.254/latest/meta-data/placement/availability-zone/ | sed 's/[a-z]$//') &&

sudo apt-get update -y &&

sudo apt-get install -y python-pip &&

sudo apt-get install -y ruby &&

sudo apt-get install -y wget &&

cd /home/admin &&

wget https://aws-codedeploy-$REGION.s3.amazonaws.com/latest/install &&

chmod +x ./install &&

sudo ./install auto &&

sudo apt-get remove -y wget &&

sudo service codedeploy-agent start

Debugging

If I log in in the EC2 instance that I have create, and execute the following command:

echo $(curl http://169.254.169.254/latest/meta-data/iam/security-credentials/)

I get the following response CodeDeployInstanceRole

When I then execute

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/CodeDeployInstanceRole

I get the following response

{
  "Code" : "Success",
  "LastUpdated" : "2017-02-01T12:38:07Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "THE_KEY",
  "SecretAccessKey" : "SECRET",
  "Token" : "TOKEN",
  "Expiration" : "2017-02-01T19:08:43Z"
}

On GitHub I see that CodeDeploy never accesses my repo even when I select deployment using GitHub, I set the right repo name, and commit ID.

enter image description here

Question

What am I missing?


Solution

  • Turns out that by default Debian doesn't have curl installed. Installing curl before making the curl request to get the region the server is running on was the missing part in the Bash script.