Tags: linux, amazon-ec2, aws-code-deploy

Issue running Linux AWS CodeDeploy agent in non-root context


I am using AWS CodeDeploy to deploy code to our AWS Amazon Linux instances. I followed this knowledge base article https://aws.amazon.com/premiumsupport/knowledge-center/codedeploy-agent-non-root-profile/ to have the agent execute in the ec2-user context instead of root.

Before making the change, the script in the yml file executed as expected (but we need the script to execute in a non-root context), and setting the runas: part of the appspec.yml file did not seem to execute the script in the ec2-user context as expected.

appspec.yml:

version: 0.0
os: linux
files:
  - source: /
    destination: /home/ec2-user/veddor/api
    owner: ec2-user
hooks:
    AfterInstall:
      - location: deploy/script/deploy-veddor-api.sh
        timeout: 300
        runas: ec2-user

Since making the change, this error now shows up rather than executing the script specified in the appspec file:

LifecycleEvent - AfterInstall
Script - deploy/script/deploy-veddor-api.sh
[stderr]Password: su: Authentication failure

Contents of deploy-veddor-api.sh:

#!/bin/bash
# Abort on the first failing command so a half-finished deploy is reported, not ignored
set -e
# Select the environment-specific config for this instance
cp /home/ec2-user/veddor/api/deploy/config/Config-roddev.php /home/ec2-user/veddor/api/app/config/Config.php
cd /home/ec2-user/veddor/api
chmod +x ./composer.phar
# Install PHP dependencies as the deploying user
php ./composer.phar install

I am looking for help to figure out what I need to do to get the script deploy-veddor-api.sh to actually run in the ec2-user context.


Solution

  • You may be running the AWS CodeDeploy Agent as a non-root user. Only root will have the ability to have a runas user in your AfterInstall hook, as no other user account can run the substitute user "su" command without password authentication.

    Check out the details for "runas" in AWS' appspec user guide:

    https://docs.aws.amazon.com/codedeploy/latest/userguide/reference-appspec-file-structure-hooks.html

    runas Optional. The user to impersonate when running the script. By default, this is the AWS CodeDeploy agent running on the instance. AWS CodeDeploy does not store passwords, so the user cannot be impersonated if the runas user needs a password. This element applies to Amazon Linux and Ubuntu Server instances only.

    If you are already running the CodeDeploy Agent as ec2-user, then you do not need to supply the runas element in your AfterInstall hook.
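To catch this mismatch before a deployment fails with "su: Authentication failure", here is an added pre-flight check (example code, not from the question, the answer, or the CodeDeploy agent): it lists the runas users in an appspec.yml and compares them with the user the agent process actually runs as. It assumes the agent process is named codedeploy-agent and the hook layout shown in the question.

```bash
#!/bin/bash
# Pre-flight check: does this appspec.yml ask the CodeDeploy agent to "su" to a
# user it cannot become without a password? (Added example; assumptions noted.)

# User owning the running codedeploy-agent process; empty if ps or the agent is absent.
agent_user() {
  command -v ps >/dev/null 2>&1 || return 0
  ps -eo user=,args= | awk '/codedeploy-agent/ && !/awk/ { print $1; exit }'
}

# Distinct "runas:" values in an appspec file (one per line).
runas_users() {
  grep -E '^[[:space:]]*runas:' "$1" | awk '{ print $2 }' | sort -u
}

# Returns 0 when every runas user is reachable from the agent user without a
# password: root may su to anyone; any other agent user can only act as itself.
# Returns 1 (and prints a warning) when a hook would trigger a password prompt.
check_runas() {
  local appspec="$1" agent="$2" status=0 u
  for u in $(runas_users "$appspec"); do
    if [ "$agent" = "root" ]; then
      continue
    elif [ "$agent" = "$u" ]; then
      echo "note: runas '$u' is redundant; the agent already runs as '$agent'" >&2
    else
      echo "WARNING: hook runas '$u' but agent runs as '$agent';" \
           "su will prompt for a password and the hook will fail" >&2
      status=1
    fi
  done
  return $status
}

# Usage: ./check-runas.sh path/to/appspec.yml  (checks against the live agent user)
if [ -n "${1:-}" ]; then
  detected=$(agent_user)
  check_runas "$1" "${detected:-unknown}"
fi
```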