I'm following the tutorial found here to use an on-premise server with CodeDeploy. I'm a little confused by the first couple of steps. When I'm creating a role for the on-premise server to assume, what should I choose as the service that will use this role (in the console)? I do understand what policy the role should have, allowing the actions s3:Get and s3:List for all resources. To provide additional info, I want to use the aws-codedeploy-session-helper tool to periodically refresh the session credentials for me, and the policy for the IAM user this tool uses is as follows:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:CreateUser",
                "iam:DeleteAccessKey",
                "iam:DeleteUser",
                "iam:DeleteUserPolicy",
                "iam:ListAccessKeys",
                "iam:ListUserPolicies",
                "iam:PutUserPolicy",
                "iam:GetUser",
                "iam:AddRoleToInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:CreateRole",
                "iam:DeleteInstanceProfile",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:GetInstanceProfile",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListInstanceProfilesForRole",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:RemoveRoleFromInstanceProfile",
                "autoscaling:*",
                "codedeploy:*",
                "ec2:*",
                "lambda:*",
                "elasticloadbalancing:*",
                "s3:*"
            ],
            "Resource": "*"
        }
    ]
}
You would need to allow the on-premise server to call the STS AssumeRole API, so the service should be "STS":
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::<ACCOUNT-ID>:role/<ROLENAME>"
    }
}
Then, in the IAM role, add a trust policy for the server:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<ACCOUNT-ID>:user/<USER-NAME>"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
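The two documents in the answer, generated and checked in code, as an added example that is not part of the question, the answer, or the aws-codedeploy-session-helper project. It builds the user's sts:AssumeRole policy and the role's trust policy from an account ID, role name and user name (all constructed placeholders), flags a policy that allows AssumeRole on Resource "*" or grants whole-service wildcards like "s3:*" on everything, lists the principals a trust policy admits, and runs one refresh cycle of the kind the helper performs against an injectable STS client. FakeSTS is an offline stand-in with boto3's assume_role signature, so nothing here calls AWS; where the CodeDeploy agent reads the resulting credentials file from is an assumption left to deployment.

```python
import configparser
import io
from datetime import datetime, timedelta, timezone

# Constructed placeholders, not values from the page.
ACCOUNT_ID = "123456789012"
ROLE_NAME = "CodeDeployOnPremRole"
USER_NAME = "codedeploy-session-user"

def role_arn(account_id, role_name):
    return f"arn:aws:iam::{account_id}:role/{role_name}"

def user_arn(account_id, user_name):
    return f"arn:aws:iam::{account_id}:user/{user_name}"

def user_assume_policy(account_id, role_name):
    """Permission policy for the IAM user the session helper runs as:
    sts:AssumeRole only, and only on the one on-premises role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Resource": role_arn(account_id, role_name)}]}

def role_trust_policy(account_id, user_name):
    """Trust policy on the role: that IAM user is the only principal that may assume it."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": user_arn(account_id, user_name)},
                           "Action": "sts:AssumeRole"}]}

def _as_list(value):
    # IAM allows a single string or a list in Statement/Action/Resource/Principal.AWS.
    return value if isinstance(value, list) else [value]

def _allow_statements(policy):
    return [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]

def assume_role_findings(policy):
    """Flag Allow statements that grant sts:AssumeRole on every role (Resource '*')."""
    findings = []
    for s in _allow_statements(policy):
        actions = _as_list(s.get("Action", []))
        if any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions) \
                and "*" in _as_list(s.get("Resource", [])):
            findings.append("sts:AssumeRole allowed on Resource '*'")
    return findings

def wildcard_service_grants(policy):
    """Return the '<service>:*' actions granted on Resource '*', e.g. 's3:*' or 'ec2:*'."""
    found = set()
    for s in _allow_statements(policy):
        if "*" in _as_list(s.get("Resource", [])):
            found.update(a for a in _as_list(s.get("Action", [])) if a.endswith(":*"))
    return sorted(found)

def trusted_principals(trust_policy):
    """Return the AWS principals a trust policy lets call sts:AssumeRole."""
    principals = set()
    for s in _allow_statements(trust_policy):
        if "sts:AssumeRole" not in _as_list(s.get("Action", [])):
            continue
        principal = s.get("Principal", {})
        if principal == "*":
            principals.add("*")
        else:
            principals.update(_as_list(principal.get("AWS", [])))
    return principals

def refresh_session_credentials(sts_client, arn, session_name, duration_seconds=3600):
    """One refresh cycle: call AssumeRole and render the temporary credentials as an
    AWS shared-credentials file (profile 'default'). sts_client is anything with
    boto3's STS.assume_role signature, so a fake works offline. The file path the
    CodeDeploy agent reads is a deployment detail not shown here (assumption)."""
    resp = sts_client.assume_role(RoleArn=arn, RoleSessionName=session_name,
                                  DurationSeconds=duration_seconds)
    creds = resp["Credentials"]
    cfg = configparser.ConfigParser()
    cfg["default"] = {"aws_access_key_id": creds["AccessKeyId"],
                      "aws_secret_access_key": creds["SecretAccessKey"],
                      "aws_session_token": creds["SessionToken"]}
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue(), creds["Expiration"]

class FakeSTS:
    """Offline stand-in for boto3's STS client, constructed for this example."""
    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        expiry = datetime.now(timezone.utc) + timedelta(seconds=kwargs["DurationSeconds"])
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLEKEYID",
                                "SecretAccessKey": "examplesecret",
                                "SessionToken": "exampletoken",
                                "Expiration": expiry}}
```

Run `assume_role_findings` and `wildcard_service_grants` against the helper policy posted in the question to see which grants are broader than the answer's single-role sts:AssumeRole statement; the returned Expiration is what a real refresh loop would schedule its next AssumeRole call before.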