InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Missing credentials
F

8

44

I'm trying to deploy a GitHub project to an EC2 instance using AWS CodeDeploy. After following 2 video tutorials and a bunch of Google answers, I'm still getting the following error:

2017-02-01 12:20:08 INFO  [codedeploy-agent(1379)]: master 1379: Spawned child 1/1
2017-02-01 12:20:09 INFO  [codedeploy-agent(1383)]: On Premises config file does not exist or not readable
2017-02-01 12:20:09 INFO  [codedeploy-agent(1383)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandExecutor: Archives to retain is: 5}
2017-02-01 12:20:09 INFO  [codedeploy-agent(1383)]: Version file found in /opt/codedeploy-agent/.version.
2017-02-01 12:20:09 ERROR [codedeploy-agent(1383)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Missing credentials - please check if this instance was started with an IAM instance profile

I have two IAM roles:

  • CodeDeployInstanceRole
  • CodeDeployServiceRole

CodeDeployInstanceRole for the EC2 Instance

Policy Name: AmazonEC2RoleforAWSCodeDeploy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:ListObjects"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Policy Name: AutoScalingNotificationAccessRole

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Resource": "*",
        "Action": [
            "sqs:SendMessage",
            "sqs:GetQueueUrl",
            "sns:Publish"
        ]
      }
    ]
}

Trust Relationship

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codedeploy.amazonaws.com",
          "ec2.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

CodeDeployServiceRole for CodeDeploy

Policy Name: AWSCodeDeployRole

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CompleteLifecycleAction",
        "autoscaling:DeleteLifecycleHook",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:PutLifecycleHook",
        "autoscaling:RecordLifecycleActionHeartbeat",
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:EnableMetricsCollection",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribePolicies",
        "autoscaling:DescribeScheduledActions",
        "autoscaling:DescribeNotificationConfigurations",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "autoscaling:AttachLoadBalancers",
        "autoscaling:PutScalingPolicy",
        "autoscaling:PutScheduledUpdateGroupAction",
        "autoscaling:PutNotificationConfiguration",
        "autoscaling:PutLifecycleHook",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DeleteAutoScalingGroup",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:TerminateInstances",
        "tag:GetTags",
        "tag:GetResources",
        "sns:Publish",
        "cloudwatch:DescribeAlarms",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
      ],
      "Resource": "*"
    }
  ]
}

Trust Relationship

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codedeploy.amazonaws.com",
          "ec2.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

EC2 Instance

I spin my own image that I have created based on Debian so I have NodeJS already installed. When I spin the new instance I also paste the following code in the User data text area to make sure CodeDeploy is installed.

#!/bin/bash -x

REGION=$(curl 169.254.169.254/latest/meta-data/placement/availability-zone/ | sed 's/[a-z]$//') &&

sudo apt-get update -y &&

sudo apt-get install -y python-pip &&

sudo apt-get install -y ruby &&

sudo apt-get install -y wget &&

cd /home/admin &&

wget https://aws-codedeploy-$REGION.s3.amazonaws.com/latest/install &&

chmod +x ./install &&

sudo ./install auto &&

sudo apt-get remove -y wget &&

sudo service codedeploy-agent start

Debugging

If I log in to the EC2 instance that I have created and execute the following command:

echo $(curl http://169.254.169.254/latest/meta-data/iam/security-credentials/)

I get the following response: CodeDeployInstanceRole

When I then execute

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/CodeDeployInstanceRole

I get the following response

{
  "Code" : "Success",
  "LastUpdated" : "2017-02-01T12:38:07Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "THE_KEY",
  "SecretAccessKey" : "SECRET",
  "Token" : "TOKEN",
  "Expiration" : "2017-02-01T19:08:43Z"
}

On GitHub I see that CodeDeploy never accesses my repo even when I select deployment using GitHub, I set the right repo name, and commit ID.


Question

What am I missing?

Farahfarand answered 2/2, 2017 at 8:30 Comment(0)
F
4

Turns out that by default Debian doesn't have curl installed. Installing curl before making the curl request to get the region the server is running on was the missing part in the Bash script.

Farahfarand answered 27/5, 2017 at 12:54 Comment(2)
That's good that you found the solution. I am also facing the same issue, could you be so kind and share your steps so I can compare what I am missing. I am using CodeDeploy, BitBucket and AWS EC2 instance and following medium.com/@asoheili/… - Bismuthinite
Sure, check what I wrote here: github.com/0x4447/… - I did dump all that I learned in that article. I hope it will help you out. - Farahfarand
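Added example (not part of the original answer or the asker's script): the user data in the question assigns REGION from a `curl | sed` pipeline, whose exit status is sed's, so a missing curl does not stop the `&&` chain. The sketch contrasts that with a variant that checks for curl and validates the zone before building the installer URL; the function names are hypothetical and the zone pattern assumes standard names such as eu-west-1a.

```bash
#!/bin/bash
# Added example: function names are hypothetical, test inputs are constructed.
IMDS_AZ=http://169.254.169.254/latest/meta-data/placement/availability-zone

# Pattern from the question: REGION=$(curl ... | sed ...) && next-step
# A pipeline reports the exit status of its LAST command, so with curl
# missing, sed still exits 0, REGION is empty and the && chain carries on.
masked_status() {
  REGION=$(curl-is-not-installed-here 2>/dev/null | sed 's/[a-z]$//')
  echo "$?"
}

# Derive the region only from a well-formed zone name (eu-west-1a -> eu-west-1).
region_from_az() {
  case $1 in
    *[!a-z0-9-]*) ;;   # newline, markup or other junk is never a zone name
    *) if printf '%s\n' "$1" | grep -Eq '^[a-z]{2}(-[a-z]+)+-[0-9]+[a-z]$'; then
         printf '%s\n' "${1%?}"; return 0
       fi ;;
  esac
  echo "unexpected availability zone: '$1'" >&2
  return 1
}

# Build the installer URL used in the question from a validated region.
installer_url() {
  region=$(region_from_az "$1") || return 1
  printf 'https://aws-codedeploy-%s.s3.amazonaws.com/latest/install\n' "$region"
}

# No pipeline here: a missing or failing curl is the function's own status.
fetch_az() {
  command -v curl >/dev/null 2>&1 || { echo "curl is not installed" >&2; return 1; }
  curl -fsS -m 5 "$IMDS_AZ"
}

# Run with "--run" on an instance to print the URL the installer would use.
if [ "${1:-}" = "--run" ]; then
  az=$(fetch_az) || exit 1
  installer_url "$az" || exit 1
fi
```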
P
84

I ran into the same issue. Briefly what caused the problem:

  • Launch an instance WITHOUT any roles attached to it
  • Then install a codedeploy-agent on that machine
  • Only lastly attach an IAM role to the machine

Result: I get the error: Missing credentials - please check if this instance was started with an IAM instance profile

Solution: restart the codedeploy agent. Use:

sudo service codedeploy-agent restart

The error should be gone now!

Pendulous answered 5/4, 2018 at 11:55 Comment(4)
I did the exact same thing and this fixed it. - Chou
This worked for me. I had not attached IAM while creating the instance. I added it later on. So this restart worked for me. - Butterandeggs
How do you attach an IAM role to a machine? - Shirl
This fixed my issue. Plus seems like codedeploy-agent only looks for "appspec.yml" file and not "appspec.yaml". - Royer
O
25

I was getting the "please check if this instance was started with an IAM instance profile" error. To check whether your instance was launched without an IAM profile, go to AWS console -> your instance -> check the "IAM role" value in the Description tab. If it's empty, then you have launched the instance without an IAM role, and here is what to do to solve the issue:

  1. Go to IAM console -> Roles -> Create new role

    Select AWS Service -> EC2 -> Next: Permissions (don't change anything) -> Next: Tags -> Next: Review -> Give the name and click Create role.

  2. Go to AWS EC2 console -> select instance -> Actions -> Instance settings -> Attach/replace IAM role -> Select IAM role you just created

  3. Restart codedeploy agent: sudo service codedeploy-agent restart

  4. Try to deploy again and it should work

Obrien answered 27/4, 2020 at 13:38 Comment(0)
L
3

The instance role permissions look good to me. But the IAM instance profile was added only the first time, when the instance was launched. Could you make sure the instance's role had the right permissions before launching the instances?

Lobule answered 21/4, 2017 at 23:18 Comment(2)
Could you be so kind, and tell me how to do that? Or point to a link where it shows how to do that, so we can be sure that I'm checking the right way :) - Farahfarand
When we launch an EC2 instance, we are asked to provide an "IAM role" on the page "Step 3: Configure Instance Details". The IAM role provided here is the one I referred to; it might not have enough permissions. Example settings are here: docs.aws.amazon.com/codedeploy/latest/userguide/… - Lobule
C
3

Detach the profile from EC2 and then attach it back (Actions -> Security). Finally restart the agent with

sudo service codedeploy-agent restart

My case is slightly different from other answers. My profile looks correct and it has the correct policy. And the EC2 is attached to the role - at least that's what I see in the AWS console.

The root cause is that the EC2 does not have a correct profile with it due to some regeneration of the same-name profile role. This can be confirmed with curl http://169.254.169.254/latest/meta-data/iam/info

A 404 means something is wrong.

Cercus answered 3/2, 2023 at 8:21 Comment(0)
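Added example (not from any of the answers): the checks the answers above perform by hand, combined into one decision over the `iam/info` status, the credentials document and the agent log. The function names and result labels are hypothetical, and treating the "Spawned child" line as the agent-start marker is an assumption based on the log in the question.

```bash
#!/bin/bash
# Added example: function names and result labels are hypothetical.
IMDS=http://169.254.169.254/latest/meta-data/iam
AGENT_LOG=/var/log/aws/codedeploy-agent/codedeploy-agent.log

# Has the agent reported missing credentials since it last started?
# Assumes the "Spawned child" line from the question's log marks a start.
agent_lacks_credentials() {
  awk '/Spawned child/ { miss = 0 }
       /Missing credentials/ { miss = 1 }
       END { exit !miss }' "$1"
}

# diagnose <iam/info HTTP status> <credentials JSON> <agent log> [now, UTC]
diagnose() {
  status=$1 creds=$2 log=$3 now=${4:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
  case $status in
    200) ;;
    404) echo attach-instance-profile; return ;;  # no profile bound to the instance
    401) echo imds-requires-token; return ;;      # IMDSv2 enforced, tokenless request refused
    *)   echo imds-unreachable; return ;;
  esac
  code=$(printf '%s\n' "$creds" | sed -n 's/.*"Code" *: *"\([^"]*\)".*/\1/p')
  expiry=$(printf '%s\n' "$creds" | sed -n 's/.*"Expiration" *: *"\([^"]*\)".*/\1/p')
  if [ "$code" != Success ] || [ -z "$expiry" ]; then
    echo credentials-not-issued; return
  fi
  # Same-format UTC timestamps sort lexically, so a string compare is enough.
  if [ "$(expr "$expiry" \< "$now")" = 1 ]; then
    echo credentials-expired; return
  fi
  if agent_lacks_credentials "$log"; then
    echo restart-agent   # IMDS serves credentials, yet this agent run logged them missing
  else
    echo ok
  fi
}

# On an instance: feed the live IMDS answers and the agent log to diagnose.
probe() {
  status=$(curl -s -m 2 -o /dev/null -w '%{http_code}' "$IMDS/info")
  role=$(curl -s -m 2 "$IMDS/security-credentials/")
  creds=$(curl -s -m 2 "$IMDS/security-credentials/$role")
  diagnose "$status" "$creds" "$AGENT_LOG"
}

if [ "${1:-}" = "--run" ]; then probe; fi
```

Run it with `--run` on the instance; reading the agent log may require sudo.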
R
1

In my case I had to restart the Code Deploy Agent:

sudo systemctl restart codedeploy-agent

Also, I had to rename my deployment spec from "appspec.yaml" to "appspec.yml", seems like the agent only looks for .yml extension -- btw I found this error after I looked into /var/log/aws/codedeploy-agent/codedeploy-agent.log log file

$ tail /var/log/aws/codedeploy-agent/codedeploy-agent.log
2023-05-27T08:08:35 WARN  [codedeploy-agent(8830)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Calling PutHostCommandComplete: "Code Error" 
2023-05-27T08:08:35 INFO  [codedeploy-agent(8830)]: Version file found in /opt/codedeploy-agent/.version with agent version OFFICIAL_1.6.0-49_rpm.
2023-05-27T08:08:35 INFO  [codedeploy-agent(8830)]: [Aws::CodeDeployCommand::Client 200 0.033923 0 retries] put_host_command_complete(command_status:"Failed",diagnostics:{format:"JSON",payload:"{\"error_code\":5,\"script_name\":\"\",\"message\":\"The CodeDeploy agent did not find an AppSpec file within the unpacked revision directory at revision-relative path \\\"appspec.yml\\\". The revision was unpacked to directory \\\"/opt/codedeploy-agent/deployment-root/f5518867-7740-4ce5-b65d-0931a6b26e66/d-THOQCJXLO/deployment-archive\\\", and the AppSpec file was expected but not found at path \\\"/opt/codedeploy-agent/deployment-root/f5518867-7740-4ce5-b65d-0931a6b26e66/d-THOQCJXLO/deployment-archive/appspec.yml\\\". Consult the AWS CodeDeploy Appspec documentation for more information at http://docs.aws.amazon.com/codedeploy/latest/userguide/reference-appspec-file.html\",\"log\":\"\"}"}
Royer answered 27/5, 2023 at 8:17 Comment(0)
A
0

This is what worked for me in 2021 on Ubuntu 16.04

Upgrade from Python 3.5.2 to 3.6

https://www.rosehosting.com/blog/how-to-install-python-3-6-on-ubuntu-16-04/ with sudo ...

cd /opt
wget https://www.python.org/ftp/python/3.6.3/Python-3.6.3.tgz
tar -xvf Python-3.6.3.tgz
cd Python-3.6.3
./configure
apt-get install zlib1g-dev
make
make install

Install latest version of aws cli v1

cd ~
curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
unzip awscli-bundle.zip
sudo ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws

Modify Instance Metadata

https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-metadata-options.html

aws ec2 modify-instance-metadata-options \
  --instance-id ${FOO_ID} \
  --http-tokens optional \
  --http-endpoint enabled

Install the CodeDeploy agent for Ubuntu Server

https://docs.aws.amazon.com/codedeploy/latest/userguide/codedeploy-agent-operations-install-ubuntu.html

sudo apt-get update
sudo apt-get install ruby
sudo apt-get install wget
cd /home/ubuntu
wget https://aws-codedeploy-us-west-2.s3.us-west-2.amazonaws.com/latest/install
chmod +x ./install
sudo ./install auto
sudo service codedeploy-agent restart
sudo service codedeploy-agent status

To view deployment log files on Amazon Linux, RHEL, and Ubuntu Server instances

https://docs.aws.amazon.com/codedeploy/latest/userguide/deployments-view-logs.html

tail -f /var/log/aws/codedeploy-agent/codedeploy-agent.log
tail -f /opt/codedeploy-agent/deployment-root/deployment-logs/codedeploy-agent-deployments.log
Asiatic answered 24/2, 2021 at 17:40 Comment(0)
T
0

I just attached the following policies to the EC2 instance:

  • AmazonEC2FullAccess
  • AmazonEC2RoleforAWSCodeDeploy
  • AmazonCodeDeployFullAccess

I then stopped the instance and started it again.

Troup answered 3/6, 2024 at 10:0 Comment(0)
