InstanceAgent::CodeDeployPlugin::CommandPoller: Missing credentials – Debug / My Fix

I created a Policy and Launch Configuration according to this documentation

http://docs.aws.amazon.com/codedeploy/latest/userguide/how-to-create-service-role.html

However, I still received this error:

InstanceAgent::CodeDeployPlugin::CommandPoller: Missing credentials  - please check if this instance was started with an IAM instance profile

The problem lay somewhere in the configuration of how I set up and launched the server; however, I set about exploring the server to evaluate and confirm the ‘missing credentials’.

Using these checks I was able to confirm the reason behind these errors (and therefore the problem with actually deploying code):

First run this command to check to see what roles were ‘requested’

echo `wget http://169.254.169.254/latest/meta-data/iam/security-credentials/ -O - -q `

This command will return the list of roles that were given to your server, in my case:

MyRoleName

You can then extend the request: add the returned name on to the end of the URL to see the results of attempting to add the role. In my case the error was displayed:

{
 "Code" : "AssumeRoleUnauthorizedAccess",
 "Message" : "EC2 cannot assume the role MyRoleName. Please see documentation at http://docs.amazonwebservices.com/IAM/latest/UserGuide/RolesTroubleshooting.html.", 
 "LastUpdated" : "2015-02-17T04:38:25Z"
}

Basically, the EC2 was unable to assume the role MyRoleName; it did not have permission to assume a role. This could be due to the permissions of the development account that was used to start the Scaling Group which launched the EC2. To test this:

  • I log in with an administrator account
  • recreate the scaling group, identical
  • log in to the server
  • run the echo `wget http://169.254.169.254/latest/meta-data/iam/security-credentials/ -O - -q ` command

This didn’t do anything, so I thought I would look into the specifics of why we have a role that should be able to be assumed, but which has a message which explains that EC2 cannot assume the role.

So I looked back at the article http://docs.aws.amazon.com/codedeploy/latest/userguide/how-to-create-service-role.html and found somewhat of an anomaly: it seems that the article suggests that we build a trust relationship which gives the ‘codedeploy.us-west-2.amazonaws.com’ service the ability to use this policy. However, that does not jibe with the messages I see in the logs stating that EC2 is not able to assume the role. So I opened the trust relationship under the role and added the bolded line:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ec2.amazonaws.com",
          "codedeploy.us-east-1.amazonaws.com",
          "codedeploy.us-west-2.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Lo and behold, it worked. Now when I run the following I get a Success message:

echo `wget http://169.254.169.254/latest/meta-data/iam/security-credentials/MyRoleName -O - -q `

So, it turns out the problem is that the article is either incorrect or was written in order to give the CodeDeploy service the ability to work on EC2, but not to give the EC2 servers access to the CodeDeploy service. (The codedeploy.us-east-1 services are also required in order to give the deployment group the IAM role.)
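The two checks above as one script, added here as an example (it is not code from the original post): it classifies the metadata response without echoing the secret keys to the terminal, and tests whether a role's trust policy lets ec2.amazonaws.com assume it. The function names and the sample policy are constructed for illustration, and the session-token request is an assumption for instances that require IMDSv2.

```python
import json
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254/latest"

def imds_get(path, timeout=2):
    """GET a metadata path, requesting an IMDSv2 session token first (assumed setup)."""
    req = urllib.request.Request(IMDS + "/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    token = urllib.request.urlopen(req, timeout=timeout).read().decode()
    req = urllib.request.Request(IMDS + "/meta-data/" + path,
        headers={"X-aws-ec2-metadata-token": token})
    return urllib.request.urlopen(req, timeout=timeout).read().decode()

def credential_status(body):
    """Return (ok, detail) for a security-credentials/<role> body; never returns keys."""
    doc = json.loads(body)
    code = doc.get("Code", "")
    if code == "Success":
        return True, "credentials issued, expire " + doc.get("Expiration", "?")
    return False, code + ": " + doc.get("Message", "")

def as_list(value):
    return value if isinstance(value, list) else [value]

def ec2_can_assume(trust_policy):
    """True if an Allow statement lets ec2.amazonaws.com call sts:AssumeRole."""
    for st in as_list(trust_policy.get("Statement", [])):
        principal = st.get("Principal", {})
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (st.get("Effect") == "Allow"
                and "sts:AssumeRole" in as_list(st.get("Action", []))
                and "ec2.amazonaws.com" in services):
            return True
    return False

# Constructed sample: a trust policy naming only a CodeDeploy service principal.
CODEDEPLOY_ONLY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": ["codedeploy.us-west-2.amazonaws.com"]},
    "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print("sample policy lets EC2 assume the role:", ec2_can_assume(CODEDEPLOY_ONLY))
    try:
        roles = imds_get("iam/security-credentials/").split()
    except urllib.error.HTTPError as err:  # e.g. 404 when no instance profile is attached
        raise SystemExit("no role listed by the metadata service: HTTP %d" % err.code)
    for role in roles:
        ok, detail = credential_status(imds_get("iam/security-credentials/" + role))
        print(role, "OK" if ok else "FAILED", detail)
```

The trust-policy check looks only at the Service principal and the exact sts:AssumeRole action; it does not evaluate wildcards or Condition blocks.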

While it was difficult to find the solution, the troubleshooting steps above are useful to help identify related or other issues. I hope you find some use from the tools.

 

Michael Blood