How to codedeploy appspec.yml runas ubuntu user


AWS CodeDeploy is used for a simple WordPress application. I installed the AWS codedeploy-agent on Ubuntu 20.04 with the help of the script below.

#!/bin/bash
# Build the CodeDeploy agent from source (it is a Ruby application)
apt update
apt install ruby -y
gem install bundler
git clone https://github.com/aws/aws-codedeploy-agent.git /opt/codedeploy-agent
# The agent tree is owned by root; only the init script needs to be executable
sudo chown -R root.root /opt/codedeploy-agent
sudo chmod 644 /opt/codedeploy-agent/conf/codedeployagent.yml
sudo chmod 755 /opt/codedeploy-agent/init.d/codedeploy-agent
sudo chmod 644 /opt/codedeploy-agent/init.d/codedeploy-agent.service
cd /opt/codedeploy-agent
bundle install --system
rake clean && rake
# Install the SysV init script; systemd generates a unit for it on daemon-reload
cp /opt/codedeploy-agent/init.d/codedeploy-agent /etc/init.d/
systemctl daemon-reload
systemctl start codedeploy-agent
systemctl enable codedeploy-agent

I'm using the appspec.yml below for code deployment. It's working fine with runas: root.

Questions:

  1. How do I run it as the ubuntu user?
  2. Is there any issue with running it as the root user?

appspec.yml file:

version: 0.0
os: linux
files:
  - source: /
    destination: /var/www/html/
    overwrite: true
hooks:
  BeforeInstall:
    - location: scripts/before_install.sh
      timeout: 300
      runas: root
  AfterInstall:
    - location: scripts/setup_environment.sh
      timeout: 300
      runas: root
    - location: scripts/after_install.sh
      timeout: 900
      runas: root
  ApplicationStart:
    - location: scripts/start_server.sh
      timeout: 300
  ApplicationStop:
    - location: scripts/stop_server.sh
      timeout: 300
  ValidateService:
    - location: scripts/validate_service.sh
      timeout: 300

With runas: ubuntu I get the error below.

Error code: ScriptFailed
Script name: scripts/setup_environment.sh
Message: Script at specified location: scripts/setup_environment.sh run as user ubuntu failed with exit code 4
LifecycleEvent - AfterInstall
Script - scripts/setup_environment.sh
[stderr]shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
[stderr]shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
[stderr]/opt/codedeploy-agent/deployment-root/44d6390b-485e-87ef-b50855bbf251/d-D0RTN7AR5/deployment-archive/scripts/setup_environment.sh: line 4: /var/www/html/.env: Permission denied
[stderr]sed: couldn't open temporary file /var/www/html/scripts/seTwGZAv: Permission denied

There are 2 answers

2
amsh On

As the appspec.yml file and scripts are managed by you, there isn't any security issue with running your script as root. What you'll write is what you'll get.

While using any non-root user, it is important to give that user all the required permissions. In most cases you will have to use sudo before each command and make sure your user is added to sudoers.

You need to make sure that:

  1. Your git is secure from any unauthorized changes.
  2. CodeDeploy is only accessible to trusted resources.

If these two things are checked, there's no way any anomalous command can run on your system.

0
Marcin On

If you run it as the ubuntu user it will not work due to the lack of permissions, which is what you are experiencing:

couldn't open temporary file /var/www/html/scripts/seTwGZAv: Permission denied

The reason is that /var/www/html/ is not accessible by the ubuntu user. To make it work you would have to change its default permissions, which is a bad practice.

Some things have to be executed as root, unless you want to start changing the default configuration and permission model of the Ubuntu operating system.
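A least-privilege way to answer the original question, added here as an example (it is not the poster's script nor code from either answer): keep one BeforeInstall hook under runas: root that hands the destination directory to the deploy user, so the AfterInstall hooks can switch to runas: ubuntu without putting sudo in front of every line. The user name, group name, the 2750/0640 modes and the check_can_write helper are assumptions for a WordPress tree the web server only needs to read; LIFECYCLE_EVENT is the variable CodeDeploy exports to every hook.

```shell
#!/bin/bash
# Hypothetical scripts/before_install.sh, intended to run with runas: root.
set -eu

DEPLOY_USER="${DEPLOY_USER:-ubuntu}"   # user named in runas: for the later hooks (assumed)
WEB_GROUP="${WEB_GROUP:-www-data}"     # group the web server process runs as (assumed)
DEST="${DEST:-/var/www/html}"          # destination from the appspec files: section

# prepare_destination DIR USER GROUP
# Creates DIR, makes USER its owner and GROUP its group, and sets the setgid bit
# on directories so files the deploy user writes later (.env, sed's temp files)
# inherit GROUP and stay readable by the web server without being world-writable.
prepare_destination() {
  local dir="$1" user="$2" group="$3"
  mkdir -p "$dir"
  chown -R "$user:$group" "$dir"
  find "$dir" -type d -exec chmod 2750 {} +   # rwxr-s---
  find "$dir" -type f -exec chmod 0640 {} +   # rw-r-----
}

# check_can_write DIR: returns 0 if the current user can create a file in DIR, else 1.
# Call it first in the runas: ubuntu hooks so a permission problem surfaces as a
# readable message instead of "exit code 4" from sed or a redirect.
check_can_write() {
  local dir="$1" probe
  [ -d "$dir" ] || { echo "check_can_write: $dir does not exist" >&2; return 1; }
  probe=$(mktemp "$dir/.probe.XXXXXX" 2>/dev/null) || {
    echo "check_can_write: $(id -un) cannot write to $dir" >&2; return 1; }
  rm -f "$probe"
}

# CodeDeploy sets LIFECYCLE_EVENT when it runs a hook; outside the agent
# (for instance when this file is sourced by a test) nothing below runs.
if [ -n "${LIFECYCLE_EVENT:-}" ]; then
  # The getcwd errors in the question mean the hook started in a directory that
  # no longer exists; move somewhere real before touching anything.
  cd /
  prepare_destination "$DEST" "$DEPLOY_USER" "$WEB_GROUP"
fi
```

The AfterInstall scripts then start with check_can_write "$DEST" and can write .env or run sed -i as the ubuntu user, while nothing in the web root becomes writable by other accounts.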