skillZs
LIVE SKILL TAGS
>>> LIVE SKILLS INDEX <<<
* OPEN SOURCE *
NO LOGIN, NO TRACKING
REAL INSTALL DATA
← back to all skills
aws/agent-toolkit-for-aws267 installs

aws-deployment

Configures CI/CD pipelines using AWS CodePipeline, CodeBuild, CodeDeploy, CodeConnections, and CodeArtifact. Covers CodePipeline V2 (triggers, variables, execution modes, cross-account), buildspec.yml (caching, VPC, Docker), CodeDeploy strategies (blue/green, canary, linear), CodeArtifact (private package registries, auth tokens, cross-account), and source connections (GitHub, GitLab, Bitbucket). Applies when CodePipeline, CodeBuild, CodeDeploy, CodeConnections, CodeArtifact, buildspec.yml, appspec.yml, or CI/CD pipeline orchestration is referenced. Does NOT cover: ECS Fargate services or task definitions (use aws-containers), CDK Pipelines or cdk deploy (use aws-cdk), sam deploy (use aws-serverless), Amplify deployments (use aws-amplify), or GitHub Actions/GitLab CI.

How do I install this agent skill?

npx skills add https://github.com/aws/agent-toolkit-for-aws --skill aws-deployment
view source ↗

Is this agent skill safe to install?

  • Gen Agent Trust Hubpass

    This skill provides comprehensive technical documentation and configuration guidance for AWS CI/CD services. It emphasizes security best practices such as least-privilege IAM policies, secrets management via AWS Secrets Manager, and KMS encryption for artifacts. No security risks were identified.

  • Socketpass

    No alerts

  • Snykpass

    Risk: LOW · No issues

What does this agent skill do?

AWS Deploy (CI/CD)

Works best with the AWS MCP server for running CLI commands and validating configurations directly. All guidance also works with standard AWS CLI.

Critical Warnings

CodeConnections PENDING trap: Connections created via CLI/CloudFormation remain PENDING indefinitely — MUST complete OAuth in the AWS Console. No API-only path exists.

Cross-account triple requirement: Cross-account deploys need ALL THREE: (1) KMS key policy granting target account (use key ID, not alias), (2) S3 bucket policy for target account, (3) cross-account IAM role with trust policy. Missing any one = cryptic Access Denied.

CodeDeploy ApplicationStop uses PREVIOUS revision: Broken stop scripts in a prior deployment block ALL future deploys. Make stop scripts idempotent (exit 0 if service absent). Unblock with --ignore-application-stop-failures.

CodeBuild VPC without NAT: Builds in VPC subnets without NAT gateway hang at DOWNLOAD_SOURCE silently. Private subnets MUST have NAT gateway or VPC endpoints.

CodeConnections IAM: Use codeconnections: prefix for API calls and IAM policy Actions. Resource ARNs must match exactly — new resources use codeconnections prefix, existing resources may use codestar-connections prefix. Specify both in Resource if you have mixed-age resources.

UseConnection is over-permissive: codeconnections:UseConnection grants access to ALL repositories the connection can reach. MUST specify condition keys (codeconnections:FullRepositoryId, codeconnections:ProviderAction, codeconnections:BranchName) to limit CodeBuild to only the required repository.

How These Services Compose

CodeConnections → CodeBuild → CodeDeploy, orchestrated by CodePipeline.

LayerServiceRole
SourceCodeConnectionsAuthenticates to GitHub/GitLab/Bitbucket, delivers code
PackagesCodeArtifactPrivate package registry, dependency caching from public registries
Build/TestCodeBuildCompiles, tests, packages artifacts
DeployCodeDeployDeploys to EC2/ECS/Lambda with traffic shifting strategies
OrchestratorCodePipelineChains stages, manages transitions, approval gates

Default: V2 pipeline type with QUEUED execution mode. Use PARALLEL only when executions are fully independent.

Quick Navigation

You want to...Go to
Create a pipeline (V2, triggers, variables, modes)codepipeline.md
Connect GitHub/GitLab/Bitbucket sourcecodeconnections.md
Write buildspec.yml / configure buildscodebuild.md
Set up private package registry for buildscodeartifact.md
Configure deployment strategy (blue/green, canary)codedeploy.md
Cross-account or cross-region deploymentcodepipeline.md
Fix failing pipeline, build, or deploymenttroubleshooting.md

Common Workflows

TaskActionReference
Pipeline from GitHub to ECSCreate connection → CodeBuild Docker stage → CodeDeploy ECS blue/greencodepipeline, codedeploy
Pipeline stuck at sourceCheck connection status; if PENDING, complete OAuth in AWS Consoletroubleshooting
Build timing outCheck VPC/NAT, increase timeoutInMinutes, verify Docker privileged modecodebuild
Deploy to another accountConfigure KMS + S3 bucket policy + cross-account role, add RoleArn to actioncodepipeline
Roll back failed deploymentAuto-rollback on alarm/failure; manual: stop-deployment --auto-rollback-enabledcodedeploy
Lambda canary deploymentCodeBuild packages → CodeDeploy Lambda with canary traffic shiftingcodedeploy

Troubleshooting

Error/SymptomCauseFix
YAML_FILE_ERROR in CodeBuildMissing or malformed runtime-versions in buildspec (recommended for standard images)Add runtime-versions block in install phase
file already exists on CodeDeployRedeployment without overwrite configSet file_exists_behavior: OVERWRITE
Pipeline trigger not firingFile path filter checks only first 100 files in diffReduce path filter scope or merge smaller
PARALLEL mode wrong revisionRace between event and source actionUse QUEUED mode for sequential consistency
Docker: Cannot connect to daemonMissing privileged modeSet privilegedMode: true AND start dockerd in buildspec
CODEBUILD_CLONE_REF permission errorCodeBuild role missing UseConnectionAdd codeconnections:UseConnection to CodeBuild service role
Deployment never completesMinimumHealthyHosts too high for instance countEnsure healthy threshold < total instances
ECS deployment stuckHealth check failing on new task setVerify target group health check path/port

Security

  • MUST store secrets in Secrets Manager or Parameter Store; reference via CodeBuild type: SECRETS_MANAGER — MUST NOT embed in buildspec as PLAINTEXT
  • MUST use customer-managed KMS keys for cross-account artifact encryption (default encryption does not support cross-account)
  • SHOULD scope CodeBuild/CodeDeploy service roles to specific resource ARNs; MUST NOT use * for s3:GetObject or kms:Decrypt
  • MUST use CodeConnections (not personal access tokens) for source connections; OAuth tokens cannot be rotated automatically
  • See CodePipeline security best practices for comprehensive guidance

Not Covered

TopicUse instead
CDK Pipelines (aws-cdk-lib/pipelines)aws-cdk
sam deploy / SAM CLIaws-serverless
ECS service deployment config (circuit breaker, rolling params)aws-containers
GitHub Actions / GitLab CIThird-party tools, not covered

Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.

<a href="https://skillzs.dev/skills/aws/agent-toolkit-for-aws/aws-deployment">View aws-deployment on skillZs</a>