

# Create the CodePipeline service role
<a name="pipelines-create-service-role"></a>

When you create a pipeline, you create a service role or use an existing service role.

You can use the CodePipeline console or the AWS CLI to create a CodePipeline service role. A service role is required to create a pipeline, and the pipeline is always associated with that service role.

Before you create a pipeline with the AWS CLI, you must create a CodePipeline service role for your pipeline. For an example CloudFormation template with the service role and policy specified, see the tutorials in [Tutorial: Create a pipeline that uses variables from AWS CloudFormation deployment actions](tutorials-cloudformation-action.md).

The service role is not an AWS managed role. It is created initially for pipeline creation, and as new permissions are added to the service role policy, you may need to update the service role for your pipeline. After your pipeline is created with a service role, you cannot apply a different service role to that pipeline. Attach the recommended policy to the service role.

For more information about the service role, see [Manage the CodePipeline service role](how-to-custom-role.md).

# Create the CodePipeline service role (console)
<a name="pipelines-create-service-role-console"></a>

When you use the console to create a pipeline, you create the CodePipeline service role with the pipeline creation wizard.

1. Sign in to the AWS Management Console and open the CodePipeline console at [http://console.aws.amazon.com/codesuite/codepipeline/home](http://console.aws.amazon.com/codesuite/codepipeline/home).

   Choose **Create pipeline** and complete the **Step 1: Choose pipeline settings** page in the pipeline creation wizard.
   **Note**  
   After you create a pipeline, you cannot change its name. For information about other limitations, see [Quotas in AWS CodePipeline](limits.md).

1. In **Service role**, choose **New service role** to allow CodePipeline to create a new service role in IAM.

1. Complete the pipeline creation. Your pipeline service role is available to view in your list of IAM roles, and you can view the service role ARN associated with a pipeline by running the `get-pipeline` command with the AWS CLI.

# Create the CodePipeline service role (CLI)
<a name="pipelines-create-service-role-cli"></a>

Before you create a pipeline with the AWS CLI or CloudFormation, you must create a CodePipeline service role for your pipeline and attach the service role policy and the trust policy. To use the CLI to create your service role, use the steps below to first create a trust policy JSON and the role policy JSON as separate files in the directory where you will run the CLI commands.

**Note**  
We recommend that you allow only administrative users to create any service role. A person with permissions to create a role and attach any policy can escalate their own permissions. Instead, create a policy that allows them to create only the roles that they need or have an administrator create the service role on their behalf.

1. In a terminal window, enter the following command to create a file named `TrustPolicy.json`, where you will paste the trust policy JSON. This example uses VIM.

   ```
   vim TrustPolicy.json
   ```

1. Paste the following JSON into the file.

   ```
   {
       "Version":"2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": "codepipeline.amazonaws.com"
               },
               "Action": "sts:AssumeRole"
           }
       ]
   }
   ```

   To save and exit the file, enter the following VIM command:

   ```
   :wq
   ```

1. In a terminal window, enter the following command to create a file named `RolePolicy.json`, where you will paste the role policy JSON. This example uses VIM.

   ```
   vim RolePolicy.json
   ```

1. Paste the JSON policy into the file. Use the minimum service role policy as provided in [CodePipeline service role policy](how-to-custom-role.md#how-to-custom-role-policy). In addition, add the appropriate permissions to your service role based on the actions you plan to use. For a list of actions and a link to each action's required service role permissions, see [Add permissions to the CodePipeline service role](how-to-custom-role.md#how-to-update-role-new-services). 

   Make sure to scope down permissions as much as possible by scoping down to the resource level in the `Resource` field.

   To save and exit the file, enter the following VIM command:

   ```
   :wq
   ```

1. Enter the following command to create the role and attach the trust policy. The policy name format is normally the same as the role name format. This example uses the role name `MyRole` and the policy `TrustPolicy` that was created as a separate file.

   ```
   aws iam create-role --role-name MyRole --assume-role-policy-document file://TrustPolicy.json
   ```

1. Enter the following command to create the role policy and attach it to the role. The policy name format is normally the same as the role name format. This example uses the role name `MyRole` and the policy `RolePolicy` that was created as a separate file.

   ```
   aws iam put-role-policy --role-name MyRole --policy-name RolePolicy --policy-document file://RolePolicy.json
   ```

1. To view the created role name and trust policy, enter the following command for the role named `MyRole`:

   ```
   aws iam get-role --role-name MyRole
   ```

1. Use the service role ARN when you create your pipeline with the AWS CLI or CloudFormation. 
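
The following is an added example, not part of the AWS documentation or tooling: a pre-flight check you can run on the two policy documents before `create-role` and `put-role-policy`, confirming that the trust policy names only `codepipeline.amazonaws.com` and that the role policy follows the advice to scope the `Resource` field. The function names and the sample role policy (including the bucket name) are constructed for illustration.

```python
import json

EXPECTED_SERVICE = "codepipeline.amazonaws.com"  # principal from the page's trust policy

def as_list(value):
    """IAM JSON accepts a single value or a list for most elements."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def check_trust_policy(doc):
    """Flag Allow statements that let anything but CodePipeline assume the role."""
    findings = []
    for i, stmt in enumerate(as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        pairs = [("Principal", principal)] if not isinstance(principal, dict) else [
            (kind, v) for kind, vals in principal.items() for v in as_list(vals)]
        for kind, value in pairs:
            if (kind, value) != ("Service", EXPECTED_SERVICE):
                findings.append(f"trust[{i}]: unexpected principal {kind}={value}")
    return findings

def check_role_policy(doc):
    """Flag Allow statements with wildcard actions or an unscoped Resource.
    NotAction/NotResource are not evaluated here."""
    findings = []
    for i, stmt in enumerate(as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"role[{i}]: wildcard action {action}")
        if "*" in as_list(stmt.get("Resource")):
            findings.append(f"role[{i}]: Resource is '*', scope it to specific ARNs")
    return findings

# Trust policy exactly as shown in step 2 of the procedure.
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "codepipeline.amazonaws.com"}, "Action": "sts:AssumeRole"}]}""")

# Constructed sample role policy (bucket name is a placeholder, not from the page).
SAMPLE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-artifact-bucket/*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
]}

if __name__ == "__main__":
    for finding in check_trust_policy(TRUST_POLICY) + check_role_policy(SAMPLE_ROLE_POLICY):
        print(finding)
```

To check your own files, load `TrustPolicy.json` and `RolePolicy.json` with `json.load` and pass the results to the two functions; treat each finding as a statement to review before attaching the policy.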