Elastic Beanstalk S3 access via .ebextensions


I've figured it out and I feel a little bit silly for not picking this up sooner.

So for anyone that uses AWS::CloudFormation::Authentication path, the solution of course is:

Make sure your BUCKET policy allows your aws-elasticbeanstalk-ec2-role. DOH!!

It should look something like this:

{
    "Id": "Policy1111Blah",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1440Blah",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::11111111111:role/aws-elasticbeanstalk-ec2-role"
                ]
            }
        }
    ]
}

You can grab the ARN from IAM console.

The instructions in your .ebextensions config files only tell the EB deploy tools what to use to authenticate, but your source bucket (if private obviously) needs to allow that principal access!!!
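As an added example (not code from the original answer), here is a small Python evaluator that checks whether a bucket policy like the one above actually grants a given role principal a given action on a given object ARN, which is the question to ask before blaming the .ebextensions file. The role ARN and object key are the ones from this thread; it implements the explicit-Deny-wins / any-Allow logic for string-or-list Principal, Action and Resource fields and, as an assumption, ignores Condition, NotPrincipal, NotAction and NotResource, so a False result is reliable and a True result is necessary but not sufficient.

```python
import fnmatch

# Constructed copy of the answer's bucket policy, role ARN and fetched object.
ROLE_ARN = "arn:aws:iam::11111111111:role/aws-elasticbeanstalk-ec2-role"
OBJECT_ARN = "arn:aws:s3:::my-bucket/ca/ca-bundle.zip"
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1440Blah", "Effect": "Allow", "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::my-bucket/*", "Principal": {"AWS": [ROLE_ARN]},
    }],
}

def _as_list(value):
    """IAM allows Principal.AWS, Action and Resource to be a string or a list."""
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, role_arn):
    # "Principal": "*" or {"AWS": "*"} is anonymous access: it matches the role
    # but also everyone else, so it is worth flagging separately.
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return any(p in ("*", role_arn) for p in _as_list(aws))

def policy_allows(policy, role_arn, action, resource_arn):
    """Simplified evaluation: an explicit Deny wins, otherwise any matching
    Allow grants access. Condition, NotPrincipal, NotAction and NotResource
    are ignored (assumption), so a False result is reliable, a True is not."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if not _principal_matches(stmt.get("Principal", {}), role_arn):
            continue
        # Action names match case-insensitively, with * and ? wildcards.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        # Resource ARNs are case-sensitive (S3 keys are too).
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed

def eb_role_can_fetch_bundle(policy=BUCKET_POLICY):
    """The check from the answer: may the EB instance role GetObject the bundle?"""
    return policy_allows(policy, ROLE_ARN, "s3:GetObject", OBJECT_ARN)
```

Run it against the policy you actually have attached to the bucket (e.g. the JSON from the console) before changing the .ebextensions file; the same 403 appears whether the principal, the action or the resource path is the mismatch.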

Author: Strelok

Updated on September 18, 2022

Comments

  • Strelok
    Strelok over 1 year

    I have a simple file in my .ebextensions folder:

    00-myconfig.config

    Resources:
        AWSEBAutoScalingGroup:
            Metadata:
                AWS::CloudFormation::Authentication:
                    S3Access:
                        type: S3
                        roleName: aws-elasticbeanstalk-ec2-role
                        buckets: my-bucket
    files:
        "/tmp/ca-bundle.zip":
            mode: "000755"
            owner: root
            group: root
            source: https://s3-ap-southeast-2.amazonaws.com/my-bucket/ca/ca-bundle.zip
            authentication: S3Access
    

    Which according to multiple answers is the way to grant S3 bucket access to the aws-elasticbeanstalk-ec2-role role.

    But I continue to get the 403 error in /var/log/eb-activity.log

    [2015-08-26T01:27:03.544Z] INFO  [22320] - [Application update/AppDeployStage0/EbExtensionPreBuild/Infra-EmbeddedPreBuild] : Activity execution failed, because: Failed to retrieve https://s3-ap-southeast-2.amazonaws.com/my-bucket/ca/ca-bundle.zip: HTTP Error 403 : <?xml version="1.0" encoding="UTF-8"?> (ElasticBeanstalk::ExternalInvocationError)
    

    If I manually add an S3 access policy to the aws-elasticbeanstalk-ec2-role role, everything works, so I know I don't have misspellings in URLs or anything else; the EC2 instance is definitely in the correct role.

    What is wrong?

    PS. I tried the files section with or without the 'authentication' setting.