Elastic Beanstalk S3 access via .ebextensions
I've figured it out and I feel a little bit silly for not picking this up sooner.
So for anyone that uses AWS::CloudFormation::Authentication
path, the solution of course is:
Make sure your BUCKET policy allows your aws-elasticbeanstalk-ec2-role. DOH!!
It should look something like this:
{
"Id": "Policy1111Blah",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1440Blah",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"arn:aws:iam::11111111111:role/aws-elasticbeanstalk-ec2-role"
]
}
}
]
}
You can grab the ARN from IAM console.
The instructions in your .ebextensions config files only tell the EB deploy tools what to use to authenticate, but your source bucket (if private obviously) needs to allow that principal access!!!
Related videos on Youtube
Strelok
Updated on September 18, 2022Comments
-
Strelok over 1 year
I have a simple file in my
.ebextensions
folder:00-myconfig.config
Resources: AWSEBAutoScalingGroup: Metadata: AWS::CloudFormation::Authentication: S3Access: type: S3 roleName: aws-elasticbeanstalk-ec2-role buckets: my-bucket files: "/tmp/ca-bundle.zip": mode: "000755" owner: root group: root source: https://s3-ap-southeast-2.amazonaws.com/my-bucket/ca/ca-bundle.zip authentication: S3Access
Which according to multiple answers is the way to grant S3 bucket access to the
aws-elasticbeanstalk-ec2-role
role.But I continue to get the 403 error in
/var/log/eb-activity.log
[2015-08-26T01:27:03.544Z] INFO [22320] - [Application update/AppDeployStage0/EbExtensionPreBuild/Infra-EmbeddedPreBuild] : Activity execution failed, because: Failed to retrieve https://s3-ap-southeast-2.amazonaws.com/my-bucket/ca/ca-bundle.zip: HTTP Error 403 : <?xml version="1.0" encoding="UTF-8"?> (ElasticBeanstalk::ExternalInvocationError)
If I manually add an S3 access policy to the
aws-elasticbeanstalk-ec2-role
role everything works, so I know I don't have misspellings in URLS or anything else, the EC2 instance is definitely in the correct role.What is wrong?
PS. I tried the
files
section with or without the 'authentication' setting.