aws-elastic-beanstalk-cli
Create necessary default instance profiles.
The first creation of an eb environment fails due to aws-elasticbeanstalk-ec2-role not being created (I had never created an environment via the console).
"The instance profile aws-elasticbeanstalk-ec2-role associated with the environment does not exist."
The current solution is creating this manually or creating an instance in aws console, which creates this profile. You can then re-run the eb create statement again. Should the cli create this profile automatically exactly as the console does?
Thanks for reporting this @mickeysox. We will look into this and post any updates to this issue.
I just ran into this issue as well myself. I have tried configuring the AWS command with aws configure twice now. Once with an Administrator IAM role, and once with my actual Root account. Neither worked.
> eb create prod
WARNING: Insufficient IAM privileges. Unable to determine if instance profile 'aws-elasticbeanstalk-ec2-role' exists, assuming that it exists.
Creating application version archive "app-8514-200505_110544".
Uploading seamless_cloud/app-8514-200505_110544.zip to S3. This may take a while.
Upload Complete.
Environment details for: prod
Application name: seamless_cloud
Region: us-east-2
Deployed Version: app-8514-200505_110544
Environment ID: e-drxupkcbmb
Platform: arn:aws:elasticbeanstalk:us-east-2::platform/Docker running on 64bit Amazon Linux/2.15.0
Tier: WebServer-Standard-1.0
CNAME: UNKNOWN
Updated: 2020-05-05 16:05:50.892000+00:00
Printing Status:
2020-05-05 16:05:49 INFO createEnvironment is starting.
2020-05-05 16:05:51 INFO Using elasticbeanstalk-us-east-2-647611292946 as Amazon S3 storage bucket for environment data.
2020-05-05 16:05:52 ERROR Unable to assign role. Please verify that you have permission to pass this role: aws-elasticbeanstalk-service-role.
2020-05-05 16:05:52 ERROR Failed to launch environment.
I am using a Docker-based flow. I am also getting this error as well, which may be related:
> eb create prod
ERROR: NotFoundError - Elastic Beanstalk can't find a platform version that matches "Docker running on 64bit Amazon Linux 2".
@mickeysox thanks for reporting this issue. When you create your very first environment with Elastic Beanstalk, this role needs to be created. The CLI will create aws-elasticbeanstalk-ec2-role and aws-elasticbeanstalk-service-role in your account. The CLI however can only create it if your IAM role has permissions to create roles.
You can either add the IAM CreateRole permission to your user permission set, or you can use the web console to create the role.
Closing this issue. Feel free to reopen it if you have any questions.
thanks!
I have seen this suggestion a lot of times, "can use the web console to create the role", but no one tells how to do that using the console. Can someone please tell me how I use the web console to create the role? I am new to AWS. It would be really helpful if the steps were broadly explained. Thanks in advance. @Palakpatel67 @mickeysox
Unfortunate that this issue has been closed before this question is answered. I also keep seeing the "create role permission" solution, but I can't find anything like that on AWS.
The new console is not able to create the role for you as that implementation has changed. If you look on the new console, step 2 of the new create wizard shows you the instance profile permissions you need to create. Here are the permissions you need:
Trusted entity: ec2.amazonaws.com
Permissions:
AWSElasticBeanstalkWebTier
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BucketAccess",
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk-*",
                "arn:aws:s3:::elasticbeanstalk-*/*"
            ]
        },
        {
            "Sid": "XRayAccess",
            "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords",
                "xray:GetSamplingRules",
                "xray:GetSamplingTargets",
                "xray:GetSamplingStatisticSummaries"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchLogsAccess",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:DescribeLogGroups"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk*"
            ]
        },
        {
            "Sid": "ElasticBeanstalkHealthAccess",
            "Action": [
                "elasticbeanstalk:PutInstanceStatistics"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:elasticbeanstalk:*:*:application/*",
                "arn:aws:elasticbeanstalk:*:*:environment/*"
            ]
        }
    ]
}
AWSElasticBeanstalkWorkerTier
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MetricsAccess",
            "Action": [
                "cloudwatch:PutMetricData"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "XRayAccess",
            "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords",
                "xray:GetSamplingRules",
                "xray:GetSamplingTargets",
                "xray:GetSamplingStatisticSummaries"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "QueueAccess",
            "Action": [
                "sqs:ChangeMessageVisibility",
                "sqs:DeleteMessage",
                "sqs:ReceiveMessage",
                "sqs:SendMessage"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "BucketAccess",
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk-*",
                "arn:aws:s3:::elasticbeanstalk-*/*"
            ]
        },
        {
            "Sid": "DynamoPeriodicTasks",
            "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:UpdateItem"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:dynamodb:*:*:table/*-stack-AWSEBWorkerCronLeaderRegistry*"
            ]
        },
        {
            "Sid": "CloudWatchLogsAccess",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk*"
            ]
        },
        {
            "Sid": "ElasticBeanstalkHealthAccess",
            "Action": [
                "elasticbeanstalk:PutInstanceStatistics"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:elasticbeanstalk:*:*:application/*",
                "arn:aws:elasticbeanstalk:*:*:environment/*"
            ]
        }
    ]
}
AWSElasticBeanstalkMulticontainerDocker
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ECSAccess",
            "Effect": "Allow",
            "Action": [
                "ecs:Poll",
                "ecs:StartTask",
                "ecs:StopTask",
                "ecs:DiscoverPollEndpoint",
                "ecs:StartTelemetrySession",
                "ecs:RegisterContainerInstance",
                "ecs:DeregisterContainerInstance",
                "ecs:DescribeContainerInstances",
                "ecs:Submit*"
            ],
            "Resource": "*"
        }
    ]
}
The comment from @jsheld helped me a lot, the problem when you are creating the EBS from AWS Console on step 2 the last input is this:
And is blank, in the picture has something because I've created, how? you have to go to IAM > Role:
Then you hit the blue button, then select EC2 and go to 2nd step:
Now you have to choose the permissions that are in the first pic when you click show all the permission or something like that, you only have to search for the permission's name not write the detail:
In this moment the only permissions are: AWSElasticBeanstalkWebTier, AWSElasticBeanstalkWorkerTier and AWSElasticBeanstalkMulticontainerDocker
When you create this role it's gonna create automatically the instance profile needed in the 2nd step on EBS creation.
Hope it helps!
EDIT: Anyways, I just read the documentation and it explains it https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/GettingStarted.CreateApp.html
I ran into a similar problem. I had to create the IAM instance profile manually using the command line and associate it with the necessary role.
aws iam create-instance-profile --instance-profile-name default-elasticbeanstalk-ec2-instance-profile
aws iam add-role-to-instance-profile --instance-profile-name default-elasticbeanstalk-ec2-instance-profile --role-name aws-elasticbeanstalk-ec2-role
Same thing, you can't create an Elastic Beanstalk environment from the AWS web interface because of this. You need to manually create the instance profile by CLI.
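
The role and instance-profile steps spread across the comments above, collected into one script as an added example (not code from the thread or from the EB CLI project). It assumes the role and profile name from the error message, the three managed policies listed in the thread, and a hypothetical DRY_RUN switch that by default prints the AWS CLI commands instead of running them.

```shell
#!/bin/sh
# Added example: create the EC2 role and instance profile that `eb create`
# reported missing. DRY_RUN is a hypothetical switch local to this script.
ROLE_NAME="${ROLE_NAME:-aws-elasticbeanstalk-ec2-role}"        # role name from the thread
PROFILE_NAME="${PROFILE_NAME:-aws-elasticbeanstalk-ec2-role}"  # profile name from the error
DRY_RUN="${DRY_RUN:-1}"                                        # set DRY_RUN=0 to call AWS

# Trust policy: only the EC2 service may assume the role.
trust_policy() {
  cat <<'EOF'
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
EOF
}

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# True when a read-only lookup fails; always true in dry-run (no API calls).
# A lookup also fails without iam:Get* rights; the create call then reports it.
missing() {
  [ "$DRY_RUN" = "1" ] && return 0
  ! "$@" >/dev/null 2>&1
}

create_eb_instance_profile() {
  trust_file=$(mktemp) || return 1
  trust_policy > "$trust_file"
  if missing aws iam get-role --role-name "$ROLE_NAME"; then
    run aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "file://$trust_file" || return 1
  fi
  # AWS managed policies named in the thread.
  for policy in AWSElasticBeanstalkWebTier AWSElasticBeanstalkWorkerTier \
                AWSElasticBeanstalkMulticontainerDocker; do
    run aws iam attach-role-policy --role-name "$ROLE_NAME" \
      --policy-arn "arn:aws:iam::aws:policy/$policy" || return 1
  done
  if missing aws iam get-instance-profile --instance-profile-name "$PROFILE_NAME"; then
    run aws iam create-instance-profile --instance-profile-name "$PROFILE_NAME" || return 1
    run aws iam add-role-to-instance-profile \
      --instance-profile-name "$PROFILE_NAME" --role-name "$ROLE_NAME" || return 1
  fi
  rm -f "$trust_file"
}

create_eb_instance_profile
```

Review the printed plan first, then re-run with DRY_RUN=0 under an identity that is allowed to create roles and instance profiles.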