Reputation: 1035
tl;dr Instance gets assumed-role instead of what I set in configuration.
I deploy a Java application in Docker into Elastic Beanstalk; I actually set a specific role with my custom policies in .ebextensions/instance.config:
    - namespace: aws:autoscaling:launchconfiguration
      option_name: IamInstanceProfile
      value: custom-profile
When I deploy with eb init && eb create --tier worker, everything is okay. Then the application tries to access stuff, which is allowed in custom-profile, but it fails with:
Exception in thread "main" com.amazonaws.AmazonServiceException: User: arn:aws:sts::***:assumed-role/aws-elasticbeanstalk-ec2-role/*** is not authorized to perform: ...
It doesn't even mention the reason why it uses an "assumed role". Interestingly, when I set the role manually in the web console and upload the zip, it works.
I've tried using SingleInstance and LoadBalanced, both with the same result. I've read the docs and googled, but found nothing that would work. I've added the PassRole privilege to my console user, but I don't even know if it helps anything. The config is accepted as valid, but while the EC2 instance is created I don't have any info as to why it's not assigned the right role.
I'll be thankful for your advice.
Notes: new InstanceProfileCredentialsProvider() is used in Java.
Upvotes: 3
Views: 1446
Reputation: 15765
The EB CLI tells Elastic Beanstalk to use the "aws-elasticbeanstalk-ec2-role" instance profile. This will override your ebextensions. In order to use your own profile, you can either use the "-ip" option or you can use a default saved configuration.
eb create --tier worker -ip custom-profile
If you want to do this with saved configurations instead, see this blog post.
Upvotes: 4
Reputation: 18916
Two possibilities
Did you commit your .ebextension file to the git repo? Most likely you did but just double checking.
The other possibility is that when you run eb init and eb create, it sets up the defaults for you in a different conf file. These defaults include the IamInstanceProfile. In the interactive mode you get to choose the role name; otherwise it picks the default name. eb passes default option settings via the API. Your ebextensions also specify the same option setting with a different value. In case of a conflict, the API wins and overrides the setting in your ebextension. I think this is what might be happening. Can you try specifying your role name when calling eb init/create in the interactive mode? That way your role will be used instead of the default one.
Upvotes: 1
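The override both answers describe can be confirmed from the environment itself rather than from the .ebextensions file. The following is an added example, not code from the question or either answer: it reads the JSON shape returned by `aws elasticbeanstalk describe-configuration-settings` and the assumed-role ARN from the error message. The sample data, account ID, instance ID, action name and function names are constructed for illustration.

```python
import json
import re

NAMESPACE = "aws:autoscaling:launchconfiguration"
OPTION = "IamInstanceProfile"

# Constructed sample, trimmed to two options: the JSON shape returned by
# `aws elasticbeanstalk describe-configuration-settings`.
SAMPLE_SETTINGS = json.dumps({"ConfigurationSettings": [{"OptionSettings": [
    {"Namespace": NAMESPACE, "OptionName": "InstanceType", "Value": "t2.micro"},
    {"Namespace": NAMESPACE, "OptionName": OPTION,
     "Value": "aws-elasticbeanstalk-ec2-role"}]}]})

# Constructed error line; account ID, instance ID and action are placeholders.
SAMPLE_ERROR = ("User: arn:aws:sts::123456789012:assumed-role/"
                "aws-elasticbeanstalk-ec2-role/i-0123456789abcdef0 "
                "is not authorized to perform: sqs:ReceiveMessage")

ARN_RE = re.compile(r"arn:aws:sts::[^:\s]*:assumed-role/([^/\s]+)/(\S+)")


def effective_instance_profile(settings_json):
    """Return the instance profile name the environment actually runs with."""
    for env in json.loads(settings_json).get("ConfigurationSettings", []):
        for opt in env.get("OptionSettings", []):
            if opt.get("Namespace") == NAMESPACE and opt.get("OptionName") == OPTION:
                value = opt.get("Value") or ""
                # The option accepts a name or an ARN; keep the final path segment.
                return value.rsplit("/", 1)[-1] or None
    return None


def role_in_error(message):
    """Extract (role name, session name) from an STS assumed-role ARN."""
    m = ARN_RE.search(message)
    return (m.group(1), m.group(2)) if m else (None, None)


def diagnose(expected_profile, settings_json, error_message):
    """Compare the profile set in .ebextensions with what the environment uses."""
    effective = effective_instance_profile(settings_json)
    role, session = role_in_error(error_message)
    return {
        "effective_profile": effective,
        "ebextensions_overridden": effective != expected_profile,
        "role_in_error": role,
        # Instance profile credentials are STS sessions named after the instance ID.
        "from_instance_profile": bool(session and session.startswith("i-")),
    }
```

An instance profile and the role it contains can have different names, so the role in the error is reported separately and is not compared with the profile name.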