Reputation: 603
AWS Beanstalk - getting "Access denied while accessing Auto Scaling and ..." error
When I try to launch an Elastic Beanstalk environment from the command line, I get this error during the process:
Environment health has transitioned from Pending to Warning. Access denied while accessing Auto Scaling and Elastic Load Balancing using role "arn:aws:iam::XXXXXXXXXX:role/aws-elasticbeanstalk-service-role". Verify the role policy.
When I launch it from the console, I do not get this warning. I have tried to replicate the same AWS console configuration from the CLI , but I still get this error.
Any clue what's going on?
Upvotes: 16
Views: 12546
Answers (4)
Reputation: 81
If anyone can not solve the error whit the previous actions what I had to do is:
- Add to aws-elasticbeanstalk-service-role the following policies AutoScalingFullAccess | ElasticLoadBalancingFullAccess
- Not re-start but build the environment again
(after a while it kept launching the error)
Then I added:
- AdministratorAccess-AWSElasticBeanstalk (again to aws-elasticbeanstalk-service-role)
- Re-build the environment again
It is working at the moment.
Upvotes: 1
Reputation: 279
If anyone is still getting a similar error and is still unsure how to solve it
- Navigate to IAM in the AWS Console.
- Navigate to the aws-elasticbeanstalk-service-role (under Access Management > Roles).
- Attach the following policies:
- AutoScalingFullAccess
- ElasticLoadBalancingFullAccess
I then rebuilt the environment, no more errors!
The following article helped me understand this better: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts-roles-service.html
Upvotes: 26
Reputation: 187
You can go to your IAM console. You will see the "aws-elasticbeanstalk-service-role", Under the permission tab, you can grant the specific you want to give the policy on your behalf. Refresh and you should have "Ok". Make sure the permission you grant the role can manage this " Auto Scaling and Elastic Load Balancing using role"
Upvotes: 7
Reputation: 18918
Elastic Beanstalk now uses a Service Role to call other AWS services on your behalf. The IAM role is created in your account and you give permissions to launch Service role is optional but recommended for new environments.
Especially for enhanced health monitoring (which is what your using based on the error message), service role is mandatory. A misconfigured service role can lead to this error message.
The console experience makes it very easy for you to create/use the role with the correct permissions. This is because you just need to select the correct role from the dropdown (if the role already exists) when using the create environment wizard.
When using the CLI you need to pass the service role option setting. (namespace: aws:elasticbeanstalk:environment, option_name: ServiceRole). You can find the required permissions for a role configured in this documentation.
There are some more details about service role in my previous stack overflow answer here.
Upvotes: 6
Related Questions
- Elastic Beanstalk without Elastic Load Balancer
- AWS Elastic Beanstalk Error when creating environment. "There are no instances. Unable to assume role XXXXX."
- Initialization completed but access denied for Auto Scaling with Beanstalk service role
- JAVA -AWS ACCESS S3 BUCKET FROM JAVA APPLICATION ON ELASTIC BEANSTALK
- Deploying to AWS Elastic Beanstalk using AWS CodeBuild and EB CLI