Reputation: 6131
I am using AWS secrets manager and have created a policy permitting programmatic access to a certain set of secrets. I created a new user and attached that and only that policy to the user, and am able to interact with the secrets perfectly.
Inside Elastic Beanstalk I tested this by manually setting the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as environment variables on the Elastic Beanstalk environment. When running via this method everything works great. I don't want to expose the secret access key to any developer with access to the console, so I want instead to attach that policy to the Elastic Beanstalk service role.
So I created a new Elastic Beanstalk service role for my application, attached the same policy, and then set EB to use that new service role, per the details below.
Since it works great when I set the environment vars on EB for the AWS keys, but doesn't work when I attach the policy to the service role, I must assume it's not related to my policy, but just in case here are the full policy details.
I'm not sure what I could be missing? Is it related to the Virtual Machine permissions? Or did I somehow configure my policy incorrectly?
Service role details contains the two managed policies from AWSElasticBeanstalkEnhancedHealth and AWSElasticBeanstalkService plus my custom role for pre-prod access
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "secretsmanager:GetResourcePolicy",
                    "secretsmanager:GetSecretValue",
                    "secretsmanager:DescribeSecret",
                    "secretsmanager:ListSecretVersionIds"
                ],
                "Resource": [
                    "arn:aws:secretsmanager:us-east-1:123456789:secret:ASDFG",
                    "arn:aws:secretsmanager:us-east-1:123456789:secret:QWERT"
                ]
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "secretsmanager:GetRandomPassword",
                    "secretsmanager:ListSecrets"
                ],
                "Resource": "*"
            }
        ]
    }
The aws-elasticbeanstalk-ec2-role is fully default and looks like this
Thanks in advance!
Upvotes: 2
Views: 1767
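As an added example (not code from the question or the answer), here is a small Python evaluator for the policy document posted above: given an action and a secret ARN, it reports whether the policy would allow the call, so a candidate policy can be checked offline before it is attached to a role. It is a simplified model of IAM evaluation (explicit Deny beats Allow, no match means implicit deny; Condition, NotAction and NotResource are not handled), and the ARNs are the question's placeholders.

```python
import re

# Policy document as posted in the question (account id and secret names are
# the question's own placeholders, not real values).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue",
                    "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds"],
         "Resource": ["arn:aws:secretsmanager:us-east-1:123456789:secret:ASDFG",
                      "arn:aws:secretsmanager:us-east-1:123456789:secret:QWERT"]},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": ["secretsmanager:GetRandomPassword", "secretsmanager:ListSecrets"],
         "Resource": "*"},
    ],
}

def _glob_to_re(pattern):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    return "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"

def _matches(pattern, value, ignore_case=False):
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(_glob_to_re(pattern), value, flags) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one action/resource pair.

    Action names are matched case-insensitively, resource ARNs case-sensitively.
    Simplified: Condition, NotAction and NotResource are not handled.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(_matches(p, action, ignore_case=True) for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(p, resource) for p in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            decision = "Allow"
    return decision

def allowed_actions(policy, actions, resource):
    """Subset of `actions` the policy allows on `resource`, sorted."""
    return sorted(a for a in actions if evaluate(policy, a, resource) == "Allow")
```

Note that Secrets Manager appends a random six-character suffix to every secret ARN, so a literal `secret:ASDFG` resource only matches if that is the complete ARN; a resource of `secret:ASDFG-*` matches the suffixed form, and the evaluator shows the difference.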
Reputation: 6131
Turns out it was the Virtual Machine permissions. I just created a new service role, copied the policies from aws-elasticbeanstalk-ec2-role, added my custom policy for Secrets Manager, and then set the Virtual Machine IAM instance profile to use that new role, et voilà!
Upvotes: 4