Elastic Beanstalk Environment Creation Error due to disabled ACLs in S3 bucket

I am creating a new Elastic Beanstalk environment using the command line with the eb create command in a region I haven't targeted before (us-east-2). As a result, the Elastic Beanstalk process created a new S3 bucket. However, the process failed with the following error: "Service:Amazon S3, Message:The bucket does not allow ACLs".

2023-04-18 21:44:58    INFO    createEnvironment is starting.
2023-04-18 21:44:59    INFO    Using elasticbeanstalk-us-east-2-275540591990 as Amazon S3 storage bucket for environment data.
2023-04-18 21:45:00    ERROR   Service:Amazon S3, Message:The bucket does not allow ACLs
2023-04-18 21:45:00    ERROR   Failed to launch environment.

I confirmed in the AWS Console that the S3 bucket listed above indeed has ACLs disabled, which is the new default setting for new S3 buckets in April 2023 (more info: https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html). It seems that one method to make this work again is to enable the ACLs in the AWS Console for this bucket (elasticbeanstalk-us-east-2-275540591990). However, is re-enabling ACLs the recommended way to resolve this for Elastic Beanstalk? Or is the recommended way to keep using Object Ownership (ACLs disabled) since the AWS documentation suggests that?

I tried creating a bucket policy in IAM that gives read/write/list permissions to the bucket, and attached it to the "aws-elasticbeanstalk-service-role". Then I re-attempted the creation (eb create). However, it failed with the exact same error. I notice there is also an "aws-elasticbeanstalk-ec2-role", but my hunch was that it wouldn't resolve the error. Any help is greatly appreciated.

Edit: I confirmed that this started working again when I re-enabled the ACLs for the bucket and re-executed the eb create command. So, currently I am operating under the assumption that Elastic Beanstalk requires the ACLs to be enabled for the bucket where it is storing configuration. If this is the case, it would be a helpful note to add to their documentation.

Edit2: To activate ACLs on the bucket in the AWS Console, navigate to S3, then click on the bucket shown in the warning (i.e. "elasticbeanstalk-us-east-2-275540591990" in this example). Then, click the "Permissions" tab, and scroll to the "Object Ownership" section. It will show "Bucket owner enforced...ACLs are disabled.". Click the "Edit" button on the right, activate "ACLs enabled", and then click the checkbox to "I acknowledge that ACLs will be restored" and finally "Save changes". Afterwards, running the eb create command should be successful.

Falkirk answered 18/4, 2023 at 22:16 Comment(8)
I had the same issue until I logged into the console as root. As root, the new environment and application started without error. – Kartis
I have the same problem. Tested in an AWS Academy Learner Lab. The initial creation of the BeanStalk App from the console works and deploys the sample app, but when I try to update my code (using github.com/marketplace/actions/beanstalk-deploy), it fails with the message "Service:Amazon S3, Message:The bucket does not allow ACLs". If I enable ACLs in the bucket, it works. – Rare
Hi. Can you please share the command to "enable the ACLs in the AWS Console"? – Sicklebill
Hi, @Eyalk. It's this: aws s3api put-bucket-ownership-controls --bucket ELASTIC_BEANSTALK_BUCKET_NAME --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerPreferred}]' – Rare
It is a really annoying error message that does not allow me to deploy my application. I am also getting this when changing region. In my default region I do not get that message using the same S3 bucket. – Elspeth
@Sicklebill I just edited my question with Edit2 to include the instructions for how to activate the ACLs through the AWS Console. – Falkirk
@Elspeth When you switch to another region, another bucket is created for Beanstalk. New buckets are created with ACLs disabled. In your default region, the S3 bucket was previously created: that's the reason why it had ACLs enabled. – Rare
Thank you @PedroPrieto. ACLs are disabled in my default region and everything works fine. I get the error only when trying to deploy in another region. – Elspeth

Solution

Steps:

  1. Log in to AWS
  2. Go to S3
  3. Click on your EB bucket (format: elasticbeanstalk-{region}-{accountNumber})
  4. Navigate to "Permissions"
  5. Go down to "Object Ownership"
  6. Click Edit, and switch to "ACLs enabled"
  7. Click the checkbox next to "I acknowledge that ACLs will be restored"
  8. Save changes
  9. It should work or at least give you a different error

Context: The solution is to add a bucket ACL to your elasticbeanstalk S3 bucket. The steps for the solution are below. This has to be done with the account's elasticbeanstalk S3 bucket. For example, change the ACLs on elasticbeanstalk-{region}-{accountNumber} and NOT necessarily the bucket where you deploy. Specifically, I was using a Bitbucket pipeline to deploy my Elastic Beanstalk application to my own S3 bucket. The ACLs on the bucket where you have the application do not matter. You just have to enable ACLs on the EB bucket and it should work. Also, I'm not sure if it was a fluke, but I had to change the settings twice, so I would double-check that the S3 bucket really does have ACLs enabled if it still errors out.

Truelove answered 30/4, 2023 at 22:25 Comment(0)
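
The console steps in the answer and the CLI command from the comments, combined into one script that changes the Object Ownership setting only when ACLs are disabled and then reads it back to confirm the change took effect (the answer mentions having to apply it twice). This is an added example, not part of the original posts; the function names are made up for illustration, and it assumes the AWS CLI is installed with credentials allowed to read and change the bucket's ownership controls.

```sh
#!/bin/sh
# Added example, not from the original posts. Function names are illustrative.

# Build the Elastic Beanstalk storage bucket name in the format given in the
# answer: elasticbeanstalk-{region}-{accountNumber}.
eb_bucket_name() {  # usage: eb_bucket_name REGION ACCOUNT_ID
  printf 'elasticbeanstalk-%s-%s\n' "$1" "$2"
}

# Print the bucket's current Object Ownership value.
# BucketOwnerEnforced means ACLs are disabled.
bucket_ownership() {  # usage: bucket_ownership BUCKET
  aws s3api get-bucket-ownership-controls --bucket "$1" \
    --query 'OwnershipControls.Rules[0].ObjectOwnership' --output text
}

# Enable ACLs only if they are currently disabled, then read the setting back.
# Returns 0 if ACLs are enabled afterwards, 1 if they are still disabled,
# 2 if the setting could not be read or written.
ensure_acls_enabled() {  # usage: ensure_acls_enabled BUCKET
  eb_bucket=$1
  eb_current=$(bucket_ownership "$eb_bucket") || return 2
  if [ "$eb_current" = "BucketOwnerEnforced" ]; then
    # Quoted so the shell does not treat [ ] and { } as patterns.
    aws s3api put-bucket-ownership-controls --bucket "$eb_bucket" \
      --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerPreferred}]' \
      || return 2
    # Re-read instead of trusting the write.
    eb_current=$(bucket_ownership "$eb_bucket") || return 2
  fi
  echo "$eb_bucket: ObjectOwnership=$eb_current"
  [ "$eb_current" != "BucketOwnerEnforced" ]
}

# Runs only when called as: script.sh REGION ACCOUNT_ID
if [ "$#" -eq 2 ]; then
  ensure_acls_enabled "$(eb_bucket_name "$1" "$2")"
fi
```

A bucket that already has ACLs enabled is left untouched, so the script is safe to run again before retrying eb create.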
