AWS Elastic Beanstalk ServiceRole Error When Logging In To A Role

Asked 13/8, 2015 at 0:8 Answered 28/7, 2023 at 6:24

amazon-web-services amazon-elastic-beanstalk

I'm logging into a role through SSO and I'm trying to create a new Elastic Beanstalk environment (newest tomcat if it matters) and I am getting the following error which is preventing me from even getting the environment started building:

(Namespace: 'aws:elasticbeanstalk:environment', OptionName: 'ServiceRole'): Invalid service role

This is happening even when I am trying to clone an existing environment. I've tried to auto generate a service role and to manually create one. Both are giving the error. This error does not happen when I am logging into a user with the same permissions.

Banbury answered 13/8, 2015 at 0:8 Comment(4)

Are you logging in with an IAM user? Does your IAM user have iam:PassRole permission? Can you check the list of permissions required in your IAM user policy here: docs.aws.amazon.com/elasticbeanstalk/latest/dg/…? – Kagoshima 13/8, 2015 at 1:41

Also are you getting this error only in the AWS Management console or from the API/CLI as well? Can you try using the root account? – Kagoshima 13/8, 2015 at 1:42

I am using the console and was logging into a role through a SSO provider. Logging into an actually account fixed the issue, but this isn't a long term option for security reasons, so I'll be continuing to investigate. – Banbury 13/8, 2015 at 11:49

We've been told by AWS support that there's a bug on their side that makes this fail with SSO. I'm on the same boat for now and will need to create temporary IAM users until they fix it. – Tucket 13/8, 2015 at 20:9

When you clone an environment using the Elastic Beanstalk console, you have the option to choose a new platform and a service role. Service role is a new concept in beanstalk documented here. Service is not required if you are using basic health monitoring but it is required if you choose to use enhanced health monitoring.

When creating an environment you can choose to pass an IamInstanceProfile (typically named aws-elasticbeanstalk-ec2-role) and a service role (typically named aws-elasticbeanstalk-service-role). These two roles are required when using Enhanced Application Health Monitoring. Please note that these two roles require a completely a different set of permissions and you should use different roles for each of them. You can find the list of permissions required for Service Role and Instance profile documented here.

When creating/cloning/modifying environments using AWS console you will be shown an option to choose a service role. If you have never used a Service role before, you will be presented with an option to "Create a new role". The console allows you to create the Service role required by beanstalk using a single button click. You can view the permissions before creating the role.

After the first create, the console will present you with a dropdown with the role you created previously (typically named aws-elasticbeanstalk-service-role) and you can reuse this service role.

From the documentation: "A service role is the IAM role that Elastic Beanstalk assumes when calling other services on your behalf. Elastic Beanstalk uses the service role that you specify when creating an Elastic Beanstalk environment when it calls Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing, and Auto Scaling APIs to gather information about the health of its AWS resources."

When creating/using a role you need to make sure the IAM user has pass role permission for the role you created. In case you are not using the root account make sure you have the correct policies for the IAM user. Note the iam:PassRole permission allows your IAM user to pass the role to beanstalk service.

Update

There was an issue with Single Sign On that has now been resolved. Please update here or in the AWS forum thread below if you are still seeing issues. AWS forum thread: https://forums.aws.amazon.com/thread.jspa?threadID=171369

Kagoshima answered 13/8, 2015 at 2:34 Comment(6)

Thanks for the detailed response. We are hitting a similar wall as @thefroatgt, with the exact same behavior and workaround, i.e. it only works via an IAM user, but doesn't when assuming an IAM role. The latter applies to all three scenarios, cross account via the AWS console or via the AWS CLI (e.g. update-environment) and programmatically via the AWS SDK, so we start to think there might indeed be an issue on the AWS side for a change, rather than the usual permission issue on our part. We can reliably reproduce both scenarios in various accounts. Any other ideas? Thanks much! – Jackstraws 13/8, 2015 at 18:22

One thing I noticed is that the trust relationship for the generated aws-elasticbeanstalk-service-role has a condition for sts:ExternalId == elasticbeanstalk. Conceptually I can see how this confused deputy protection might be considered useful, but haven't seen it facilitated by other auto generated roles yet. Out of desperation and speculation about different code paths that might not yet submit an sts:ExternalId, I have removed the condition for a bit, but not unexpectedly it doesn't make a difference either. – Jackstraws 13/8, 2015 at 18:30

One more hurdle, even if you log in to a user to create an environment you can't view that environment on the console with a role, it kicks you back to the list of environments. – Banbury 13/8, 2015 at 19:31

For reference, this issue is experienced by an increasing number of users and e.g. discussed in Error creating new Environment: "Invalid service role" (Elastic Beanstalk forum) and EB deployment OptionName: 'ServiceRole' (Utoolity Q&A forum). – Jackstraws 14/8, 2015 at 13:16

@SteffenOpel should be fixed now. Please let us know if you are still seeing problems. – Kagoshima 22/8, 2015 at 9:27

@RohitBanga - thanks for the update, much appreciated! We have confirmed that this works as expected now for us via the AWS Management Console, and also via the Elastic Beanstalk environment task in Tasks for AWS. – Jackstraws 22/8, 2015 at 15:21

I got the same error yesterday and a different one today using the same stack "Unable to assign role. Please verify that you have permission to pass this role: XXXXXX."

And I solved assigning this policy "AWSElasticBeanstalkFullAccess" to my user

Here you could read more: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts-roles.html#concepts-roles-user

Frank answered 19/8, 2015 at 9:9 Comment(1)

AWSElasticBeanstalkFullAccess does not exist on AWS. Most similar is AdministratorAccess-AWSElasticBeanstalk – Mincey 20/9, 2022 at 11:31

https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/iam-servicerole.html

Because of permission issues, the Elastic Beanstalk service doesn't always successfully create this service-linked role for you. Therefore, the console tries to explicitly create it. To ensure your account has this service-linked role, create an environment at least once using the console, and configure managed updates to be enabled before you create the environment.

When you start building environment please make sure following

Create key pair in EC2 instance and note name
Create role aws-elasticbeanstalk-service-role and add

AWSElasticBeanstalkEnhancedHealth
AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy

Create Ebs-service-role and add
- AWSElasticBeanstalkWebTier,
- AWSElasticBeanstalkWorkerTier,
- AWSElasticBeanstalkMulticontainerDocker

Now

Add Service role :aws-elasticbeanstalk-service-role
EC2 key your instance key name
Add EC2 instance profile :Ebs-service-role

If you want to create custom policy

AWSElasticBeanstalkWebTier

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "BucketAccess",
          "Action": [
            "s3:Get*",
            "s3:List*",
            "s3:PutObject"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::elasticbeanstalk-*",
            "arn:aws:s3:::elasticbeanstalk-*/*"
          ]
        },
        {
          "Sid": "XRayAccess",
          "Action": [
            "xray:PutTraceSegments",
            "xray:PutTelemetryRecords",
            "xray:GetSamplingRules",
            "xray:GetSamplingTargets",
            "xray:GetSamplingStatisticSummaries"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Sid": "CloudWatchLogsAccess",
          "Action": [
            "logs:PutLogEvents",
            "logs:CreateLogStream",
            "logs:DescribeLogStreams",
            "logs:DescribeLogGroups"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk*"
          ]
        },
        {
          "Sid": "ElasticBeanstalkHealthAccess",
          "Action": [
            "elasticbeanstalk:PutInstanceStatistics"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:elasticbeanstalk:*:*:application/*",
            "arn:aws:elasticbeanstalk:*:*:environment/*"
          ]
        }
      ]
    }

AWSElasticBeanstalkWorkerTier

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "MetricsAccess",
          "Action": [
            "cloudwatch:PutMetricData"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Sid": "XRayAccess",
          "Action": [
            "xray:PutTraceSegments",
            "xray:PutTelemetryRecords",
            "xray:GetSamplingRules",
            "xray:GetSamplingTargets",
            "xray:GetSamplingStatisticSummaries"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Sid": "QueueAccess",
          "Action": [
            "sqs:ChangeMessageVisibility",
            "sqs:DeleteMessage",
            "sqs:ReceiveMessage",
            "sqs:SendMessage"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Sid": "BucketAccess",
          "Action": [
            "s3:Get*",
            "s3:List*",
            "s3:PutObject"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::elasticbeanstalk-*",
            "arn:aws:s3:::elasticbeanstalk-*/*"
          ]
        },
        {
          "Sid": "DynamoPeriodicTasks",
          "Action": [
            "dynamodb:BatchGetItem",
            "dynamodb:BatchWriteItem",
            "dynamodb:DeleteItem",
            "dynamodb:GetItem",
            "dynamodb:PutItem",
            "dynamodb:Query",
            "dynamodb:Scan",
            "dynamodb:UpdateItem"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:dynamodb:*:*:table/*-stack-AWSEBWorkerCronLeaderRegistry*"
          ]
        },
        {
          "Sid": "CloudWatchLogsAccess",
          "Action": [
            "logs:PutLogEvents",
            "logs:CreateLogStream"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk*"
          ]
        },
        {
          "Sid": "ElasticBeanstalkHealthAccess",
          "Action": [
            "elasticbeanstalk:PutInstanceStatistics"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:elasticbeanstalk:*:*:application/*",
            "arn:aws:elasticbeanstalk:*:*:environment/*"
          ]
        }
      ]
    }

AWSElasticBeanstalkMulticontainerDocker

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ECSAccess",
          "Effect": "Allow",
          "Action": [
            "ecs:Poll",
            "ecs:StartTask",
            "ecs:StopTask",
            "ecs:DiscoverPollEndpoint",
            "ecs:StartTelemetrySession",
            "ecs:RegisterContainerInstance",
            "ecs:DeregisterContainerInstance",
            "ecs:DescribeContainerInstances",
            "ecs:Submit*"
          ],
          "Resource": "*"
        }
      ]
    }

At the end add following inline policy into Ec2 role

        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "ElasticBeanstalkHealthAccess",
                    "Action": [
                        "elasticbeanstalk:PutInstanceStatistics"
                    ],
                    "Effect": "Allow",
                    "Resource": [
                        "arn:aws:elasticbeanstalk:*:*:application/*",
                        "arn:aws:elasticbeanstalk:*:*:environment/*"
                    ]
                }
            ]
        }

And

           {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "elasticbeanstalk:CheckForUpdate"
                    ],
                    "Resource": "*"
                }
            ]
        }

Germiston answered 28/7, 2023 at 6:24 Comment(0)

There seems to be a thread on aws support forum here: https://forums.aws.amazon.com/thread.jspa?messageID=670359

I am having the same issue when trying to access a beanstalk environment via crossaccount iam policy.

I think that logging into console with an IAM account that belongs to that particular AWS account with resolve the issue. Im certain AWS folks are working on it

Conversational answered 18/8, 2015 at 21:15 Comment(1)

I was correct, issue linked to federated users. forums.aws.amazon.com/thread.jspa?threadID=212981. Bug fix coming soon – Conversational 18/8, 2015 at 21:46

Recommended topics

Hot tags