
I've created maybe 10 Elastic Beanstalk environments with a connected RDS database, but for some reason on this application I'm unable to add an RDS database to my elastic beanstalk environment.

I'm adding the RDS database through the Elastic Beanstalk UI with Configuration > Database. The error seems to stem around my root user not being able to create an RDS DB Security Group. The event logs show:

```
INFO: Environment update is starting.
INFO: Updating environment pscope-api-prod's configuration settings.
ERROR: Service:AmazonCloudFormation, Message:Stack named 'awseb-e-rmu57hh9tz-stack' aborted operation. Current state: 'UPDATE_ROLLBACK_IN_PROGRESS' Reason: The following resource(s) failed to create: [AWSEBRDSDBSecurityGroup].
ERROR: Creating RDS database security group named: awseb-e-rmu57hh9tz-stack-awsebrdsdbsecuritygroup-gpqdtr1kvf7z failed Reason: Either the resource does not exist, or you do not have the required permissions.
ERROR: Failed to deploy configuration.
INFO: Deleted RDS database security group named: awseb-e-rmu57hh9tz-stack-awsebrdsdbsecuritygroup-gpqdtr1kvf7z
INFO: The environment was reverted to the previous configuration setting.
```

After this is done, no database was created and everything is reverted to how it was before trying to add the RDS database.

Things I've tried:

  • I'm trying to add this database as the root user, but have also tried creating an IAM user with Administrator privileges and get the same error.
  • I've also tried deleting the entire application and environment and recreating, but I get the same error.
  • I usually create with eb-cli with eb create, but I've also tried creating via the dashboard UI and get the same error.
awwester
  • Beanstalk uses CloudFormation to build and sync resources. I would suggest performing your update, then heading over to stack 'awseb-e-rmu57hh9tz-stack' and watch the CloudFormation events. Make sure the stack role has permissions to create the DB security group resources. You should be able to find more information. Next see if you can create a DB security group manually. If you can, try assuming the Beanstalk service role with the assume-role call and creating one too. https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html – Brandon Jul 14 '18 at 22:07

4 Answers

I'm new to AWS and had the same problem when trying to create and add a new database from the Elastic Beanstalk Management Console.

It was fixed after adding the AWSServiceRoleForRDS role in IAM. Go to IAM --> Roles --> Create role --> AWS Service:

Select RDS, and RDS use case. Click on "Next:Permissions". There you'll see that the AmazonRDSServiceRolePolicy has been added. Click Next:Review --> Create Role.

And you're done. Try creating a database from the Elastic Beanstalk Management Console now. It should work now.

Nicolaj
  • Thanks, @Nicolaj. Luckily you posted this. It is puzzling why Elastic Beanstalk doesn't do this for you as it has an interface to add an RDS instance and falls over immediately when trying to do so. – MSC Aug 16 '18 at 07:11
  • Any idea why this is required? My user already had admin-level access... – MSC Aug 16 '18 at 10:54
  • It seems that the policy `AWSServiceRoleForRDS` does no longer exist. [This answer](https://serverfault.com/a/935139/512490) is still applicable, though. – blubb Mar 01 '19 at 17:34
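The fix in this answer (create the AWSServiceRoleForRDS service-linked role) and the diagnosis in Brandon's comment (read the CloudFormation stack events) can both be scripted. This is an added example, not code from the thread; it assumes a configured AWS CLI whose identity is allowed to call iam:GetRole, iam:CreateServiceLinkedRole and cloudformation:DescribeStackEvents, and the script file name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread). Checks for the RDS service-linked role,
# creates it with the CLI if it is missing, and lists the CREATE_FAILED
# resources of the Elastic Beanstalk CloudFormation stack.

# Print "present" if AWSServiceRoleForRDS already exists; otherwise create it
# and print "created". Service-linked roles are created by service name, so
# AWS fixes the role name and attaches AmazonRDSServiceRolePolicy itself.
ensure_rds_service_linked_role() {
  if aws iam get-role --role-name AWSServiceRoleForRDS >/dev/null 2>&1; then
    echo "present"
    return 0
  fi
  aws iam create-service-linked-role --aws-service-name rds.amazonaws.com >/dev/null
  echo "created"
}

# Print each resource of stack $1 that failed to create, one per line as
# "<LogicalResourceId><TAB><ResourceStatusReason>". For the stack in the
# question this is where AWSEBRDSDBSecurityGroup and its permission error appear.
failed_stack_resources() {
  aws cloudformation describe-stack-events --stack-name "$1" \
    --query "StackEvents[?ResourceStatus=='CREATE_FAILED'].[LogicalResourceId,ResourceStatusReason]" \
    --output text
}

# Usage: EB_STACK_NAME=awseb-e-rmu57hh9tz-stack sh check-rds-role.sh
if [ -n "${EB_STACK_NAME:-}" ]; then
  echo "AWSServiceRoleForRDS: $(ensure_rds_service_linked_role)"
  echo "Resources that failed to create in $EB_STACK_NAME:"
  failed_stack_resources "$EB_STACK_NAME"
fi
```

Run it after a failed Configuration > Database update: if the role was just created, retry the update; if the role was already present, the listed stack events point at the resource and permission that actually blocked it.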

My problem was clicking Apply at the bottom of the RDS page instead of Continue. After clicking Continue, I was able to see the message telling me to assign two subnets to the database. After doing that and clicking Apply, everything worked fine.

Sinjai

Apparently when you've run eb create (I guess without specifying any database), the required roles automatically created for your IAM user are missing the required role to allow RDS to make changes.

Creating a new role for the RDS service in your IAM Management Console will "Allow RDS to perform operations using AWS resources on your behalf." After checking the permissions and ensuring that AmazonRDSServiceRolePolicy is on the list, an AWSServiceRoleForRDS role will be added to the list and hopefully solve your trouble.

m3d14n0

Had the exact same issue and after some googling found that adding the AWSServiceRoleForRDS role fixed the issue.

  • If you elaborated a bit, your answer would be more useful. The goal is to have a Q&A which is useful in the future for anyone facing similar issues. – Jeter-work Aug 10 '18 at 18:06