9

I'm logging into a role through SSO and I'm trying to create a new Elastic Beanstalk environment (newest tomcat if it matters) and I am getting the following error which is preventing me from even getting the environment started building:

(Namespace: 'aws:elasticbeanstalk:environment', OptionName: 'ServiceRole'): Invalid service role

This is happening even when I am trying to clone an existing environment. I've tried to auto generate a service role and to manually create one. Both are giving the error. This error does not happen when I am logging into a user with the same permissions.

thefroatgt
  • Are you logging in with an IAM user? Does your IAM user have `iam:PassRole` permission? Can you check the list of permissions required in your IAM user policy here: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts-roles.html? – Rohit Banga Aug 13 '15 at 01:41
  • Also are you getting this error only in the AWS Management console or from the API/CLI as well? Can you try using the root account? – Rohit Banga Aug 13 '15 at 01:42
  • I am using the console and was logging into a role through an SSO provider. Logging into an actual account fixed the issue, but this isn't a long-term option for security reasons, so I'll be continuing to investigate. – thefroatgt Aug 13 '15 at 11:49
  • We've been told by AWS support that there's a bug on their side that makes this fail with SSO. I'm on the same boat for now and will need to create temporary IAM users until they fix it. – sergiopereira Aug 13 '15 at 20:09

4 Answers

15

When you clone an environment using the Elastic Beanstalk console, you have the option to choose a new platform and a service role. The service role is a new concept in Beanstalk, documented here. A service role is not required if you are using basic health monitoring, but it is required if you choose to use enhanced health monitoring.

When creating an environment you can choose to pass an IamInstanceProfile (typically named aws-elasticbeanstalk-ec2-role) and a service role (typically named aws-elasticbeanstalk-service-role). These two roles are required when using Enhanced Application Health Monitoring. Please note that these two roles require completely different sets of permissions, and you should use different roles for each of them. You can find the list of permissions required for the service role and the instance profile documented here.

When creating/cloning/modifying environments using AWS console you will be shown an option to choose a service role. If you have never used a Service role before, you will be presented with an option to "Create a new role". The console allows you to create the Service role required by beanstalk using a single button click. You can view the permissions before creating the role.

After the first create, the console will present you with a dropdown with the role you created previously (typically named aws-elasticbeanstalk-service-role) and you can reuse this service role.

From the documentation: "A service role is the IAM role that Elastic Beanstalk assumes when calling other services on your behalf. Elastic Beanstalk uses the service role that you specify when creating an Elastic Beanstalk environment when it calls Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing, and Auto Scaling APIs to gather information about the health of its AWS resources."

When creating/using a role you need to make sure the IAM user has pass role permission for the role you created. In case you are not using the root account make sure you have the correct policies for the IAM user. Note the iam:PassRole permission allows your IAM user to pass the role to beanstalk service.

Update

There was an issue with Single Sign On that has now been resolved. Please update here or in the AWS forum thread below if you are still seeing issues. AWS forum thread: https://forums.aws.amazon.com/thread.jspa?threadID=171369

John Rotenstein
Rohit Banga
  • Thanks for the detailed response. We are hitting a similar wall as @thefroatgt, with the exact same behavior and workaround, i.e. it only works via an IAM user, but doesn't when assuming an IAM role. The latter applies to all three scenarios, cross account via the AWS console or via the AWS CLI (e.g. `update-environment`) and programmatically via the AWS SDK, so we start to think there might indeed be an issue on the AWS side for a change, rather than the usual permission issue on our part. We can reliably reproduce both scenarios in various accounts. Any other ideas? Thanks much! – Steffen Opel Aug 13 '15 at 18:22
  • One thing I noticed is that the trust relationship for the generated `aws-elasticbeanstalk-service-role` has a condition for `sts:ExternalId == elasticbeanstalk`. Conceptually I can see how this confused deputy protection might be considered useful, but haven't seen it facilitated by other auto generated roles yet. Out of desperation and speculation about different code paths that might not yet submit an `sts:ExternalId`, I have removed the condition for a bit, but not unexpectedly it doesn't make a difference either. – Steffen Opel Aug 13 '15 at 18:30
  • One more hurdle, even if you log in to a user to create an environment you can't view that environment on the console with a role, it kicks you back to the list of environments. – thefroatgt Aug 13 '15 at 19:31
  • For reference, this issue is experienced by an increasing number of users and e.g. discussed in [Error creating new Environment: "Invalid service role" (Elastic Beanstalk forum)](https://forums.aws.amazon.com/thread.jspa?threadID=212981&tstart=0) and [EB deployment OptionName: 'ServiceRole' (Utoolity Q&A forum)](https://utoolity.atlassian.net/wiki/questions/48234520/eb-deployment-optionname-servicerole). – Steffen Opel Aug 14 '15 at 13:16
  • @SteffenOpel should be fixed now. Please let us know if you are still seeing problems. – Rohit Banga Aug 22 '15 at 09:27
  • @RohitBanga - thanks for the update, much appreciated! We have confirmed that this works as expected now for us via the AWS Management Console, and also via the [Elastic Beanstalk environment task](https://utoolity.atlassian.net/wiki/display/TAWS/Using+the+AWS+Elastic+Beanstalk+Environment+task+in+Bamboo) in [Tasks for AWS](https://marketplace.atlassian.com/plugins/net.utoolity.atlassian.bamboo.tasks-for-aws). – Steffen Opel Aug 22 '15 at 15:21
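The two IAM pieces this answer and its comments turn on, as an added offline example that is not from the answer, from AWS, or from any of the commenters: a caller policy is checked for `iam:PassRole` on the service role, and a console-style trust policy carrying the `sts:ExternalId` condition mentioned above is checked for whether `elasticbeanstalk.amazonaws.com` can assume the role with and without presenting that external id. The role ARN, the account id and both policy documents are constructed samples, and the matcher is a simplified model of IAM evaluation (no NotAction, NotResource or other condition operators).

```python
import fnmatch
import json

# Constructed sample ARN; 123456789012 is a placeholder account id.
SERVICE_ROLE_ARN = "arn:aws:iam::123456789012:role/aws-elasticbeanstalk-service-role"

# Constructed trust policy in the shape the console generates for the service role.
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"Service": "elasticbeanstalk.amazonaws.com"},
  "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "elasticbeanstalk"}}}]}""")

# Constructed identity policy for the IAM user or assumed role creating the environment.
CALLER_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "elasticbeanstalk:*", "Resource": "*"},
  {"Effect": "Allow", "Action": "iam:PassRole",
   "Resource": "arn:aws:iam::123456789012:role/aws-elasticbeanstalk-*"}]}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM's * and ? wildcards behave like shell globs for this purpose.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def can_pass_role(policy, role_arn):
    """True if an Allow grants iam:PassRole on role_arn and no explicit Deny overrides it."""
    allowed = denied = False
    for st in policy["Statement"]:
        if _matches(st.get("Action", []), "iam:PassRole") and _matches(st.get("Resource", []), role_arn):
            denied |= st["Effect"] == "Deny"
            allowed |= st["Effect"] == "Allow"
    return allowed and not denied


def service_can_assume(trust_policy, service, external_id=None):
    """True if `service` may assume the role; a StringEquals sts:ExternalId
    condition is only met when the caller presents that exact external id."""
    for st in trust_policy["Statement"]:
        principals = _as_list(st.get("Principal", {}).get("Service", []))
        if (st.get("Effect") != "Allow" or service not in principals
                or not _matches(st.get("Action", []), "sts:AssumeRole")):
            continue
        required = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is None or external_id in _as_list(required):
            return True
    return False
```

Running `service_can_assume(TRUST_POLICY, "elasticbeanstalk.amazonaws.com")` without an external id returns False, which is the failure mode a caller that omits the ExternalId would hit against the generated trust policy.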
4

I got the same error yesterday and a different one today using the same stack: "Unable to assign role. Please verify that you have permission to pass this role: XXXXXX."

And I solved it by assigning this policy, "AWSElasticBeanstalkFullAccess", to my user.

You can read more here: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts-roles.html#concepts-roles-user

Abel ANEIROS
  • AWSElasticBeanstalkFullAccess does not exist on AWS. Most similar is AdministratorAccess-AWSElasticBeanstalk – Arturo Sep 20 '22 at 11:31
0

There seems to be a thread on aws support forum here: https://forums.aws.amazon.com/thread.jspa?messageID=670359

I am having the same issue when trying to access a Beanstalk environment via a cross-account IAM policy.

I think that logging into the console with an IAM account that belongs to that particular AWS account will resolve the issue. I'm certain AWS folks are working on it.

Cmag
  • I was correct, issue linked to federated users. https://forums.aws.amazon.com/thread.jspa?threadID=212981. Bug fix coming soon – Cmag Aug 18 '15 at 21:46
0

https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/iam-servicerole.html

Because of permission issues, the Elastic Beanstalk service doesn't always successfully create this service-linked role for you. Therefore, the console tries to explicitly create it. To ensure your account has this service-linked role, create an environment at least once using the console, and configure managed updates to be enabled before you create the environment.

When you start building the environment, please make sure of the following:

  1. Create a key pair in EC2 and note its name.
  2. Create the role aws-elasticbeanstalk-service-role and add:
     • AWSElasticBeanstalkEnhancedHealth
     • AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy
  3. Create Ebs-service-role and add:
     • AWSElasticBeanstalkWebTier
     • AWSElasticBeanstalkWorkerTier
     • AWSElasticBeanstalkMulticontainerDocker

Now, in the environment configuration:

  • Service role: aws-elasticbeanstalk-service-role
  • EC2 key pair: your instance key name
  • EC2 instance profile: Ebs-service-role

If you want to create custom policies instead of using the managed ones:

AWSElasticBeanstalkWebTier

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "BucketAccess",
          "Action": [
            "s3:Get*",
            "s3:List*",
            "s3:PutObject"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::elasticbeanstalk-*",
            "arn:aws:s3:::elasticbeanstalk-*/*"
          ]
        },
        {
          "Sid": "XRayAccess",
          "Action": [
            "xray:PutTraceSegments",
            "xray:PutTelemetryRecords",
            "xray:GetSamplingRules",
            "xray:GetSamplingTargets",
            "xray:GetSamplingStatisticSummaries"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Sid": "CloudWatchLogsAccess",
          "Action": [
            "logs:PutLogEvents",
            "logs:CreateLogStream",
            "logs:DescribeLogStreams",
            "logs:DescribeLogGroups"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk*"
          ]
        },
        {
          "Sid": "ElasticBeanstalkHealthAccess",
          "Action": [
            "elasticbeanstalk:PutInstanceStatistics"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:elasticbeanstalk:*:*:application/*",
            "arn:aws:elasticbeanstalk:*:*:environment/*"
          ]
        }
      ]
    }

AWSElasticBeanstalkWorkerTier

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "MetricsAccess",
          "Action": [
            "cloudwatch:PutMetricData"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Sid": "XRayAccess",
          "Action": [
            "xray:PutTraceSegments",
            "xray:PutTelemetryRecords",
            "xray:GetSamplingRules",
            "xray:GetSamplingTargets",
            "xray:GetSamplingStatisticSummaries"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Sid": "QueueAccess",
          "Action": [
            "sqs:ChangeMessageVisibility",
            "sqs:DeleteMessage",
            "sqs:ReceiveMessage",
            "sqs:SendMessage"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Sid": "BucketAccess",
          "Action": [
            "s3:Get*",
            "s3:List*",
            "s3:PutObject"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::elasticbeanstalk-*",
            "arn:aws:s3:::elasticbeanstalk-*/*"
          ]
        },
        {
          "Sid": "DynamoPeriodicTasks",
          "Action": [
            "dynamodb:BatchGetItem",
            "dynamodb:BatchWriteItem",
            "dynamodb:DeleteItem",
            "dynamodb:GetItem",
            "dynamodb:PutItem",
            "dynamodb:Query",
            "dynamodb:Scan",
            "dynamodb:UpdateItem"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:dynamodb:*:*:table/*-stack-AWSEBWorkerCronLeaderRegistry*"
          ]
        },
        {
          "Sid": "CloudWatchLogsAccess",
          "Action": [
            "logs:PutLogEvents",
            "logs:CreateLogStream"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk*"
          ]
        },
        {
          "Sid": "ElasticBeanstalkHealthAccess",
          "Action": [
            "elasticbeanstalk:PutInstanceStatistics"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:elasticbeanstalk:*:*:application/*",
            "arn:aws:elasticbeanstalk:*:*:environment/*"
          ]
        }
      ]
    }

AWSElasticBeanstalkMulticontainerDocker

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ECSAccess",
          "Effect": "Allow",
          "Action": [
            "ecs:Poll",
            "ecs:StartTask",
            "ecs:StopTask",
            "ecs:DiscoverPollEndpoint",
            "ecs:StartTelemetrySession",
            "ecs:RegisterContainerInstance",
            "ecs:DeregisterContainerInstance",
            "ecs:DescribeContainerInstances",
            "ecs:Submit*"
          ],
          "Resource": "*"
        }
      ]
    }

At the end, add the following inline policy to the EC2 role:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ElasticBeanstalkHealthAccess",
          "Action": [
            "elasticbeanstalk:PutInstanceStatistics"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:elasticbeanstalk:*:*:application/*",
            "arn:aws:elasticbeanstalk:*:*:environment/*"
          ]
        }
      ]
    }

And

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "elasticbeanstalk:CheckForUpdate"
          ],
          "Resource": "*"
        }
      ]
    }

vaquar khan