14

When I try to launch an Elastic Beanstalk environment from the command line, I get this error during the process:

Environment health has transitioned from Pending to Warning. Access denied while accessing Auto Scaling and Elastic Load Balancing using role "arn:aws:iam::XXXXXXXXXX:role/aws-elasticbeanstalk-service-role". Verify the role policy.

When I launch it from the console, I do not get this warning. I have tried to replicate the same AWS console configuration from the CLI, but I still get this error.

Any clue what's going on?

Bill_Flanders
  • I just ran into a similar issue. I'm using Terraform to create the service role, and the 'aws_iam_role_policy_attachment' is used to attach managed policies. But the attachment is a separate resource. I'm guessing that the role is being created first, then the environment is deployed before the policies are attached. This can be solved with some explicit dependencies. It could be the same situation with CloudFormation as well. – Matimus Mar 17 '22 at 17:52

4 Answers

24

If anyone is still getting a similar error and is still unsure how to solve it:

  1. Navigate to IAM in the AWS Console.
  2. Navigate to the aws-elasticbeanstalk-service-role (under Access Management > Roles).
  3. Attach the following policies:
    • AutoScalingFullAccess
    • ElasticLoadBalancingFullAccess

I then rebuilt the environment, no more errors!

The following article helped me understand this better: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts-roles-service.html

Eskay Amadeus
Eric Geerts
7

You can go to your IAM console. You will see the "aws-elasticbeanstalk-service-role". Under the Permissions tab, you can grant the specific permissions you want to give the policy on your behalf. Refresh and you should have "Ok". Make sure the permissions you grant the role can manage this: "Auto Scaling and Elastic Load Balancing using role".

6

Elastic Beanstalk now uses a Service Role to call other AWS services on your behalf. The IAM role is created in your account and you give permissions to launch Service role is optional but recommended for new environments.

Especially for enhanced health monitoring (which is what you're using based on the error message), a service role is mandatory. A misconfigured service role can lead to this error message.

The console experience makes it very easy for you to create/use the role with the correct permissions. This is because you just need to select the correct role from the dropdown (if the role already exists) when using the create environment wizard.

When using the CLI you need to pass the service role option setting. (namespace: aws:elasticbeanstalk:environment, option_name: ServiceRole). You can find the required permissions for a role configured in this documentation.

There are some more details about service roles in my previous Stack Overflow answer here.

Community
Rohit Banga
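The CLI path described in the answer above, as an added example that is not part of the original answers: it confirms the policies are attached to the service role before creating the environment (which also avoids the create-before-attach ordering problem raised in the comment on the question) and passes the role through the `ServiceRole` option setting. The function names are hypothetical, the policy names are the two named in the answers on this page, and the application, environment and solution stack names are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original answers. Function names are hypothetical.
ROLE="aws-elasticbeanstalk-service-role"
# Assumption: the policy names listed in the answers on this page.
REQUIRED_POLICIES="AutoScalingFullAccess ElasticLoadBalancingFullAccess"

# Print every required policy that is absent from the whitespace-separated
# list of attached policy names given in $1 (exact-name match only).
missing_policies() {
  have=" $(printf '%s' "$1" | tr '\t\n' '  ') "
  for p in $REQUIRED_POLICIES; do
    case "$have" in
      *" $p "*) ;;
      *) printf '%s\n' "$p" ;;
    esac
  done
}

# Emit the option-settings JSON that selects the service role named in $1.
service_role_option() {
  printf '[{"Namespace":"aws:elasticbeanstalk:environment","OptionName":"ServiceRole","Value":"%s"}]\n' "$1"
}

# Args: application name, environment name, solution stack name.
preflight_and_create() {
  attached=$(aws iam list-attached-role-policies --role-name "$ROLE" \
    --query 'AttachedPolicies[].PolicyName' --output text) || return 1
  missing=$(missing_policies "$attached")
  if [ -n "$missing" ]; then
    echo "role $ROLE is missing attached policies: $missing" >&2
    return 1
  fi
  aws elasticbeanstalk create-environment \
    --application-name "$1" --environment-name "$2" \
    --solution-stack-name "$3" \
    --option-settings "$(service_role_option "$ROLE")"
}

# Usage: preflight_and_create <application> <environment> "<solution stack name>"
```

Inline policies on the role are not returned by `list-attached-role-policies`, so a role that grants the same permissions inline will be reported as missing them.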
0

If anyone cannot solve the error with the previous actions, what I had to do is:

  1. Add to aws-elasticbeanstalk-service-role the following policies AutoScalingFullAccess | ElasticLoadBalancingFullAccess
  2. Not re-start but build the environment again

(after a while it kept launching the error)

Then I added:

  • AdministratorAccess-AWSElasticBeanstalk (again to aws-elasticbeanstalk-service-role)
  • Re-build the environment again

It is working at the moment.