4

I created my Dockerrun.aws.json file and uploaded it during the creation of my Beanstalk (docker) environment. I also uploaded the .dockercfg file created by the "docker login" command into the S3 bucket specified in the Dockerrun.aws.json configuration.

However, when I attempt to start up the environment, I receive the error (bottom of post) stating that the EC2 instance doesn't have access to the .dockercfg file in the bucket. How do I make sure the Beanstalk application can access the config JSON file in the provided S3 bucket?

Thanks! (error below)


```
i-64c62de7  Severe  1 day   -   -   -   -   -   -   -   -   -   -   0.00    0.01    0.3 0.0 0.0 99.6    0.1
    Application deployment failed at 2016-02-27T04:30:54Z with exit status 1 and error: Hook /opt/elasticbeanstalk/hooks/appdeploy/pre/03build.sh failed.

Traceback (most recent call last):
  File "/opt/elasticbeanstalk/containerfiles/support/download_auth.py", line 18, in <module>
    download_auth(argv[1], argv[2], get_instance_identity()['document']['region'])
  File "/opt/elasticbeanstalk/containerfiles/support/download_auth.py", line 15, in download_auth
    key.get_contents_to_filename('/root/.dockercfg')
  File "/usr/lib/python2.7/dist-packages/boto/s3/key.py", line 1712, in get_contents_to_filename
    response_headers=response_headers)
  File "/usr/lib/python2.7/dist-packages/boto/s3/key.py", line 1650, in get_contents_to_file
    response_headers=response_headers)
  File "/usr/lib/python2.7/dist-packages/boto/s3/key.py", line 1482, in get_file
    query_args=None)
  File "/usr/lib/python2.7/dist-packages/boto/s3/key.py", line 1514, in _get_file_internal
    override_num_retries=override_num_retries)
  File "/usr/lib/python2.7/dist-packages/boto/s3/key.py", line 343, in open
    override_num_retries=override_num_retries)
  File "/usr/lib/python2.7/dist-packages/boto/s3/key.py", line 303, in open_read
    self.resp.reason, body)
boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>910AD275D3E3110A</RequestId><HostId>682j0cjMsfurjyy/PGT3W9wRxI+4sh+rrESuw2WpInERcn4p4f9XGwBFdpBmDYQc</HostId></Error>
Failed to download authentication credentials dockercfg from my-s3-bucket.
```
Brian FitzGerald

2 Answers

7

You have to make sure the IAM role you are using has access to your bucket and key. Something like:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BucketAccess",
            "Effect": "Allow",
            "Action": [
                "s3:List*",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket"
            ]
        },
        {
            "Sid": "S3ObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/*"
            ]
        }
    ]
}
```

If you are not doing this, you should be pointing to an IAM role from your .ebextensions rather than allowing EB to create its own, so you can control this:

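```yaml
# .ebextensions config file: pin the instance profile instead of letting EB create one
option_settings:
  - namespace: aws:autoscaling:launchconfiguration
    option_name: IamInstanceProfile
    value: arn:aws:iam::xxxxxxxxx:instance-profile/yourRole
```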
dkarchmer
  • Are you saying I need BOTH the configuration changes to `Dockerrun.aws.json` AND the custom .ebextensions file, or ONE of the two? Thank you, just want to make sure I understand correctly. – Brian FitzGerald Feb 28 '16 at 20:12
  • The dockerrun file specifies where the file is, but AFAIK, it does not make EB set up permissions to access that file. You have to do that from the Role/Policy/Permission. So, your dockerrun is likely ok – dkarchmer Feb 28 '16 at 20:18
  • Did my recommendation work? Or was that not the right answer? – dkarchmer Feb 29 '16 at 23:14
  • Thanks for the follow up; I'm trying this out tonight and will post back. – Brian FitzGerald Mar 01 '16 at 00:05
  • 1
    Updating the roles did the job. Now the Beanstalk Application says it can't find the docker image in the private repo (even though it's there), so that's my next hurdle... Ever seen that? – Brian FitzGerald Mar 01 '16 at 14:43
  • I haven't, but make sure the file is correct. I believe it is a JSON format, so make sure it is all there. – dkarchmer Mar 01 '16 at 15:48
0

Just add the AmazonS3FullAccess policy name to the aws-elasticbeanstalk-ec2-role role in IAM.

Fractal Mind
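An added example, not part of either answer or of Elastic Beanstalk: a simplified evaluator for IAM `Allow` statements that compares what the first answer's policy, a full-access grant of the kind the second answer attaches, and a single-object policy each permit on the instance role. The key name `.dockercfg`, the `FULL_ACCESS` and `SCOPED` policies, and the probe object and bucket names are assumptions constructed here.

```python
import re

def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource):
    """True if an Allow statement covers (action, resource).
    Simplified on purpose: Deny, NotAction, NotResource and Condition are not evaluated."""
    for st in _as_list(policy["Statement"]):
        if (st.get("Effect") == "Allow"
                and any(_match(a, action, True) for a in _as_list(st.get("Action", [])))
                and any(_match(r, resource) for r in _as_list(st.get("Resource", [])))):
            return True
    return False

def audit(policy, bucket="mybucket", key=".dockercfg"):
    """The read the deploy hook needs, plus what else the instance role could do."""
    arn = "arn:aws:s3:::"
    return {
        "reads_dockercfg": allows(policy, "s3:GetObject", arn + bucket + "/" + key),
        "reads_other_objects": allows(policy, "s3:GetObject", arn + bucket + "/other-object"),
        "writes_objects": allows(policy, "s3:PutObject", arn + bucket + "/" + key),
        "reaches_other_buckets": allows(policy, "s3:GetObject", arn + "another-bucket/x"),
    }

# Policy from the first answer (bucket name as written there).
ANSWER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:List*", "s3:GetBucketLocation"],
     "Resource": ["arn:aws:s3:::mybucket"]},
    {"Effect": "Allow", "Action": ["s3:GetObject*", "s3:List*"],
     "Resource": ["arn:aws:s3:::mybucket/*"]}]}
# Constructed stand-in for a full-access grant: every S3 action on every resource.
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
# Constructed narrower policy: one action on the one object.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::mybucket/.dockercfg"}]}

if __name__ == "__main__":
    for name, pol in [("answer", ANSWER_POLICY), ("full", FULL_ACCESS), ("scoped", SCOPED)]:
        print(name, audit(pol))
```

All three policies allow the `.dockercfg` read; they differ only in how much else the instance role can reach.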