
I want to set up CI/CD using GitHub Actions that creates a new application version in AWS Elastic Beanstalk whenever new code is committed and pushed. Here's the workflow .yml:

name: Build Frontend and Deploy

on:
  push:
    branches: [ master ]

jobs:
  deploy:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v1
        with:
          node-version: '12'
      
      - name: Install app dependencies
        run: npm install

      - name: Build sapper app
        run: npm run build

      - name: Create ZIP deployment package
        run: zip -r deploy_frontend.zip ./

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: "us-east-1"

      - name: Upload package to S3 bucket
        run: aws s3 cp deploy_frontend.zip s3://***-deploy-dev/

      - name: Create new ElasticBeanstalk application version
        run: |
          aws elasticbeanstalk create-application-version \
          --application-name *** \
          --source-bundle S3Bucket="***",S3Key="deploy_frontend.zip" \
          --version-label "ver-${{ github.sha }}" \
          --description "commit-sha-${{ github.sha }}"
      - name: Deploy new ElasticBeanstalk application version
        run: |
          aws elasticbeanstalk update-environment \
          --environment-name *** \
          --version-label "ver-${{ github.sha }}"

Note: I use *** to hide the app and environment names.

The build errored in the "Deploy new ElasticBeanstalk application version" stage. The full error is:

Run aws elasticbeanstalk update-environment \
  aws elasticbeanstalk update-environment \
  --environment-name *** \
  --version-label "ver-44d23ff7b95541c3527b0a7f156c1377d3fdc217"
  shell: /bin/bash -e {0}
  env:
    AWS_DEFAULT_REGION: us-east-1
    AWS_REGION: us-east-1
    AWS_ACCESS_KEY_ID: ***
    AWS_SECRET_ACCESS_KEY: ***

An error occurred (InsufficientPrivilegesException) when calling the UpdateEnvironment operation: Access Denied
Error: Process completed with exit code 255.

However, I think I have set up the relevant permissions in AWS policies. Here's the policy for the GitHub Actions user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "elasticbeanstalk:UpdateEnvironment",
            "Resource": "arn:aws:elasticbeanstalk:us-east-1:917801217495:environment/appname/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:ListPlatformBranches",
                "elasticbeanstalk:DescribeAccountAttributes",
                "elasticbeanstalk:CreateStorageLocation",
                "elasticbeanstalk:CheckDNSAvailability"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "elasticbeanstalk:*",
            "Resource": [
                "arn:aws:elasticbeanstalk:*:917801217495:applicationversion/*/*",
                "arn:aws:elasticbeanstalk:us-east-1:917801217495:environment/appname/*",
                "arn:aws:elasticbeanstalk:us-east-1:917801217495:application/appname"
            ]
        }
    ]
}

Again, I replaced my application name with appname.

I even tried it in the policy simulator and the policy is working as expected. What could be the problem here?

Fawwaz Yusran

1 Answer

I followed the guide from https://documentation.codeship.com/basic/continuous-deployment/deployment-to-elastic-beanstalk/#iam-policies and it is working. Basically, you also need to set up permissions for all of Elastic Beanstalk's related services, not just Elastic Beanstalk.

Fawwaz Yusran
  • For future readers, that link has broken, find the appropriate details at https://web.archive.org/web/20200923084106/https://documentation.codeship.com/basic/continuous-deployment/deployment-to-elastic-beanstalk/ – acorncom May 11 '23 at 08:31
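
The gap the answer describes can be checked offline. This is an added example, not code from the question, the answer or the linked guide: a simplified evaluator run over the policy as posted. The `DOWNSTREAM` list is an assumed, non-exhaustive sample of related-service calls, and the resource names in it are constructed.

```python
import re

ACCT = "917801217495"  # account id as posted in the question
ENV = f"arn:aws:elasticbeanstalk:us-east-1:{ACCT}:environment/appname/*"
POLICY = {"Version": "2012-10-17", "Statement": [  # the question's policy, Sids dropped
    {"Effect": "Allow", "Action": "elasticbeanstalk:UpdateEnvironment", "Resource": ENV},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "elasticbeanstalk:ListPlatformBranches", "elasticbeanstalk:DescribeAccountAttributes",
        "elasticbeanstalk:CreateStorageLocation", "elasticbeanstalk:CheckDNSAvailability"]},
    {"Effect": "Allow", "Action": "elasticbeanstalk:*", "Resource": [
        f"arn:aws:elasticbeanstalk:*:{ACCT}:applicationversion/*/*", ENV,
        f"arn:aws:elasticbeanstalk:us-east-1:{ACCT}:application/appname"]},
]}

# Assumption: a sample of related-service calls involved in an environment update,
# not an exhaustive list. Stack and bucket names are constructed placeholders.
DOWNSTREAM = [
    ("cloudformation:UpdateStack",
     f"arn:aws:cloudformation:us-east-1:{ACCT}:stack/awseb-e-example-stack/00000000"),
    ("autoscaling:UpdateAutoScalingGroup", "*"),
    ("s3:GetObject", "arn:aws:s3:::example-deploy-dev/deploy_frontend.zip"),
    ("ec2:DescribeInstances", "*"),
]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob(pattern, value, ignore_case=False):
    # IAM wildcards: '*' = any run of characters, '?' = exactly one character.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def decision(policy, action, resource):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one identity policy.
    Simplified: ignores Condition, NotAction, NotResource, SCPs and boundaries."""
    result = "implicit-deny"
    for st in _as_list(policy["Statement"]):
        hit = (any(_glob(a, action, True) for a in _as_list(st.get("Action", [])))
               and any(_glob(r, resource) for r in _as_list(st.get("Resource", []))))
        if hit and st["Effect"] == "Deny":
            return "explicit-deny"  # an explicit Deny always wins
        if hit:
            result = "allow"
    return result

def missing_downstream(policy, calls=DOWNSTREAM):
    return [a for a, r in calls if decision(policy, a, r) != "allow"]

if __name__ == "__main__":
    env_arn = ENV.replace("*", "example-env")  # constructed environment ARN
    print(decision(POLICY, "elasticbeanstalk:UpdateEnvironment", env_arn), missing_downstream(POLICY))
```

The environment update itself evaluates to `allow`, which matches the policy simulator result in the question, while every sampled related-service action falls through to an implicit deny.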