
I am trying to set up an EC2 instance (a role is associated with this instance). This instance is responsible for the following:

  1. Create build, and upload to s3 bucket
  2. Create a new application version from this build for elasticbeanstalk
  3. Deploy newly created version on beanstalk

I am running the following 3 commands. The first 2 are executed successfully.

```
# Upload the build artifact to the build bucket
aws s3 cp api-service-build.zip s3://build-bucket/api-service/2022-11-2022.zip

# Register the uploaded bundle as a new application version
aws elasticbeanstalk create-application-version \
    --application-name api-service-stage \
    --version-label v5 \
    --description "Version 5" \
    --source-bundle S3Bucket="build-bucket",S3Key="api-service/2022-11-2022.zip"
```

But when I try to run the third command, it's unable to deploy (please note that on the CLI it's not failing).

```
# Deploy the new version to the environment
aws elasticbeanstalk update-environment \
    --environment-name api-service-stage-env \
    --version-label v5
```

On the Beanstalk web console I can see the following error:

User: arn:aws:sts::xxxxxxxxx:assumed-role/MyAssumedRole/i-xxxxxx is not authorized to perform: autoscaling:DescribeAutoScalingGroups because no identity-based policy allows the autoscaling:DescribeAutoScalingGroups action (Service: AmazonAutoScaling; Status Code: 403; Error Code: AccessDenied;

I have updated my policy more than 30 times to reach the above point, and yet another permission error.

Is there a way or a tool where I paste my command and it tells me what permissions are required to run this command?

  • aws s3 cp
  • aws elasticbeanstalk create-application-version
  • aws elasticbeanstalk update-environment

The permissions I have added so far in MyAssumedRoles are as follows. I have added these with lots of hit and trial, and yet it's asking about another one, autoscaling.

  1. S3 Full access
  2. Elastic Beanstalk full access
  3. CloudFormation full access
PHP Avenger
  • The issue you have here is that your Elastic Beanstalk app may optionally comprise many different AWS resources from different services (e.g. ELB, S3, DynamoDB, EC2, AutoScaling, RDS, SQS, logging etc.) There's no programmatic way that I know of to determine the minimal list of permissions/resources for a given EB application. That said, see if [Elastic Beanstalk IAM developer permissions](https://stackoverflow.com/questions/33038941/elastic-beanstalk-iam-developer-permissions) helps. – jarmod Nov 22 '22 at 15:03

1 Answer


Based on the error, you are missing the AutoScaling permissions. They are different from the ones that you have already added. The best way to test is to use the AWS Policy Simulator. Follow the steps below:

  1. Log in to the AWS Console.
  2. Go to the following URL: https://policysim.aws.amazon.com
  3. Under User, Groups & Roles: select Roles and then the role MyAssumedRole.
  4. You can test the access on the right by selecting the action, e.g. under Policy Simulator, select Auto Scaling and then the action DescribeScalingPlans. Policy Simulator will give you the exact policy you need to add for your role.
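
The check the Policy Simulator steps perform can also be run from the CLI with `aws iam simulate-principal-policy`. The script below is an added example, not part of the original answer: it pulls the denied actions and the role out of AccessDenied messages shaped like the one in the question and prints the CLI call that evaluates them. The sample messages, the account and instance ids, the second denied action and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): turn AccessDenied messages into
# one simulate-principal-policy call instead of fixing one permission per deploy.

# Constructed sample input: lines shaped like the error quoted in the question.
# The account id, instance id and the second denied action are made up.
SAMPLE_EVENTS='User: arn:aws:sts::111122223333:assumed-role/MyAssumedRole/i-0abc is not authorized to perform: autoscaling:DescribeAutoScalingGroups because no identity-based policy allows the autoscaling:DescribeAutoScalingGroups action (Service: AmazonAutoScaling; Status Code: 403; Error Code: AccessDenied;
Environment update is starting.
User: arn:aws:sts::111122223333:assumed-role/MyAssumedRole/i-0abc is not authorized to perform: elasticloadbalancing:DescribeTargetGroups because no identity-based policy allows the elasticloadbalancing:DescribeTargetGroups action'

# Print each distinct denied action (service:Action) found on stdin.
# Lines without an AccessDenied message are ignored.
denied_actions() {
  sed -n 's/.*is not authorized to perform: \([A-Za-z0-9-]*:[A-Za-z0-9*]*\).*/\1/p' | sort -u
}

# Convert the assumed-role session ARN in the message into the IAM role ARN
# that --policy-source-arn expects. Caveat: a session ARN omits the role path,
# so a role created under a path needs that path added back by hand.
role_arn() {
  sed -n 's#.*User: arn:aws:sts::\([^:]*\):assumed-role/\([^/]*\)/.*#arn:aws:iam::\1:role/\2#p' \
    | sort -u | head -n 1
}

# Print (do not run) the CLI call that evaluates the denied actions for the role.
simulate_command() {
  events=$1
  arn=$(printf '%s\n' "$events" | role_arn)
  actions=$(printf '%s\n' "$events" | denied_actions | tr '\n' ' ')
  printf 'aws iam simulate-principal-policy --policy-source-arn %s --action-names %s\n' \
    "$arn" "${actions% }"
}

simulate_command "$SAMPLE_EVENTS"
```

Run the printed command with credentials that are allowed to call `iam:SimulatePrincipalPolicy`; after editing the role's policy, rerun it to confirm each action evaluates to allowed before deploying again.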