I have a simple file in my .ebextensions
folder:
00-myconfig.config
Resources:
AWSEBAutoScalingGroup:
Metadata:
AWS::CloudFormation::Authentication:
S3Access:
type: S3
roleName: aws-elasticbeanstalk-ec2-role
buckets: my-bucket
files:
"/tmp/ca-bundle.zip":
mode: "000755"
owner: root
group: root
source: https://s3-ap-southeast-2.amazonaws.com/my-bucket/ca/ca-bundle.zip
authentication: S3Access
Which according to multiple answers is the way to grant S3 bucket access to the aws-elasticbeanstalk-ec2-role
role.
But I continue to get the 403 error in /var/log/eb-activity.log
[2015-08-26T01:27:03.544Z] INFO [22320] - [Application update/AppDeployStage0/EbExtensionPreBuild/Infra-EmbeddedPreBuild] : Activity execution failed, because: Failed to retrieve https://s3-ap-southeast-2.amazonaws.com/my-bucket/ca/ca-bundle.zip: HTTP Error 403 : <?xml version="1.0" encoding="UTF-8"?> (ElasticBeanstalk::ExternalInvocationError)
If I manually add an S3 access policy to the aws-elasticbeanstalk-ec2-role
role everything works, so I know I don't have misspellings in URLS or anything else, the EC2 instance is definitely in the correct role.
What is wrong?
PS. I tried the files
section with or without the 'authentication' setting.
Best Answer
I've figured it out and I feel a little bit silly for not picking this up sooner.
So for anyone that uses
AWS::CloudFormation::Authentication
path, the solution of course is:Make sure your BUCKET policy allows your aws-elasticbeanstalk-ec2-role. DOH!!
It should look something like this:
You can grab the ARN from IAM console.
The instructions in your .ebextensions config files only tell the EB deploy tools what to use to authenticate, but your source bucket (if private obviously) needs to allow that principal access!!!