I'm testing out AWS and Elastic Beanstalk and have Beanstalk running a version that was manually uploaded.
When I try to update the version from the command line, the command returns OK but Beanstalk shows an error event.
[ec2-user@ip-172-31-35-38 ~]$ /usr/bin/aws elasticbeanstalk update-environment --environment-name play-app-test --version-label play-app-1051 --region us-east-1
True play-app play-app-test.elasticbeanstalk.com 2015-09-27T04:05:25.486Z 2015-09-27T06:07:28.031Z .....us-east-1.elb.amazonaws.com e-jk8fyjd3dt play-app-test Grey 64bit Amazon Linux 2015.03 v2.play-app-1051Node.js
TIER WebServer Standard
[ec2-user@ip-172-31-35-38 ~]$
Service:Amazon S3, Message:You do not have permission to perform the 's3:ListBucket' action. Verify that your S3 policies and your ACLs allow you to perform these actions.
Who exactly is it that does not have permission?
My Beanstalk environment's health permissions role is aws-elasticbeanstalk-service-role, to which I've attached a policy granting access to S3 (I use the same policy for the user that uploaded the build to S3, and it worked there).
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::play-app-builds"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": "arn:aws:s3:::play-app-builds/*"
        }
    ]
}
The Beanstalk environment server's instance profile role is aws-elasticbeanstalk-ec2-role, which also has the above policy attached.
I turned on CloudTrail. It shows the UpdateEnvironment call but doesn't show any S3 calls after that. I'm not sure if CloudTrail shows failed calls or not.
Within S3 I turned logging on for the builds bucket but nothing has been logged.
What am I missing?
You are whoever aws iam get-user (with no user name) says you are.
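An added example, not part of the question or the answer above. The script does locally what the answer suggests doing against the account: it pulls the principal out of a CloudTrail record and evaluates the posted policy against the action and bucket that were requested, so you can see both who was denied and whether the policy attached to that identity even covers the bucket. The CloudTrail record is constructed (the post shows none; CloudTrail does record denied calls, with errorCode and errorMessage fields), and its role name, account ID and bucket name are made up. For a role session the IAM entity whose policies matter is the one in sessionContext.sessionIssuer, not the temporary assumed-role ARN; likewise, when checking the caller from a shell, aws sts get-caller-identity returns the ARN for role credentials as well as for users.

```python
"""Identify who a denied S3 call belongs to and whether a given IAM identity
policy would have allowed it.  Example code added to this page, not from the
original post; the CloudTrail record below is constructed."""
import fnmatch

# Policy exactly as posted in the question.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"],
         "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::play-app-builds"},
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": "arn:aws:s3:::play-app-builds/*"},
    ],
}

# Constructed CloudTrail record (hypothetical role, account and bucket).
# Failed calls are recorded too; errorCode/errorMessage appear only on failure.
# Note the API name is ListObjects while the IAM action it needs is s3:ListBucket.
SAMPLE_EVENT = {
    "eventVersion": "1.03",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAEXAMPLEID:i-0abc123",
        "arn": "arn:aws:sts::123456789012:assumed-role/example-deploy-role/i-0abc123",
        "accountId": "123456789012",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "arn": "arn:aws:iam::123456789012:role/example-deploy-role",
                "userName": "example-deploy-role",
            }
        },
    },
    "eventTime": "2015-09-27T06:07:28Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "ListObjects",
    "awsRegion": "us-east-1",
    "errorCode": "AccessDenied",
    "errorMessage": "Access Denied",
    "requestParameters": {"bucketName": "some-other-bucket"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    """IAM wildcard match. Action names are case-insensitive, ARNs are not."""
    if fold_case:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if fold_case else p)
               for p in _as_list(patterns))


def policy_allows(policy, action, resource):
    """Evaluate one action/resource pair against an identity policy.
    Explicit Deny wins; no matching Allow means implicit deny.
    Simplification: Condition, NotAction and NotResource are not handled."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action, fold_case=True):
            continue
        if not _matches(stmt.get("Resource", []), resource, fold_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def principal_to_fix(event):
    """Return the IAM entity whose policies govern the call in this record."""
    ident = event["userIdentity"]
    kind = ident["type"]
    if kind == "AssumedRole":
        # Policies attach to the role, not to the temporary session ARN.
        return ident["sessionContext"]["sessionIssuer"]["arn"]
    if kind in ("IAMUser", "Root"):
        return ident["arn"]
    if kind == "AWSService":
        return ident.get("invokedBy", "unknown-service")
    return ident.get("arn", kind)


def explain_denial(event, policy):
    """Who called, which bucket, and whether `policy` would have allowed it."""
    bucket = event["requestParameters"]["bucketName"]
    resource = f"arn:aws:s3:::{bucket}"
    return {
        "principal": principal_to_fix(event),
        "resource": resource,
        "error": event.get("errorCode"),
        "policy_covers_it": policy_allows(policy, "s3:ListBucket", resource),
    }


if __name__ == "__main__":
    for key, val in explain_denial(SAMPLE_EVENT, POLICY).items():
        print(f"{key}: {val}")
```

Run against real records, the "principal" value is the ARN to compare with the roles listed in the question; if the policy covers the bucket for that principal, the next place to look is a bucket policy or ACL, which this identity-policy check does not see.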