Access Denied on S3 object when configuring Elastic Beanstalk

I am trying to configure the "sources" parameter in an Elastic Beanstalk application configuration file. The source is a bz2 file that I uploaded to a new S3 bucket. As an example, the name of the bucket created is "abc" and the file name is "mysource.tar.bz2". The corresponding lines in the configuration file are as follows:

    sources:
      /usr/bin/mysource: https://s3-us-west-2.amazonaws.com/abc/mysource.tar.bz2

When I try to deploy the code, an error appears and when checking the log it shows "AccessDenied" for this file.

I created an instance profile (role) in the AWS IAM console with a trust relationship for Amazon EC2 and set up access to the required bucket.

The permission in the role is as follows:

    {
      "Statement": [
        {
          "Sid": "Stmt13674962346",
          "Action": [
            "s3:*"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::abc/*"
          ]
        }
      ]
    }

I even tried setting the resource to *:

 "Resource": "*" 

But I still get an AccessDenied error.

If I change the permission on the S3 file "mysource.tar.bz2" to make it public, it works.

So, is there a way to make this work without having to make the S3 file public? Are my permission settings for the role incorrect? Or is there some other way to achieve this?

+4
2 answers

It is not possible to access protected AWS assets from Elastic Beanstalk using the files or sources keys. These commands are processed in a basic way and do not read from the instance metadata, so they cannot pick up your AWS credentials (as far as I know).

My solution to this problem was to create an IAM role with the appropriate permissions, install the latest AWS tools, and use the commands key to download and extract the file. The key point is that the AWS command-line tools automatically pick up AWS credentials from the instance.

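    commands:
      # Install the AWS CLI on the instance
      01-install-awscli:
        command: easy_install awscli
      # Download the private object; the CLI uses the instance role's credentials
      02-download-s3-asset:
        command: aws s3 cp --region us-east-1 s3://abc/mysource.tar.bz2 .
      # Unpack the downloaded archive
      03-extract-file:
        command: tar xvjf mysource.tar.bz2 destination/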

Commands are run in the source directory of your project, so if necessary, change the paths or use the cwd parameter to change where the commands run.

+4

I came across a very similar situation and found a way to solve it. See my answer to "Permission denied while Elastic Beanstalk is retrieving S3 file" for more details.

The solution I found involves adding a Resources section with authentication information to your configuration file. My latest .ebextensions configuration file looks like this:

    files:
      "/target/file/path":
        source: https://s3-us-west-1.amazonaws.com/_MyBucket_/_MyFolder_/_MyFile.txt

    Resources:
      AWSEBAutoScalingGroup:
        Metadata:
          AWS::CloudFormation::Authentication:
            S3Access:
              type: S3
              roleName: aws-elasticbeanstalk-ec2-role
              buckets: _MyBucket

+1
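
A pre-deploy check that follows from the two answers above, as an added example (not code from either answer or from AWS): it walks a parsed .ebextensions config and reports `files`/`sources` downloads from S3 that no S3-type `AWS::CloudFormation::Authentication` entry covers, which are the ones fetched anonymously and fail with AccessDenied unless the object is public. The function names and the sample configs are assumptions constructed for illustration, and the config is passed in as an already-parsed dict.

```python
import re
from urllib.parse import urlparse

# Path-style and virtual-hosted-style S3 endpoint hostnames.
_PATH_HOST = re.compile(r"^s3([.-][a-z0-9-]+)?\.amazonaws\.com$")
_VHOST = re.compile(r"^(?P<bucket>.+)\.s3([.-][a-z0-9-]+)?\.amazonaws\.com$")

def s3_bucket(url):
    """Return the bucket an S3 HTTP(S) URL points at, or None for non-S3 URLs."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if _PATH_HOST.match(host):
        return parsed.path.lstrip("/").split("/", 1)[0] or None
    m = _VHOST.match(host)
    return m.group("bucket") if m else None

def s3_auth_entries(config):
    """Map each S3-type AWS::CloudFormation::Authentication entry to its buckets."""
    entries = {}
    for resource in (config.get("Resources") or {}).values():
        auth = (resource.get("Metadata") or {}).get("AWS::CloudFormation::Authentication") or {}
        for name, entry in auth.items():
            if str(entry.get("type", "")).lower() == "s3":
                listed = entry.get("buckets") or []
                entries[name] = {listed} if isinstance(listed, str) else set(listed)
    return entries

def unauthenticated_s3_fetches(config):
    """Return (key, target, bucket) for S3 downloads no authentication entry covers."""
    entries = s3_auth_entries(config)
    covered = set().union(*entries.values())
    fetches = [("sources", t, u, None) for t, u in (config.get("sources") or {}).items()]
    fetches += [("files", t, s.get("source"), s.get("authentication"))
                for t, s in (config.get("files") or {}).items() if isinstance(s, dict)]
    return [(key, target, s3_bucket(url)) for key, target, url, auth in fetches
            if url and s3_bucket(url) and s3_bucket(url) not in covered
            and auth not in entries]

# Constructed sample input: the question's setup as a parsed config (bucket "abc").
QUESTION = {"sources": {"/usr/bin/mysource":
                        "https://s3-us-west-2.amazonaws.com/abc/mysource.tar.bz2"}}
# The same config plus an authentication block like the one in the answer above.
FIXED = dict(QUESTION, Resources={"AWSEBAutoScalingGroup": {"Metadata": {
    "AWS::CloudFormation::Authentication": {"S3Access": {
        "type": "S3", "roleName": "aws-elasticbeanstalk-ec2-role", "buckets": "abc"}}}}})

if __name__ == "__main__":
    print(unauthenticated_s3_fetches(QUESTION))  # one finding for bucket "abc"
    print(unauthenticated_s3_fetches(FIXED))     # no findings
```
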