Getting application logs. Command failed on instance

Old question, but I just figured this for our apps. What user policy are you using? If you are using ReadOnly, The default policy “AWSElasticBeanstalkReadOnlyAccess” does not include log download capability. In the aws documentation, theres an example of an IAM policy that can be created for a user to enable this functionality.

See http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.managed-policies.html under “Creating a Custom User Policy”. The final example shows the needed S3 permissions that need to be granted on top of what is already provided in the ReadOnlyAccess policy in order to bundle and download the logs.