Elastic Beanstalk S3 access via .ebextensions

amazon-web-services amazon-s3 configuration amazon-ec2 elastic-beanstalk

Solution 1:

I've figured it out and I feel a little bit silly for not picking this up sooner.

So for anyone that uses AWS::CloudFormation::Authentication path, the solution of course is:

Make sure your BUCKET policy allows your aws-elasticbeanstalk-ec2-role. DOH!!

It should look something like this:

{
    "Id": "Policy1111Blah",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1440Blah",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::11111111111:role/aws-elasticbeanstalk-ec2-role"
                ]
            }
        }
    ]
}

You can grab the ARN from IAM console.

The instructions in your .ebextensions config files only tell the EB deploy tools what to use to authenticate, but your source bucket (if private obviously) needs to allow that principal access!!!

Related

openssl - What is the public key default MD
generating ssh keys with openssl or ssh-keygen
Is My Understanding of Windows Bare Metal System / Images Backups vs. File Backups Correct?
What ports should be mapped via NAT for Lync client?
foo.service holdoff time over, scheduling restart --> Where can I change the holdoff time [duplicate]
Update windows no internet connection
Deploying ssl Certificates per site on iis
Slave replication stops with Last_SQL_Errno: 1032
Nginx client cert verification: ssl_client_certificate vs ssl_trusted_certificate
Any drawbacks to AWS certificate manager wildcard certificates?
Search over different types of documents such as DjVU sometimes without OCR?
Is it possible to download a podcast directly to an iPod Touch without jailbreaking?