Saturday, April 5, 2014

Amazon Web Services - Access denied to an S3 object in an Elastic Beanstalk configuration setting - Stack Overflow


I am trying to configure the 'source' parameter in an Elastic Beanstalk application config file. The relevant source is a bz2 file which I have uploaded in a new S3 bucket. As an example, the name of the bucket created is 'abc' and the file name is 'mysource.tar.bz2'. The relevant line in the config file looks like this:


    source:
      /usr/bin/mysource: https://s3-us-west-2.amazonaws.com/abc/mysource.tar.bz2

When trying to deploy the code, there is an error and on checking the log, it shows 'AccessDenied' for this file.


I have created an Instance Profile (Role) in the AWS IAM console with Trust relationship for Amazon EC2 and have set the access to the required bucket.


The permission in the role looks like this:


    {
      "Statement": [
        {
          "Sid": "Stmt13674962346",
          "Action": [
            "s3:*"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::abc/*"
          ]
        }
      ]
    }

Have even tried setting the Resource to *:


    "Resource": "*"

But still get the AccessDenied error.


If I change the permission for the S3 file 'mysource.tar.bz2' by making it public, it works.


So, is there a way to get this working without having to make the S3 file public? Are my settings for the role permission incorrect? Or is there some other way to achieve this?




It's not possible to access protected AWS assets from Elastic Beanstalk using the files or source keys. These commands are processed in a basic way and do not read from the instance metadata, thus they cannot extract your AWS credentials (as far as I know).


My solution to this problem was to create an IAM role with appropriate permissions, install the most recent AWS tools, and use the commands key to download and extract the file. The key is the AWS command-line tools that automatically extract AWS credentials from the instance.


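    commands:
      01-install-awscli:
        command: easy_install awscli
      02-download-s3-asset:
        # Runs with the instance role's credentials; set --region to the bucket's region
        command: aws s3 cp --region us-east-1 s3://abc/mysource.tar.bz2 .
      03-extract-file:
        # -C extracts into destination/, which must already exist
        command: tar xvjf mysource.tar.bz2 -C destination/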

Commands are executed in the source directory of your project, so change paths as necessary or use the cwd option to change where the commands are run from.


