Hello team, I have been trying to set up an SSL certificate, storing its private key and crt in an S3 bucket. The files are currently in the default S3 bucket for Elastic Beanstalk in the region. The ebs app has an instance role different from the default instance role. I have tried modifying the default value to the instance profile name, also tried using the instance role while adding an S3 full access permission to it, and finally reverting to using the default aws-elasticbeanstalk-ec2-role, but all failed with the error - Error occurred during build: Failed to retrieve https://elasticbeanstalk-us-east-2-accountid.s3.us-east-2.amazonaws.com/server.crt. The S3 bucket has a policy to allow "Action": "s3:PutObject", "s3:ListBucket", "s3:ListBucketVersions", "s3:GetObject", "s3:GetObjectVersion" from both the default Beanstalk role and the role I created for the app. Please, is there any reason this is failing?
Note: the accountid used in the code is a placeholder.
Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Auth:
          type: "s3"
          buckets: ["elasticbeanstalk-us-east-2-accountid"]
          roleName:
            "Fn::GetOptionSetting":
              Namespace: "aws:autoscaling:launchconfiguration"
              OptionName: "IamInstanceProfile"
              DefaultValue: "aws-elasticbeanstalk-ec2-role"
files:
  # Private key
  "/etc/pki/tls/certs/server.key":
    mode: "000400"
    owner: root
    group: root
    authentication: "S3Auth"
    source: https://elasticbeanstalk-us-east-2-accountid.s3.us-east-2.amazonaws.com/server.key
files:
  # crt
  "/etc/pki/tls/certs/server.crt":
    mode: "000400"
    owner: root
    group: root
    authentication: "S3Auth"
    source: https://elasticbeanstalk-us-east-2-accountid.s3.us-east-2.amazonaws.com/server.crt
Thanks for spotting this, it works now.