Elastic Beanstalk, Unable to assume role "arn:aws:iam::********:role/aws-elasticbeanstalk-service-role". Verify that the role exists and is configured correctly.

0

One of my Beanstalk environments started to be in severe/degraded status and is showing me the error

Unable to assume role "arn:aws:iam::******:role/aws-elasticbeanstalk-service-role". Verify that the role exists and is configured correctly.

Upon checking, nothing has changed in this service role, and all my other EB environments using this service role work fine. The service role has two managed policies (AWSElasticBeanstalkEnhancedHealth & AWSElasticBeanstalkService) attached, with a proper trust relationship set up as below. I also confirmed my user IAM policy is Admin, which gives access to do anything (including assume/pass roles). What else can be causing this error? How do I fix it?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "elasticbeanstalk.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "elasticbeanstalk"
        }
      }
    }
  ]
}

3 Answers
1

I have had the same issue as yours and I was able to fix it when I chose to create a new role as defined by Elastic Beanstalk. My first attempt was to add the "AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy" policy to the role for my website, but it didn't fix the issue even though I restarted the environment. After many troubleshooting workarounds done to no avail, I resorted to creating a new environment and I chose "Create and use new service role" in the Service Role. I just let "aws-elasticbeanstalk-service-role" autofill "Existing service roles" and just followed the prompts thereafter.

Vin
Answered 9 months ago
  • Really appreciate your genius solution. I tried several times to conquer this issue. I trust this is an AWS issue.... but I was not able to report a case with a technical issue.

0

Hi,

From the case notes I understand that you are getting the error Unable to assume role "arn:aws:iam::xxxxxx:role/aws-elasticbeanstalk-service-role" in your Elastic Beanstalk environment.

Per the Elastic Beanstalk documentation the trust policy that you have for your service role is correct. I am attaching the following documentation for that here (1). After testing I was not able to replicate this issue in my account as Elastic Beanstalk was successfully able to assume the service role with this trust policy. Based off of this I would recommend opening a case with AWS support in order to allow a support engineer to better troubleshoot the issue.

I hope you have a great rest of your day!

References

(1) https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/iam-servicerole.html#iam-servicerole-console

AWS
Support Engineer
Answered 2 years ago
  • Same problem with my Elastic Beanstalk

0

I had this same problem; to fix it I just created a new role instead of using the default role option.

template.yml:

AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template to create a service-linked role for Elastic Beanstalk

Resources:

  ElasticBeanstalkServiceRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: 'cicd-role'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: 'Allow'
            Action: 'sts:AssumeRole'
            Principal:
              Service: 'elasticbeanstalk.amazonaws.com'
      Description: 'Allows Elastic Beanstalk to create and manage AWS resources on your behalf.'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk
        - arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth
        - arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService

Outputs:
  RoleArn:
    Description: 'ARN of the Elastic Beanstalk service role'
    Value: !GetAtt [ElasticBeanstalkServiceRole, Arn]

Or in the AWS Management Console:

  • Roles > Create
  • Trusted entity type > AWS service
  • Use case > Elastic Beanstalk
  • (Everything else as default)
  • Create
Answered 6 months ago
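A local check of the two trust policies posted in this thread, as an added example that is not part of any answer and not AWS tooling: it reports whether the Elastic Beanstalk service principal is allowed to call sts:AssumeRole and which conditions each trust policy imposes. The names `audit_trust_policy`, `_as_list` and the `WRONG_PRINCIPAL` sample are constructed for illustration.

```python
import json

EB_PRINCIPAL = "elasticbeanstalk.amazonaws.com"
ASSUME = {"sts:AssumeRole", "sts:*", "*"}  # action strings that cover AssumeRole

def _as_list(value):
    """IAM accepts either one string or a list for Action and Principal.Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy):
    """Return (assumable, findings) for the Elastic Beanstalk service principal."""
    findings, allowed, denied = [], False, False
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if EB_PRINCIPAL not in services or not ASSUME.intersection(_as_list(stmt.get("Action"))):
            continue
        if stmt.get("Effect") == "Deny":
            # Conservative: a Deny is reported as blocking even if it is conditional.
            denied = True
            findings.append(f"statement {i}: explicit Deny for {EB_PRINCIPAL}")
            continue
        allowed = True
        condition = stmt.get("Condition") or {}
        if not condition:
            findings.append(f"statement {i}: no Condition restricts the service principal")
        for operator, keys in condition.items():
            for key, expected in keys.items():
                findings.append(f"statement {i}: requires {operator} {key} = {expected}")
    if not allowed:
        findings.append(f"no Allow statement lets {EB_PRINCIPAL} call sts:AssumeRole")
    return allowed and not denied, findings

# Trust policy quoted in the question on this page.
QUESTION_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Sid": "",
  "Effect": "Allow", "Principal": {"Service": "elasticbeanstalk.amazonaws.com"},
  "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "elasticbeanstalk"}}}]}""")
# JSON form of the AssumeRolePolicyDocument in the template.yml answer on this page.
TEMPLATE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "sts:AssumeRole", "Principal": {"Service": "elasticbeanstalk.amazonaws.com"}}]}
# Constructed negative case: the role trusts a different service.
WRONG_PRINCIPAL = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "sts:AssumeRole", "Principal": {"Service": "ec2.amazonaws.com"}}]}

if __name__ == "__main__":
    for name in ("QUESTION_POLICY", "TEMPLATE_POLICY", "WRONG_PRINCIPAL"):
        print(name, audit_trust_policy(globals()[name]))
```

To run it against a live role, pass in the JSON printed by `aws iam get-role --role-name <role-name> --query Role.AssumeRolePolicyDocument`; the check covers the trust policy only, not the permissions attached to the role.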
