Ao usar o AWS re:Post, você concorda com os AWS re:Post Termos de uso
AWS re:Postre:Post

Elastic Beanstalk, Unable to assume role "arn:aws:iam::********:role/aws-elasticbeanstalk-service-role". Verify that the role exists and is configured correctly.

0

One of My Beanstalk environment started to be in sever/degraded status and showing me the error

Unable to assume role "arn:aws:iam::******:role/aws-elasticbeanstalk-service-role". Verify that the role exists and is configured correctly.

Upon checking, there is nothing changed in this service role, and all my other EB enviornment using this service role works fine. The service role has two managed policis (AWSElasticBeanstalkEnhancedHealth & AWSElasticBeanstalkService) attached with proper trust relashionship setup as below. I also confirmed my USER IAM policy is Admin, which give access to do anything (including assume/pass roles). What else can be causing this error? How do I fix it

{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "elasticbeanstalk.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": "elasticbeanstalk" } } } ] }

Tópicos
Segurança, identidade e conformidadeComputação
Tags
AWS Identity and Access ManagementAWS Elastic Beanstalk
Idioma
English
AWS-User-3610377
feita há 2 anos5534 visualizações
3 Respostas
1

I have had the same issue as yours and I was able to fix when I chose to create new role as defined by Elastic Beanstalk. My first attempt was to add the "AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy" policy in the role for my website but it didn't fix the issue though I restart the environment. After many troubleshooting workarounds done to no avail, I resorted to create a new environment and I chose "Create and use new service role" in the Service Role. I just let "aws-elasticbeanstalk-service-role" to autofill "Existing service roles" and just follow the prompts thereafter.

profile picture
Vin
respondido há 9 meses
  • Jimmy
    há 8 meses

    Really appreciate for your genius solution. I tried several times to conque this issue. I trust this is AWS issue.... but not able to reported a case with technical issue.

0

Hi,

From the case notes I understand that you are getting the error Unable to assume role "arn:aws:iam::xxxxxx:role/aws-elasticbeanstalk-service-role", in your elastic beanstalk environment.

Per the Elastic Beanstalk documentation the trust policy that you have for your service role is correct. I am attaching the following documentation for that here (1). After testing I was not able to replicate this issue in my account as Elastic Beanstalk was successfully able to assume the service role with this trust policy. Based off of this I would recommend opening a case with AWS support in order to allow a support engineer to better troubleshoot the issue.

I hope you have a great rest of your day!

References

(1) https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/iam-servicerole.html#iam-servicerole-console

AWS
ENGENHEIRO DE SUPORTE
Patrick_V
respondido há 2 anos
  • Vin
    há 9 meses

    Same problem with my Elastic Beanstalk

0

I had this same problem, to fix it I just created a new role, instead of using the default role option.

template.yml:

AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template to create a service-linked role for Elastic Beanstalk

Resources:

  ElasticBeanstalkServiceRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: 'cicd-role'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: 'Allow'
            Action: 'sts:AssumeRole'
            Principal:
              Service: 'elasticbeanstalk.amazonaws.com'
      Description: 'Allows Elastic Beanstalk to create and manage AWS resources on your behalf.'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk
        - arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth
        - arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService

Outputs:
  RoleArn:
    Description: 'ARN of the Elastic Beanstalk service role'
    Value: !GetAtt [ElasticBeanstalkServiceRole, Arn]

Or in the aws Management Console:

  • Roles > Create
  • Trusted entity type > AWS service
  • Use case > Elastic Beanstalk
  • (Everything else as default)
  • Create
rePost-User-6554494
respondido há 6 meses

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas

Conteúdo relevante