
AWS Elastic Beanstalk Cannot Access AWS-Managed S3 Bucket - Service Bug Blocking Deployments

0

I'm experiencing what appears to be an AWS service bug with Elastic Beanstalk that's blocking my deployments through AWS CodePipeline.

Issue Summary: My AWS CodePipeline deployment to Elastic Beanstalk is failing with an S3 access denied error to AWS's own managed patching bucket.

Error Details:

  • Service: AWS Elastic Beanstalk (deployed via AWS CodePipeline)
  • Region: us-east-2
  • Error: Access denied to S3 bucket elasticbeanstalk-env-resources-us-east-2
  • This bucket is AWS-managed infrastructure for Elastic Beanstalk patching

My Configuration:

  • Using AWS CodePipeline for deployment to Elastic Beanstalk
  • EC2 instance role has AWSElasticBeanstalkWebTier policy attached
  • This is the AWS-recommended managed policy for Elastic Beanstalk web tier instances
  • All standard AWS-managed service permissions are properly configured

Why This Appears to be an AWS Bug:

  1. elasticbeanstalk-env-resources-us-east-2 is AWS's own managed bucket, not customer-created
  2. I'm using AWS's own managed services (CodePipeline → Elastic Beanstalk)
  3. I'm using AWS's own managed policy (AWSElasticBeanstalkWebTier) as recommended
  4. This is AWS-to-AWS service communication that should work automatically
  5. Elastic Beanstalk service should automatically have access to AWS's internal resources
  6. Customers cannot and should not configure permissions for AWS's infrastructure buckets
  7. This is a failure in AWS's managed platform update system, not customer configuration

Impact:

  • Cannot deploy applications through AWS CodePipeline to Elastic Beanstalk
  • Production CI/CD pipeline is broken
  • This affects AWS's core managed service integration

What I've Tried:

  • Verified my IAM permissions are correct for Elastic Beanstalk (using AWS managed policy)
  • Confirmed this is not a customer-configurable bucket
  • Researched AWS documentation - no customer action should be required
  • Using AWS's own recommended IAM policies and service integrations

Request: This appears to be an AWS service infrastructure issue that requires AWS engineering team investigation. Can the AWS Elastic Beanstalk service team please investigate why their managed service cannot access their own S3 resources, even when deployed through AWS's own CodePipeline using AWS's own recommended IAM policies?

Additional Context:

  • I have Basic Support so cannot file a technical support case
  • This is clearly an AWS infrastructure bug, not a customer configuration issue
  • Using AWS-managed services: CodePipeline → Elastic Beanstalk
  • Using AWS-managed IAM policy AWSElasticBeanstalkWebTier as recommended
  • Other customers using AWS CI/CD may be experiencing the same problem

Has anyone else encountered this issue with AWS CodePipeline deployments to Elastic Beanstalk? AWS team - can you please investigate?

** Additional info added based on questions from answers/commenters **

  1. The error message I received on the Deploy step of the Pipeline is as follows: Deployment completed, but with errors: Failed to deploy application. Service:Amazon S3, Message:Access Denied: S3Bucket=elasticbeanstalk-env-resources-us-east-2, S3Key=eb_patching_resources/instance_patch_extension.linux
  2. My account:
     • New AWS account
     • Free tier
     • us-east-2 region
     • CodePipeline deployment
     • Deploy Action provider: AWS Elastic Beanstalk

2 Answers
0

The issue you're experiencing with Elastic Beanstalk not being able to access the AWS-managed S3 bucket is likely related to IAM permissions rather than an AWS service bug. Here are some troubleshooting steps to resolve this:

  1. Check IAM Role Permissions: While you mentioned that you're using the AWSElasticBeanstalkWebTier policy, this might not be sufficient. Elastic Beanstalk environments typically need two roles:
     • An instance profile role for the EC2 instances
     • A service role for Elastic Beanstalk itself

  2. Verify S3 Permissions: The service role needs specific S3 permissions to access the elasticbeanstalk-env-resources bucket. Ensure your service role has at minimum:
     • s3:GetObject
     • s3:GetObjectVersion
     • s3:ListBucket
     • s3:ListBucketVersions

  3. Check for S3 Bucket Policy Conflicts: If there are any custom bucket policies in your account, they might be conflicting with the permissions Elastic Beanstalk needs.

  4. Review Account-level S3 Settings: Check your account's S3 Block Public Access settings, as overly restrictive settings might interfere with Elastic Beanstalk's ability to configure the S3 bucket properly.

  5. Examine VPC Configuration: If you're using a custom VPC, ensure it's properly configured with the necessary components like internet gateway, security groups, and subnets to allow traffic between Elastic Beanstalk and S3.

  6. Check CloudTrail Logs: Review AWS CloudTrail logs to identify specific denied actions related to S3 access, which can provide more details about the permission issues.

For CodePipeline specifically, you may need to ensure that the CodePipeline service role has the necessary permissions to interact with both Elastic Beanstalk and S3. Consider adding a custom policy to your service role that explicitly grants access to the required S3 buckets.

This is most likely a configuration issue rather than a bug in AWS services. By properly configuring the IAM roles and permissions, you should be able to resolve the access denied errors.
Sources
When creating an elastic beanstalk environment it gets terminated throwing a S3_MALFORMED_POLICY error | AWS re:Post
Setup Elastic Beanstalk with S3 | AWS re:Post
Troubleshoot issues with Amazon ECS connection to Amazon S3 | AWS re:Post
Resolve Access Denied errors in CodePipeline | AWS re:Post

answered 2 months ago
  • I have tried adding AWSElasticBeanstalkWebTier to both instance role and service role but ended up still getting the same error. The S3 bucket itself is managed by AWS so I am not allowed to verify or change its permissions. I do not see the bucket under my S3.

0

Hello.

Can you share the error message?
You need to determine whether the problem is with the ElasticBeanstalk IAM role or with the IAM role or other settings configured for CodePipeline.
It is also possible that the IAM role used by CodePipeline, CodeBuild, etc. does not have the permissions to access "elasticbeanstalk-env-resources-us-east-2", causing the error.
https://docs.aws.amazon.com/codepipeline/latest/userguide/how-to-custom-role.html

EXPERT
answered 2 months ago
  • Hello,
    The error message I received on the Deploy step of the Pipeline is as follows:

    Deployment completed, but with errors: Failed to deploy application. Service:Amazon S3, Message:Access Denied: S3Bucket=elasticbeanstalk-env-resources-us-east-2, S3Key=eb_patching_resources/instance_patch_extension.linux

    Based on my understanding, the IAM role that needs the permission to access "elasticbeanstalk-env-resources-us-east-2" is the EB instance profile role, which for me is aws-elasticbeanstalk-ec2-role, to which I do have the AWSElasticBeanstalkWebTier policy attached.

    Does the IAM role used by CodePipeline need additional S3 permissions for the "elasticbeanstalk-env-resources-*" bucket? My understanding is that the IAM role used by the CodePipeline is for the pipeline's artifact bucket rather than what is needed for operations within the Beanstalk environment.
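
Both answers come down to finding out which IAM role was actually denied (the CloudTrail check in the first answer, the role question in the second). The script below is an added example, not part of the original posts: it filters CloudTrail records for denied S3 calls against the bucket named in the error and reports the role behind each one. The account ID, role names and log records are constructed, and it assumes S3 data events are being recorded by a trail, since object-level calls such as GetObject are not logged by default.

```python
import json
from collections import Counter

# Bucket name and object key are the ones quoted in the error message on this page.
BUCKET = "elasticbeanstalk-env-resources-us-east-2"
PATCH_KEY = "eb_patching_resources/instance_patch_extension.linux"

def make_record(source, name, role, bucket, key=None, error=None):
    """Build one constructed CloudTrail record (account ID and role are placeholders)."""
    rec = {
        "eventSource": source, "eventName": name,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::111122223333:assumed-role/{role}/session",
            "sessionContext": {"sessionIssuer": {
                "arn": f"arn:aws:iam::111122223333:role/{role}"}}},
        "requestParameters": {"bucketName": bucket, "key": key},
    }
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample log: one matching denial plus three records that must be ignored.
SAMPLE_LOG = json.dumps({"Records": [
    make_record("s3.amazonaws.com", "GetObject", "example-instance-role",
                BUCKET, PATCH_KEY, "AccessDenied"),
    make_record("s3.amazonaws.com", "GetObject", "example-pipeline-role",
                "example-artifact-bucket", "app.zip"),
    make_record("s3.amazonaws.com", "ListObjects", "example-pipeline-role",
                "example-other-bucket", None, "AccessDenied"),
    make_record("elasticbeanstalk.amazonaws.com", "UpdateEnvironment",
                "example-pipeline-role", None, None, "AccessDenied"),
]})

def principal(identity):
    """Prefer the role ARN behind an assumed-role session; fall back to the caller ARN."""
    issuer = (identity.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("arn") or identity.get("arn") or identity.get("invokedBy", "unknown")

def denied_s3_calls(log_text, bucket=BUCKET):
    """Return (role_arn, event_name, key) for each denied S3 call on `bucket`."""
    hits = []
    for rec in json.loads(log_text).get("Records", []):
        params = rec.get("requestParameters") or {}  # may be null in real records
        if (rec.get("eventSource") == "s3.amazonaws.com"
                and rec.get("errorCode") == "AccessDenied"
                and params.get("bucketName") == bucket):
            hits.append((principal(rec.get("userIdentity") or {}),
                         rec["eventName"], params.get("key")))
    return hits

def denials_by_principal(log_text, bucket=BUCKET):
    return Counter(who for who, _, _ in denied_s3_calls(log_text, bucket))
```

The role ARN this returns is the one whose policies need reviewing, whether it turns out to be the instance profile, the Elastic Beanstalk service role or the pipeline role.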
