
Immutable Deployment AccessDenied DescribeStackResource


Hi,

Occasionally, when deploying applications to our Elastic Beanstalk environments, we would receive the following error code:

AccessDenied: Instance .... is not allowed to call DescribeStackResource for arn:aws:cloudformation:us-east-1:...:stack/awseb-e-...-stack/....

Typically, if we simply retried the deployment once or perhaps twice more, the application would successfully deploy. However, I'm in the process of changing our default instance type from t3.small to t2.small, and on our test environment I receive the above error every single time I try to deploy (even when using the AWS console to upload and deploy the application bundle). I've attempted explicitly providing permission to the instances' IAM role for "CloudFormation:DescribeStackResource" with resource "arn:aws:cloudformation:us-east-1:....:stack//", but that results in the same error message.

When deploying I am using the immutable deployment strategy. Please let me know what other information I can provide to help. Thank you.

(Please note I replaced account specific information with "..." throughout this post)

asked 4 years ago, 1.3K views
1 Answer

For anyone who runs into this problem in the future, I've found the solution. We have had our environments codified with Terraform since around the beginning of 2020. AWS changed the permissions needed for enhanced health reporting in Elastic Beanstalk around November 2020, but the old permissions still mostly worked. A recent change made the success rate fall dramatically. So for us, we just needed to change our service role policies AND instance role policies to include AWSElasticBeanstalkEnhancedHealth and AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy. Note that if you do not include these in your instance profile, you'll get the referenced error when attempting to deploy new application bundles using an immutable deployment.

answered 4 years ago
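
The change described in the answer above, sketched in Terraform as an added example (not the poster's own configuration). The two role names are hypothetical placeholders, and the ARNs assume the standard `aws` partition.

```hcl
# Added example: attach both AWS managed policies named in the answer
# to the Elastic Beanstalk service role and to the instance role.
# Role names below are hypothetical placeholders, not values from the post.
variable "eb_service_role_name" {
  type    = string
  default = "example-eb-service-role" # hypothetical
}

variable "eb_instance_role_name" {
  type    = string
  default = "example-eb-ec2-role" # hypothetical; the role behind the instance profile
}

locals {
  # AWS managed policies named in the answer (standard "aws" partition assumed).
  eb_managed_policy_arns = {
    enhanced_health = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth"
    managed_updates = "arn:aws:iam::aws:policy/AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy"
  }

  eb_roles = {
    service  = var.eb_service_role_name
    instance = var.eb_instance_role_name
  }

  # One attachment per (role, policy) pair, keyed so that adding or
  # removing a pair does not force unrelated attachments to be recreated.
  eb_attachments = {
    for pair in setproduct(keys(local.eb_roles), keys(local.eb_managed_policy_arns)) :
    "${pair[0]}-${pair[1]}" => {
      role       = local.eb_roles[pair[0]]
      policy_arn = local.eb_managed_policy_arns[pair[1]]
    }
  }
}

resource "aws_iam_role_policy_attachment" "eb" {
  for_each   = local.eb_attachments
  role       = each.value.role
  policy_arn = each.value.policy_arn
}
```

AWS documents AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy as a policy for the service role, so attaching it to the instance role gives every instance considerably more than the single DescribeStackResource call in the error; review the resulting instance-profile permissions against your own least-privilege baseline.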
