elasticbeanstalk:CreateApplicationVersion permission error @ pipeline deploy stage

0

I am getting this error every time I deploy an app in the pipeline:

The provided role does not have the elasticbeanstalk:CreateApplicationVersion permission

I tried to add a new policy with just one line: elasticbeanstalk:CreateApplicationVersion

I tried following the solution here: https://repost.aws/questions/QUKihls54VSUWdUdnYlfRzFg/getting-role-error-in-elastic-beanstalk

I added the 3 beanstalk policies after recreating the role and environment:

• AWSElasticBeanstalkMulticontainerDocker
• AWSElasticBeanstalkWebTier
• AWSElasticBeanstalkWorkerTier

I am still getting the error. What is the solution for this issue? Can you provide steps outside of an article? I really want to fix this issue. Thanks!

1 Answer
1

To resolve the "elasticbeanstalk:CreateApplicationVersion permission error" in your pipeline deploy stage, you need to ensure that the IAM role associated with your CodePipeline has the necessary permissions. Here are the steps to fix this issue:

  1. Open the AWS Management Console and navigate to the IAM service.

  2. Locate the service role used by your CodePipeline. This is typically named something like "CodePipelineServiceRole".

  3. Select the role and go to the "Permissions" tab.

  4. Click on "Add permissions" and then "Create inline policy".

  5. In the policy editor, add the following JSON:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "elasticbeanstalk:CreateApplicationVersion",
          "Resource": "*"
        }
      ]
    }

  6. Name the policy (e.g., "ElasticBeanstalkCreateAppVersion") and save it.

  7. Additionally, ensure that your role has the necessary permissions for other Elastic Beanstalk operations. You can add the following managed policies if they're not already attached:

    • AWSElasticBeanstalkFullAccess
    • AWSCodePipelineFullAccess
  8. If you're still encountering issues, you may need to update the service role for CodePipeline. The service role might have been created before August 6, 2015, when AWS updated the required permissions. To do this:

    a. In the IAM console, find your CodePipeline service role.
    b. Edit the role's policy statement to include the following permissions:

    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:*",
        "ec2:*",
        "elasticloadbalancing:*",
        "autoscaling:*",
        "cloudwatch:*",
        "s3:*",
        "sns:*",
        "cloudformation:*",
        "rds:*",
        "sqs:*",
        "ecs:*"
      ],
      "Resource": "*"
    }

  9. After making these changes, save the updated policy.

  10. Return to your CodePipeline and manually rerun the pipeline to see if the error is resolved.

Remember to follow the principle of least privilege and adjust the permissions as necessary for your specific use case. If you're still experiencing issues after these steps, you may need to review your pipeline configuration or consult AWS support for further assistance.
Sources
Troubleshooting CodePipeline - AWS CodePipeline
How do I troubleshoot when User: arn is no authorized to perform Create * or Delete * or Update * on resource(s) because no identity- policy allows the actions | AWS re:Post

answered a month ago
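
An added example, not part of the original answer and not AWS tooling: a simplified offline check of which policy documents grant `elasticbeanstalk:CreateApplicationVersion`, and which Allow statements are service-wide wildcards on `Resource: "*"`. It models only `Effect` and `Action` (no `Condition`, `NotAction`, resource matching, SCPs or permission boundaries); the `BEFORE` policy and all function names are constructed for illustration.

```python
import fnmatch

ACTION = "elasticbeanstalk:CreateApplicationVersion"

# Constructed sample: a pipeline role policy that lacks the Elastic Beanstalk action.
BEFORE = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"}}
# The inline policy from step 5 of the answer.
INLINE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ACTION, "Resource": "*"}]}
# The statement from step 8, wrapped in a policy document.
WIDE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*",
               "autoscaling:*", "cloudwatch:*", "s3:*", "sns:*",
               "cloudformation:*", "rds:*", "sqs:*", "ecs:*"]}]}

def _as_list(value):
    """IAM accepts either a single value or a list in Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]

def _statements(policies):
    for doc in policies:
        yield from _as_list(doc.get("Statement", []))

def evaluate(policies, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for an action across policies."""
    allowed = False
    for stmt in _statements(policies):
        patterns = _as_list(stmt.get("Action", []))
        # Action names are case-insensitive and may contain * and ? wildcards.
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt.get("Effect") == "Deny":
                return "Deny"  # an explicit Deny always wins
            allowed = allowed or stmt.get("Effect") == "Allow"
    return "Allow" if allowed else "ImplicitDeny"

def broad_grants(policies):
    """Action patterns that allow a whole service (or everything) on Resource '*'."""
    return [p for stmt in _statements(policies)
            if stmt.get("Effect") == "Allow"
            and "*" in _as_list(stmt.get("Resource", []))
            for p in _as_list(stmt.get("Action", []))
            if p == "*" or p.endswith(":*")]

if __name__ == "__main__":
    print("before:", evaluate([BEFORE], ACTION))
    print("with inline policy:", evaluate([BEFORE, INLINE], ACTION))
    print("broad grants in step 8 statement:", broad_grants([WIDE]))
```

To run it against a real role, export that role's inline and attached policy documents as JSON and pass them in place of the constructed samples.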
