Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Elastic Beanstalk Managed Platform Updates Suddenly No Longer Working

0

Since last week, all our systems on Elastic Beanstalk suddenly failed to install the latest platform update, 4.2.7 to 4.3.0, as part of a weekly managed update process. This came as an unwelcome surprise, as platform updates have been working without any issues for at least the last 36 months.

The reason for the failure is that the ec2:CreateTags permission is not available for arn/**/elastic-ip/ in the AwsElasticBeanstalkManagedUpdatesCustomerRolePolicy, which is attached to the aws-elasticbeanstalk-service-role.

Adding this permission to the role resolves the issue. However, we have the following two questions:

  1. Why does the AwsElasticBeanstalkManagedUpdatesCustomerRolePolicy not contain this permission in the first place, if it is required for the platform update?
  2. Why is this permission suddenly required when it has not been required for at least the last 36 months? Have we missed an important update? Is AwsElasticBeanstalkManagedUpdatesCustomerRolePolicy no longer the correct policy for managed updates?
Topics
Management & GovernanceComputeSecurity, Identity, & Compliance
Tags
Service Control PolicyIAM PoliciesAWS Elastic Beanstalk
Language
English
asked 2 years ago396 views
2 Answers
0

The AwsElasticBeanstalkManagedUpdatesCustomerRolePolicy is the managed policy that Elastic Beanstalk uses to grant the necessary permissions to the managed-updates service role. This role is used by Elastic Beanstalk to perform managed platform updates on your behalf.

The reason the ec2:CreateTags permission for arn::elastic-ip/ was not initially included in this policy is likely due to the fact that this permission was not required for the managed platform updates in the past. However, it seems that this permission has become necessary for the latest platform update from 4.2.7 to 4.3.0.

The sudden requirement for this permission could be due to changes in the underlying platform update process or dependencies. It's possible that a new component or functionality was introduced in the 4.3.0 platform update that requires the ability to create tags on Elastic IP addresses.

The AwsElasticBeanstalkManagedUpdatesCustomerRolePolicy is still the correct policy for managed updates, but it may need to be updated over time to include additional permissions as the platform update process evolves.

For the most up-to-date information on Elastic Beanstalk service limits, quotas, and other details, I recommend referring to the official AWS Documentation.

AWS
EXPERT
answered 2 years ago
EXPERT
reviewed 2 years ago
  • Ch Ryder
    2 years ago

    I appreciate your answer, and I am aware of the problem and also the solution. The issue is that AwsElasticBeanstalkManagedUpdatesCustomerRolePolicy is an AWS managed policy. Should AWS not have added the missing permission to the policy? The latest version of the policy is a year old. Can we expect AWS engineers to update the policy, given that the new platform update cannot be installed with the old policy?

0

=>The issue you're experiencing with Elastic Beanstalk managed updates is due to the missing ec2:CreateTags permission for Elastic IP resources in the AwsElasticBeanstalkManagedUpdatesCustomerRolePolicy. Here's a brief solution and explanation:

=>Solution: To resolve the issue, manually add the ec2:CreateTags permission for the arn/**/elastic-ip/ resource to the aws-elasticbeanstalk-service-role:

{
  "Effect": "Allow",
  "Action": "ec2:CreateTags",
  "Resource": "arn:aws:ec2:*:*:elastic-ip/*"
}

=>Why the Permission is Missing: AWS likely introduced a recent change that now requires this permission for platform updates, though it was not necessary in the past 36 months. This could be part of an update to AWS Elastic Beanstalk or EC2 to improve tagging and resource management.

=>Next Steps: Check AWS release notes or Elastic Beanstalk update documentation for recent policy changes. Moving forward, it's recommended to regularly review permissions for any role changes introduced by AWS services.

EXPERT
answered 2 years ago
EXPERT
reviewed 2 years ago
  • Ch Ryder
    2 years ago

    I appreciate your answer, and I am aware of the problem and also the solution. The issue is that AwsElasticBeanstalkManagedUpdatesCustomerRolePolicy is an AWS managed policy. Should AWS not have added the missing permission to the policy? The latest version of the policy is a year old. Can we expect AWS engineers to update the policy, given that the new platform update cannot be installed with the old policy?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content