Based on the errors you're encountering, it appears that there are issues with the IAM role permissions for your Elastic Beanstalk environment. Using the same role (rootEC2) for both EC2 instances and the Elastic Beanstalk service is not the recommended approach. It's best to create separate roles for EC2 instances and the Elastic Beanstalk service to ensure proper functionality and adhere to the principle of least privilege.
For Elastic Beanstalk environments, you typically need two distinct roles:
- A service role for Elastic Beanstalk
- An instance profile for EC2 instances
For the Elastic Beanstalk service role, you should create a new IAM role and attach the following managed policy:
- AWSElasticBeanstalkService
This policy provides the necessary permissions for Elastic Beanstalk to manage resources on your behalf, including checking for managed updates and monitoring environment health.
For the EC2 instance profile, create another IAM role and attach these managed policies:
- AWSElasticBeanstalkWebTier (for web server environments)
- AWSElasticBeanstalkWorkerTier (for worker environments)
- AWSElasticBeanstalkMulticontainerDocker (if using multi-container Docker)
These policies grant the EC2 instances the required permissions to interact with other AWS services that Elastic Beanstalk environments typically use.
After creating these roles, update your Elastic Beanstalk environment configuration:
- Set the service role to the newly created Elastic Beanstalk service role.
- Set the instance profile to the newly created EC2 instance profile.
Keep in mind that permission changes can take up to two hours to propagate fully. After making these changes, wait for a while and then try to redeploy your application.
Additionally, ensure that the trust relationships for these roles are properly configured. The Elastic Beanstalk service role should trust the elasticbeanstalk.amazonaws.com service, while the EC2 instance profile should trust the ec2.amazonaws.com service.
By separating the roles and ensuring they have the correct permissions, you should be able to resolve the suspended status and deployment issues in your Elastic Beanstalk environment.
Sources
Managing Elastic Beanstalk instance profiles - AWS Elastic Beanstalk
Elastic Beanstalk Service roles, instance profiles, and user policies - AWS Elastic Beanstalk
Your AWS Elastic Beanstalk environment security - AWS Elastic Beanstalk
Using service-linked roles for Elastic Beanstalk - AWS Elastic Beanstalk
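The trust-relationship check described in the answer above, as an added example that is not part of the original answer or AWS's own code: it inspects each role's trust policy document (the role's AssumeRolePolicyDocument) offline and reports a shared role, a missing expected principal, or an extra one. The role names `eb-service-role` and `eb-ec2-role` and the sample policies are constructed, and the assumption that `rootEC2` trusts only `ec2.amazonaws.com` is made for illustration.

```python
# Trust principal each role needs, as stated in the answer above.
EXPECTED = {"service role": "elasticbeanstalk.amazonaws.com",
            "instance profile role": "ec2.amazonaws.com"}

def as_list(value):
    """IAM allows a single string/object where a list is also valid."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def trusted_services(trust_policy):
    """Service principals that an Allow statement lets call sts:AssumeRole."""
    services = set()
    for stmt in as_list(trust_policy.get("Statement", [])):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or "sts:assumerole" not in actions:
            continue
        if isinstance(principal, dict):  # skips a bare "*" principal
            services.update(as_list(principal.get("Service", [])))
    return services

def check_roles(service_role, instance_role):
    """Each argument is (role_name, trust_policy_dict); returns findings."""
    findings = []
    if service_role[0] == instance_role[0]:
        findings.append(f"{service_role[0]}: one role is used for both purposes")
    for purpose, (name, policy) in zip(EXPECTED, (service_role, instance_role)):
        trusted, want = trusted_services(policy), EXPECTED[purpose]
        if want not in trusted:
            findings.append(f"{name}: {purpose} does not trust {want}")
        if trusted - {want}:
            findings.append(f"{name}: {purpose} also trusts {sorted(trusted - {want})}")
    return findings

def trust(service):
    """Build a constructed sample trust policy for one service principal."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": service},
         "Action": "sts:AssumeRole"}]}

# Constructed inputs: rootEC2 is the shared role named in the answer (its trust
# policy here is assumed); the two split role names are hypothetical.
SHARED = ("rootEC2", trust("ec2.amazonaws.com"))
SPLIT = (("eb-service-role", trust("elasticbeanstalk.amazonaws.com")),
         ("eb-ec2-role", trust("ec2.amazonaws.com")))

if __name__ == "__main__":
    for finding in check_roles(SHARED, SHARED):
        print("FINDING", finding)
    print("split roles:", check_roles(*SPLIT) or "ok")
```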