Elastic Beanstalk environment health Suspended(grey)

0

I created an environment in Elastic Beanstalk with one instance running. All resources, including autoscaling and EC2 health checks, appear to be operating normally. However, Elastic Beanstalk's logs show the following errors, and the environment health status is "suspended":

  1. "Service role arn:aws:iam::516129783581:role/rootEC2 is missing permissions required to check for managed updates. Verify the role's policies."
  2. "Failed to deploy application."
  3. "Failed to check health. Verify the permissions on the environment's service role and try again later. Permissions changes take up to two hours to propagate."

Currently, I'm using the same IAM role (rootEC2) for both EC2 and the Elastic Beanstalk environment. Should I create two separate roles, one for EC2 and another for Elastic Beanstalk? If so, which policies should I attach to each role for proper functionality?

1 Answer
1

Based on the errors you're encountering, it appears that there are issues with the IAM role permissions for your Elastic Beanstalk environment. Using the same role (rootEC2) for both EC2 instances and the Elastic Beanstalk service is not the recommended approach. It's best to create separate roles for EC2 instances and the Elastic Beanstalk service to ensure proper functionality and adhere to the principle of least privilege.

For Elastic Beanstalk environments, you typically need two distinct roles:

  1. A service role for Elastic Beanstalk
  2. An instance profile for EC2 instances

For the Elastic Beanstalk service role, you should create a new IAM role and attach the following managed policy:

  • AWSElasticBeanstalkService

This policy provides the necessary permissions for Elastic Beanstalk to manage resources on your behalf, including checking for managed updates and monitoring environment health.

For the EC2 instance profile, create another IAM role and attach these managed policies:

  • AWSElasticBeanstalkWebTier (for web server environments)
  • AWSElasticBeanstalkWorkerTier (for worker environments)
  • AWSElasticBeanstalkMulticontainerDocker (if using multi-container Docker)

These policies grant the EC2 instances the required permissions to interact with other AWS services that Elastic Beanstalk environments typically use.

After creating these roles, update your Elastic Beanstalk environment configuration:

  1. Set the service role to the newly created Elastic Beanstalk service role.
  2. Set the instance profile to the newly created EC2 instance profile.

Keep in mind that permission changes can take up to two hours to propagate fully. After making these changes, wait for a while and then try to redeploy your application.

Additionally, ensure that the trust relationships for these roles are properly configured. The Elastic Beanstalk service role should trust the elasticbeanstalk.amazonaws.com service, while the EC2 instance profile should trust the ec2.amazonaws.com service.

By separating the roles and ensuring they have the correct permissions, you should be able to resolve the suspended status and deployment issues in your Elastic Beanstalk environment.

Sources
Managing Elastic Beanstalk instance profiles - AWS Elastic Beanstalk
Elastic Beanstalk Service roles, instance profiles, and user policies - AWS Elastic Beanstalk
Your AWS Elastic Beanstalk environment security - AWS Elastic Beanstalk
Using service-linked roles for Elastic Beanstalk - AWS Elastic Beanstalk

answered a month ago
EXPERT reviewed a month ago
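To make the role split described in this answer checkable before touching the environment, the following is an added example (not code from the answer or from AWS): it builds the two trust policies, lists the managed policies to attach per role, and flags a setup like the question's single rootEC2 role. The managed-policy ARN paths are assumed; the rootEC2 trust document used as input is constructed.

```python
EB_SERVICE = "elasticbeanstalk.amazonaws.com"
EC2_SERVICE = "ec2.amazonaws.com"
# Managed policies named in the answer; the ARN paths are assumed.
SERVICE_ROLE_POLICIES = ["arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService"]
INSTANCE_TIER_POLICIES = {
    "web": "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier",
    "worker": "arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier",
    "docker": "arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker",
}

def trust_policy(*services):
    """Assume-role policy letting exactly these service principals assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": list(services)},
        "Action": "sts:AssumeRole"}]}

def trusted_services(doc):
    """Service principals an existing trust policy allows to call sts:AssumeRole."""
    found = set()
    for stmt in doc.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        svc = stmt.get("Principal", {}).get("Service", [])
        found.update([svc] if isinstance(svc, str) else svc)
    return found

def diagnose(service_role_trust, instance_role_trust, same_role=False):
    """Why a setup like the question's ends up with a Suspended (grey) environment."""
    problems = []
    if same_role:
        problems.append("one role is shared by the service and the instances; split it")
    if EB_SERVICE not in trusted_services(service_role_trust):
        problems.append("service role is not assumable by " + EB_SERVICE)
    if EC2_SERVICE not in trusted_services(instance_role_trust):
        problems.append("instance profile role is not assumable by " + EC2_SERVICE)
    return problems

def instance_policies(tier, multicontainer_docker=False):
    """Managed policy ARNs to attach to the instance profile role for a tier."""
    arns = [INSTANCE_TIER_POLICIES[tier]]
    return arns + [INSTANCE_TIER_POLICIES["docker"]] if multicontainer_docker else arns

if __name__ == "__main__":
    # Constructed input: the question's single rootEC2 role, trusted only by EC2.
    root_ec2 = trust_policy(EC2_SERVICE)
    print(diagnose(root_ec2, root_ec2, same_role=True))
```

Run `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` on each existing role and feed the result to `diagnose` to confirm the trust relationships before redeploying.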
