15👍
That role is created the first time you use the Elastic Beanstalk console. The CLI also attempts to create it, but your IAM user doesn’t have permissions to create it. You can fix this error by logging in to the console and getting to the platform selection page. You will notice that it will ask you to create a role.
Otherwise, you can give your IAM user create role permissions and the CLI will create the role for you.
32👍
Earlier, Elastic Beanstalk used to create a default EC2 instance profile named aws-elasticbeanstalk-ec2-role the first time an AWS account created an environment. This instance profile included default managed policies. However, recent AWS security guidelines don’t allow an AWS service to automatically create roles with trust policies to other AWS services, EC2 in this case. Because of these security guidelines, Elastic Beanstalk no longer creates a default aws-elasticbeanstalk-ec2-role instance profile.
So if your AWS account doesn’t have an EC2 instance profile, you must create one using the IAM service. You can then assign the EC2 instance profile to the new environments that you create.
Open IAM Console → In the navigation pane of the console, choose Roles and then Create role → Under Trusted entity type, choose AWS service → Under Use case, choose EC2 → Choose Next → Attach AWSElasticBeanstalkWebTier, AWSElasticBeanstalkWorkerTier, AWSElasticBeanstalkMulticontainerDocker → Choose Next → Enter a name for the role: aws-elasticbeanstalk-ec2-role → Choose Create role.
If you already have an instance profile, make sure you have the required policies below. To meet the default use cases for an environment, these policies must be attached to the role for the EC2 instance profile:
Role name: aws-elasticbeanstalk-ec2-role
Permission policies attached:
- AWSElasticBeanstalkWebTier
- AWSElasticBeanstalkWorkerTier
- AWSElasticBeanstalkMulticontainerDocker
Trust relationship policy for EC2:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Hope this helps.
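A way to check an existing role against the requirements listed in the answer above, as an added example that is not part of the original answers. It assumes its inputs are the parsed JSON from `aws iam get-role`, `aws iam list-attached-role-policies` and `aws iam get-instance-profile`; the function names and the sample data are constructed for illustration.

```python
# Managed policies the answer above lists for aws-elasticbeanstalk-ec2-role.
REQUIRED = {"AWSElasticBeanstalkWebTier", "AWSElasticBeanstalkWorkerTier",
            "AWSElasticBeanstalkMulticontainerDocker"}

def _as_list(value):
    # IAM allows Statement, Action and Principal.Service as a scalar or a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def ec2_can_assume(trust_policy):
    """True if an Allow statement lets ec2.amazonaws.com call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow"
                and "ec2.amazonaws.com" in services
                and "sts:AssumeRole" in _as_list(stmt.get("Action"))):
            return True
    return False

def audit(get_role, attached, get_profile, role_name="aws-elasticbeanstalk-ec2-role"):
    """Return a list of findings; an empty list means the role matches the answer."""
    findings = []
    if not ec2_can_assume(get_role["Role"]["AssumeRolePolicyDocument"]):
        findings.append("trust policy does not allow ec2.amazonaws.com to assume the role")
    names = {p["PolicyName"] for p in attached["AttachedPolicies"]}
    findings += [f"missing managed policy: {n}" for n in sorted(REQUIRED - names)]
    findings += [f"extra managed policy to review: {n}" for n in sorted(names - REQUIRED)]
    # A role created through the CLI or API needs its instance profile created
    # separately and the role added to it; the console does this for EC2 roles.
    roles = {r["RoleName"] for r in get_profile["InstanceProfile"]["Roles"]}
    if role_name not in roles:
        findings.append(f"instance profile does not contain role {role_name}")
    return findings

# Constructed sample input (not captured from a real account).
SAMPLE_ROLE = {"Role": {"AssumeRolePolicyDocument": {
    "Version": "2008-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}]}}}
SAMPLE_ATTACHED = {"AttachedPolicies": [{"PolicyName": "AWSElasticBeanstalkWebTier"},
                                        {"PolicyName": "AdministratorAccess"}]}
SAMPLE_PROFILE = {"InstanceProfile": {"Roles": []}}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROLE, SAMPLE_ATTACHED, SAMPLE_PROFILE):
        print(finding)
```

The check ignores `Condition` blocks and wildcard actions, so a trust policy that relies on either needs a manual read.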
12👍
If someone doesn’t want to or can’t create the role using the AWS elb web console, you just need to create the role manually and add these policies:
- AWSElasticBeanstalkWebTier
- AWSElasticBeanstalkMulticontainerDocker
- AWSElasticBeanstalkWorkerTier
Coming soon:
Test if this role is mandatory. Maybe we just need to add these policies to the current user.
3👍
You can check one option that works here for AWS Beanstalk. This is using AWS Console.
- Create IAM Role for “EC2” as AWS Service and attach “AWSElasticBeanstalkFullAccess” policy to it.
- Create an AWS Beanstalk environment with tier/platform/application of choice. (I did with Web Tier choosing Docker platform using python:3-onbuild).
- Hit “Configure More Options” > “Modify” Security.
- Choose “IAM instance profile” which was created in Step 1. (Keep Service role “aws-elasticbeanstalk-service-role” as this is needed! It has some key policies!)
- “Save” and “Create Environment”.
Similarly, it should work for AWS CLI and AWS SDK as well. Key here is the instance profile role you select for EC2 (or say instance IAM role/instance profile) during Beanstalk Environment creation.
You can create a customer managed policy extending or reusing the AWSElasticBeanstalkFullAccess policy based on need. Refer to AWSElasticBeanstalkFullAccess to understand it better. Also, check out some more AWS managed policies starting with AWSElasticBeanStalk*.
Somehow the default aws-elasticbeanstalk-ec2-role policy is not working/taking effect as desired for me. I am getting the same error message as reported above if I go with the default policy.
1👍
I was facing the same issue but then fixed it by first creating a test environment from the browser GUI, which will create all necessary roles, and then running the command eb create from the CLI. After successful creation of the required env you can delete the test env.
1👍
As others have said: AWS has a bug here, it no longer allows its Environment builder to create the required roles automatically. You have to create them manually.
And you have to create two for ElasticBeanstalk: one whose "Service or use case" is associated with elasticbeanstalk and the other that is associated with EC2.
When you follow the console steps to create an environment, you will be prompted for both. The current error is that they are currently not considered as required, whereas they are, since the wizard will not be able to automatically create them.
Make sure to fill both highlighted roles:
0👍
I had the exact same problem.
Contrary to what the Amazon AWS doc wants you to believe, the aws-elasticbeanstalk-ec2-role was not automatically created.
I ended up rolling my own in the IAM -> roles section.