[Django]-Error with not existing instance profile while trying to get a django project running on AWS Beanstalk

15👍

✅

That role is created the first time you use the Elastic Beanstalk console. The CLI also attempts to create it, but your IAM user doesn’t have permissions to create it. You can fix this error by logging in to the console and getting to the platform selection page. You will notice that it will ask you to create a role.

Otherwise, you can give your IAM user create role permissions and the CLI will create the role for you.

👤Nick Humrich

32👍

Earlier, Elastic Beanstalk used to create a default EC2 instance profile named aws-elasticbeanstalk-ec2-role the first time an AWS account created an environment. This instance profile included default managed policies. However, recent AWS security guidelines don’t allow an AWS service to automatically create roles with trust policies to other AWS services, EC2 in this case. Because of these security guidelines, Elastic Beanstalk no longer creates a default aws-elasticbeanstalk-ec2-role instance profile.

So if your AWS account doesn’t have an EC2 instance profile, you must create one using the IAM service. You can then assign the EC2 instance profile to the new environments that you create.

  1. Open the IAM Console.
  2. In the navigation pane of the console, choose Roles and then Create role.
  3. Under Trusted entity type, choose AWS service.
  4. Under Use case, choose EC2.
  5. Choose Next.
  6. Attach AWSElasticBeanstalkWebTier, AWSElasticBeanstalkWorkerTier, AWSElasticBeanstalkMulticontainerDocker.
  7. Choose Next.
  8. Enter a name for the role: aws-elasticbeanstalk-ec2-role.
  9. Choose Create role.

If you already have an instance profile, make sure you have the required policies below. To meet the default use cases for an environment, these policies must be attached to the role for the EC2 instance profile:

Role name: aws-elasticbeanstalk-ec2-role

Permission policies attached:-

  • AWSElasticBeanstalkWebTier
  • AWSElasticBeanstalkWorkerTier
  • AWSElasticBeanstalkMulticontainerDocker

Trust relationship policy for EC2:-

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Hope this helps.

👤Arpit Jain
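
A check for the role described in the answer above, as an added example that is not part of the original posts: it takes the JSON printed by `aws iam get-role --role-name aws-elasticbeanstalk-ec2-role` and `aws iam list-attached-role-policies --role-name aws-elasticbeanstalk-ec2-role` and reports what differs from the trust relationship and policy list given there. The function name `check_instance_role` and the sample input are constructed for illustration.

```python
import json

# Policy names and trusted service are the ones listed in the answer above.
REQUIRED_POLICIES = {"AWSElasticBeanstalkWebTier", "AWSElasticBeanstalkWorkerTier",
                     "AWSElasticBeanstalkMulticontainerDocker"}
EC2_PRINCIPAL = "ec2.amazonaws.com"

def _as_list(value):
    """IAM accepts either one string/object or a list in these fields."""
    return value if isinstance(value, list) else [value]

def check_instance_role(get_role_json, attached_json):
    """Return findings for the role; an empty list means it matches the answer."""
    findings, ec2_trusted = [], False
    doc = json.loads(get_role_json)["Role"]["AssumeRolePolicyDocument"]
    for stmt in _as_list(doc.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("trust policy allows any principal")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if (kind, value) == ("Service", EC2_PRINCIPAL):
                    ec2_trusted = True
                else:
                    findings.append(f"unexpected trusted principal {kind}={value}")
    if not ec2_trusted:
        findings.append(f"{EC2_PRINCIPAL} cannot assume the role")
    attached = {p["PolicyName"] for p in json.loads(attached_json)["AttachedPolicies"]}
    findings += [f"missing policy {n}" for n in sorted(REQUIRED_POLICIES - attached)]
    findings += [f"policy not in the answer's list: {n}"
                 for n in sorted(attached - REQUIRED_POLICIES)]
    return findings

# Constructed sample input, shaped like AWS CLI output (not from a real account).
SAMPLE_ROLE = json.dumps({"Role": {"RoleName": "aws-elasticbeanstalk-ec2-role",
    "AssumeRolePolicyDocument": {"Version": "2008-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"}]}}})
SAMPLE_ATTACHED = json.dumps({"AttachedPolicies": [
    {"PolicyName": "AWSElasticBeanstalkWebTier"},
    {"PolicyName": "AWSElasticBeanstalkWorkerTier"}]})

if __name__ == "__main__":
    for finding in check_instance_role(SAMPLE_ROLE, SAMPLE_ATTACHED):
        print(finding)
```
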

12👍

If someone doesn’t want to or can’t create the role using the aws elb web console, you just need to create the role manually and add these policies:

  • AWSElasticBeanstalkWebTier
  • AWSElasticBeanstalkMulticontainerDocker
  • AWSElasticBeanstalkWorkerTier

Coming soon:

Test if this role is mandatory. Maybe we just need to add these policies to the current user.

👤JRichardsz

3👍

You can check one option that works here for AWS Beanstalk. This is using AWS Console.

  1. Create IAM Role for “EC2” as AWS Service and attach
    “AWSElasticBeanstalkFullAccess” policy to it.
  2. Create an AWS Beanstalk environment with tier/platform/application of choice. (I did with Web Tier choosing Docker platform using python:3-onbuild).
  3. Hit “Configure More Options” > “Modify” Security.
  4. Choose “IAM instance profile” which was created in Step 1. (Keep Service role
    “aws-elasticbeanstalk-service-role” as this is needed! It has some key policies!)
  5. “Save” and “Create Environment”.

Similarly, it should work for AWS CLI and AWS SDK as well. Key here is the instance profile role you select for EC2 (or say instance IAM role/instance profile) during Beanstalk Environment creation.

You can create a customer managed policy extending or reusing the AWSElasticBeanstalkFullAccess policy based on need. Refer to AWSElasticBeanstalkFullAccess to understand it better. Also, check out some more AWS managed policies starting with AWSElasticBeanStalk*.

Somehow the default aws-elasticbeanstalk-ec2-role policy is not working/taking effect as desired for me. I am getting the same error message as reported above if I go with the default policy.

1👍

I was facing the same issue but then fixed it by first creating a test environment from the browser GUI, which will create all necessary roles, and then running the command eb create from the CLI. After successful creation of the required env you can delete the test env.

👤Rakesh Mishra

1👍

As others have said: AWS has a bug here: it no longer allows its Environment builder to create the required roles automatically. You have to create them manually.

And you have to create two for ElasticBeanstalk: one whose "Service or use case" is associated with elasticbeanstalk and the other that is associated with EC2.

When you follow the console steps to create an environment, you will be prompted for both. The current error is that they are currently not considered as required, whereas they are, since the wizard will not be able to automatically create them.

Make sure to fill both highlighted roles:

0👍

I had the exact same problem.
Contrary to what the Amazon AWS doc wants you to believe, the aws-elasticbeanstalk-ec2-role was not automatically created.
I ended up rolling my own in the IAM -> roles section.
