skip to Main Content

Since last week, all our systems on Elastic Beanstalk suddenly failed to install the latest platform update, 4.2.7 to 4.3.0, as part of a weekly managed update process. This came as an unwelcome surprise, as platform updates have been working without any issues for at least the last 36 months.

The reason for the failure is that the ec2:CreateTags permission is not available for arn/**/elastic-ip/ in the AwsElasticBeanstalkManagedUpdatesCustomerRolePolicy, which is attached to the aws-elasticbeanstalk-service-role.

Adding this permission to the role resolves the issue. However, I have the following two questions:

  1. Why does the AwsElasticBeanstalkManagedUpdatesCustomerRolePolicy not contain this permission in the first place, if it is required for the platform update?
  2. Why is this permission suddenly required when it has not been required for at least the last 36 months? Have we missed an important update? Is AwsElasticBeanstalkManagedUpdatesCustomerRolePolicy no longer the correct policy for managed updates?

2

Answers


  1. Experiencing exactly the same issue with multiple Beanstalk environments for years without issue.

    We were using an older built-in policy and simply replaced it with AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy because it did – at the time – contain the necessary ec2:createTags permission.

    This weekend all our Beanstalk environments suffered failures when performing the managed weekly maintenance; once again due to the missing ec2:createTags permission.

    Having a look through AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy I’m surprised to see that it no longer contains this permission. This is all very strange.

    Will be adding in the permission as an in-line policy to prevent further issues.

    Login or Signup to reply.
  2. We are facing the same problem, we opened an issue on the roadmap

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search