Question about AWS Organizations' Member Using Elastic Beanstalk - amazon-web-services

If I am a member of an organization on AWS, and I use my member account to upload an Elastic Beanstalk app to a specific region via the CLI, will it show up for the management account as well? Or do I need to change something in settings somewhere to make the app upload to the organization's AWS and not my own console? Need clarification.
Currently, I used my member account keys in the CLI to create and deploy an Elastic Beanstalk app in a specific region. It is working fine. However, the organization management account cannot see the environment in their console.
Any clarification would be very much appreciated, as I am not an expert in AWS and have only used it as an IAM user before to deploy apps.

Related

How to give user permission to access AWS Elastic Beanstalk logs from console

I, as an admin, have created several Elastic Beanstalk applications in AWS.
Now I want to give some of my team members access to log in to AWS and view EBS logs, I mean read-only access. I don't want them to be able to update or deploy or create a new Elastic Beanstalk application.
If I give them AWSElasticBeanstalkReadOnlyAccess, the user is unable to see anything in Elastic Beanstalk.
Look at the section "Enabling Read-Only Access to Elastic Beanstalk Logs" on this page: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.managed-policies.html
The mistake I was making was that the regions of the two users were different. The admin user configured the CloudWatch logs in the N. Virginia region for the support user. When the support user logged in, the default region was Ohio, and the support user was unable to see logs. After selecting the N. Virginia region for support, the support user can see logs.

How To Set Up An AWS CodeDeploy & EC2 CodeDeploy Secure Environment

While setting up the EC2 and AWS roles for deploying a website from CodeCommit using CodePipeline, there was little detail about the potential security concerns to take into account (following the various online tutorials, which were few and far between).
For the IAM roles for the EC2 instance and AWS CodeDeploy, what are the bare minimum requirements for a secure and safe environment to be able to deploy?
My environment is using this for development (inside a public subnet) and a live website (inside a private subnet, accessed via ELB). PHP-coded sites.
My concern is that somehow someone can inject their own PHP code through some unknown method and take down the CodeCommit (source) or do other mischievous things.
Thanks!
To use CodeDeploy, the IAM role for your EC2 instances should at least have permission to pull your application artifact from the S3 bucket, and any other permissions to AWS services that your website depends on.
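As an added illustration of that answer (example code written for this page, not from the question or answer above), the following builds an instance-profile permissions policy that grants only what the CodeDeploy agent needs to pull the artifact, and lints a policy for the over-broad grants that tutorials often hand out. The bucket name, key prefix and the exact S3 actions chosen (ListBucket scoped by prefix, GetObject) are assumptions; substitute the values your pipeline actually uses.

```python
import json
from fnmatch import fnmatchcase

# Constructed placeholder values; substitute your own artifact bucket and prefix.
ARTIFACT_BUCKET = "example-codedeploy-artifacts"
ARTIFACT_PREFIX = "website/"


def instance_profile_policy(bucket: str, prefix: str) -> dict:
    """Least-privilege permissions for the EC2 instance profile used by the
    CodeDeploy agent: list the bucket (only under the artifact prefix) and read
    objects under that prefix. Anything else the site needs is added separately."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListArtifactPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}},
            },
            {
                "Sid": "ReadArtifacts",
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
        ],
    }


# What many tutorials attach to the instance role: every S3 action on every bucket.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise."""
    return value if isinstance(value, list) else [value]


def overbroad_grants(policy: dict) -> list:
    """Return labels (Sid, or Statement[i]) of Allow statements that grant a
    wildcard action ('*' or 'service:*') or apply to every resource ('*')."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wide_action = any(a == "*" or a.endswith(":*") for a in actions)
        wide_resource = any(r == "*" for r in resources)
        if wide_action or wide_resource:
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


def grants_s3_writes(policy: dict) -> bool:
    """True if any Allow statement lets the instance write or delete in S3.
    The instance only needs to pull artifacts; a compromised web process on it
    should not be able to overwrite or delete them, or touch other buckets."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action in ("*", "s3:*"):
                return True
            if fnmatchcase(action, "s3:Put*") or fnmatchcase(action, "s3:Delete*"):
                return True
    return False


if __name__ == "__main__":
    minimal = instance_profile_policy(ARTIFACT_BUCKET, ARTIFACT_PREFIX)
    print(json.dumps(minimal, indent=2))
    print("over-broad statements (minimal):", overbroad_grants(minimal))
    print("over-broad statements (tutorial):", overbroad_grants(OVERBROAD_POLICY))
    print("tutorial policy allows S3 writes:", grants_s3_writes(OVERBROAD_POLICY))
```

The lint is deliberately simple (it does not evaluate NotAction, conditions or resource-level wildcards inside ARNs), but it catches the two grants that matter most for the concern in the question: a PHP process that gets compromised inherits the instance profile, so the profile should not be able to modify the artifact bucket or reach any other S3 data.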

AWS S3 Credentials for Elastic Beanstalk app

I am working on an AWS Elastic Beanstalk app that uploads files to an AWS S3 bucket. The Beanstalk app is a .NET Core Web API app, I've followed this guide (http://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/net-dg-config-netcore.html) and have a credentials file on disk for local development with my shared access key and secret. These are the key and secret of the user that I created an S3 bucket with. That user has full access to S3 through IAM. In local development, the application uploads to S3 without a hiccup.
When I deployed the app to the Elastic Beanstalk platform, the upload to S3 doesn't work in the Elastic Beanstalk environment. The local version is still fine.
I deployed the app to AWS Elastic Beanstalk using the AWS Toolkit for Visual Studio and specified that the app should have S3 full access during the creation process. I have since gone into the instance's role config and verified that it does in fact have S3 full access as a permission. I get an exception that the server terminated the connection abnormally after a timeout when attempting the upload. Is there a step or configuration piece I'm missing? Is there a way I can specify the same shared access key and secret I use locally on the Beanstalk app so I can test it? I haven't found a way to give it any credentials from a file or the like.
Thanks,
Sam
For anybody who comes looking with a similar issue: it turned out that my S3 bucket and EB app were in separate regions, and this made it so there was a network issue between the two.

AWS Elastic Beanstalk ServiceRole Error When Logging In To A Role

I'm logging into a role through SSO and trying to create a new Elastic Beanstalk environment (newest Tomcat, if it matters), and I am getting the following error, which is preventing me from even getting the environment started building:
(Namespace: 'aws:elasticbeanstalk:environment', OptionName: 'ServiceRole'): Invalid service role
This is happening even when I am trying to clone an existing environment. I've tried to auto-generate a service role and to manually create one. Both give the error. This error does not happen when I log in as a user with the same permissions.
When you clone an environment using the Elastic Beanstalk console, you have the option to choose a new platform and a service role. The service role is a new concept in Beanstalk, documented here. A service role is not required if you are using basic health monitoring, but it is required if you choose to use enhanced health monitoring.
When creating an environment you can choose to pass an IamInstanceProfile (typically named aws-elasticbeanstalk-ec2-role) and a service role (typically named aws-elasticbeanstalk-service-role). These two roles are required when using Enhanced Application Health Monitoring.
Please note that these two roles require a completely different set of permissions, and you should use different roles for each of them. You can find the list of permissions required for the service role and instance profile documented here.
When creating/cloning/modifying environments using the AWS console, you will be shown an option to choose a service role. If you have never used a service role before, you will be presented with an option to "Create a new role". The console allows you to create the service role required by Beanstalk with a single button click. You can view the permissions before creating the role.
After the first create, the console will present you with a dropdown with the role you created previously (typically named aws-elasticbeanstalk-service-role), and you can reuse this service role.
From the documentation: "A service role is the IAM role that Elastic Beanstalk assumes when calling other services on your behalf. Elastic Beanstalk uses the service role that you specify when creating an Elastic Beanstalk environment when it calls Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing, and Auto Scaling APIs to gather information about the health of its AWS resources."
When creating/using a role, you need to make sure the IAM user has PassRole permission for the role you created. In case you are not using the root account, make sure you have the correct policies for the IAM user.
Note that the iam:PassRole permission allows your IAM user to pass the role to the Beanstalk service.
Update
There was an issue with Single Sign On that has now been resolved. Please update here or in the AWS forum thread below if you are still seeing issues.
AWS forum thread: https://forums.aws.amazon.com/thread.jspa?threadID=171369
I got the same error yesterday and a different one today using the same stack: "Unable to assign role. Please verify that you have permission to pass this role: XXXXXX."
And I solved it by assigning the policy "AWSElasticBeanstalkFullAccess" to my user.
Here you can read more: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts-roles.html#concepts-roles-user
There seems to be a thread on the AWS support forum here: https://forums.aws.amazon.com/thread.jspa?messageID=670359
I am having the same issue when trying to access a Beanstalk environment via a cross-account IAM policy.
I think that logging into the console with an IAM account that belongs to that particular AWS account will resolve the issue. I'm certain AWS folks are working on it.
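The answers above fix the PassRole failure by attaching AWSElasticBeanstalkFullAccess; a tighter alternative is to grant iam:PassRole only for the Beanstalk roles and only when the role is being passed to the Elastic Beanstalk service. The following is an added example (not code from this thread) that writes such a scoped policy and runs a simplified evaluation of it against the wide-open form. The account id and role names are constructed placeholders; the evaluator models only Action, Resource globs, the iam:PassedToService StringEquals condition and explicit Deny, not the full IAM decision logic.

```python
from fnmatch import fnmatchcase

# Constructed placeholders (the thread gives no account id or role ARNs).
ACCOUNT_ID = "123456789012"
SERVICE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/aws-elasticbeanstalk-service-role"
INSTANCE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/aws-elasticbeanstalk-ec2-role"
ADMIN_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/AccountAdministrator"
BEANSTALK = "elasticbeanstalk.amazonaws.com"


def scoped_pass_role_policy(role_arns):
    """Allow iam:PassRole only for the listed roles, and only when the role is
    handed to Elastic Beanstalk. Handing the same roles to another service, or
    passing an unrelated role, is not covered by this statement."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PassBeanstalkRolesOnly",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": list(role_arns),
            "Condition": {"StringEquals": {"iam:PassedToService": BEANSTALK}},
        }],
    }


# The broad form: pass any role in the account to any service.
WIDE_OPEN_PASS_ROLE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise."""
    return value if isinstance(value, list) else [value]


def may_pass_role(policy: dict, role_arn: str, passed_to_service: str) -> bool:
    """Simplified evaluation of one identity policy for a PassRole request:
    an explicit Deny on a matching statement wins, otherwise any matching
    Allow grants, otherwise the implicit answer is deny."""
    decision = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        if not any(fnmatchcase("iam:PassRole", a) for a in actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatchcase(role_arn, r) for r in resources):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        required_service = cond.get("iam:PassedToService")
        if required_service is not None and required_service != passed_to_service:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    scoped = scoped_pass_role_policy([SERVICE_ROLE_ARN, INSTANCE_ROLE_ARN])
    for policy_name, policy in (("scoped", scoped), ("wide-open", WIDE_OPEN_PASS_ROLE)):
        for role in (SERVICE_ROLE_ARN, ADMIN_ROLE_ARN):
            for service in (BEANSTALK, "lambda.amazonaws.com"):
                print(policy_name, role.rsplit("/", 1)[1], "->", service,
                      may_pass_role(policy, role, service))
```

With the scoped policy, creating or cloning an environment that names aws-elasticbeanstalk-service-role succeeds, while a request to pass the administrator role (or to pass the Beanstalk role to some other service) is refused with the same "permission to pass this role" message quoted above, which is the behaviour you want from the user-level policy.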

AWS Elastic Beanstalk Environment Requesting associated "instance profile"

When using the web UI for AWS Elastic Beanstalk Environment management, I see:
Code change deployments will complete faster if you associate an instance profile with this environment.
(also see this forum post mentioning the same thing: http://www.infosys.tuwien.ac.at/staff/leitner/cs_study/forum/viewtopic.php?pid=186#p186)
What is an instance profile? Why does it matter? How does it work / what is it doing?
I found these articles:
http://docs.aws.amazon.com/IAM/latest/UserGuide/instance-profiles.html
http://docs.aws.amazon.com/cli/latest/reference/iam/create-instance-profile.html
but I still don't understand instance profiles.
Like Celine said in the comment above, instance profiles allow you to associate an IAM role with your instance. This IAM role must be given certain permissions to access your AWS resources. Your EC2 instance (launched by Elastic Beanstalk) can then perform certain extra tasks. For example, if you launch a worker tier environment with Elastic Beanstalk, the daemon needs to poll an SQS queue and publish metrics to CloudWatch from the EC2 instance. This means that the EC2 instance needs some credentials to poll the queue. If you have an IAM role with appropriate policies associated with the EC2 instance, you essentially permit your instance to call SQS using the credentials of that role.
You can do other interesting things like automatic log publication to your S3 bucket if you have an instance profile associated with your environment.
Having an instance profile allows you to control permissions you want to give to the instance and also frees you from storing long term credentials on all your EC2 instances.
From the documentation:
Instance profiles provide applications and services access to AWS resources. For example, your application may require access to DynamoDB. Every API request made to AWS services must be signed using AWS security credentials. One way to grant applications access to AWS resources is to distribute your credentials to each instance; however, distributing long-term credentials to each instance is challenging to manage and a potential security risk. Instead, you can create an IAM role with the permissions that applications require when the application makes calls to other AWS resources. When AWS Elastic Beanstalk launches the Amazon EC2 instances, it uses the instance profile associated with that role. All applications that run on the instances can use the role credentials to sign requests. Because role credentials are temporary and rotated automatically, you don't have to worry about long-term security risks.
The message you are seeing on the console is recommending that you use an instance profile because that allows your EC2 instance to take a faster path to deploy your application version each time you update your environment with a new copy of your source code. The end result is the same, but having an instance profile enables optimizations in deployment speed which are not possible without one.
You can read more about instance profiles with Elastic Beanstalk here.
Although you can create a custom role and associate it with a Beanstalk environment by giving it appropriate permissions, for convenience you can just get a default role when you launch an environment using the AWS console. You will have the option of choosing which role you want to associate with an environment in the create environment wizard.
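To make the role distinction concrete (the instance profile's role versus the service role from the earlier thread, which the answer there stresses need different permissions), here is an added example, not code from the answer or from AWS, that writes the two trust policies, a permissions policy covering the worker-tier tasks the answer lists (polling the SQS queue, publishing CloudWatch metrics, publishing logs to S3), and a check that a policy grants a required set of actions. The queue ARN, log bucket, log key prefix and the exact SQS actions chosen for "polling" are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed placeholders; substitute your own worker queue and log bucket.
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:example-worker-queue"
LOG_BUCKET = "example-beanstalk-logs"


def _as_list(value):
    """IAM allows a single string or a list for Action/Principal; normalise."""
    return value if isinstance(value, list) else [value]


def _trust_policy(service_principal: str) -> dict:
    """Trust policy that lets one AWS service principal assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": service_principal},
            "Action": "sts:AssumeRole",
        }],
    }


def instance_role_trust_policy() -> dict:
    """The role behind the instance profile: EC2 assumes it on the instance's behalf
    and exposes the temporary credentials to processes on that instance."""
    return _trust_policy("ec2.amazonaws.com")


def service_role_trust_policy() -> dict:
    """The service role: assumed by the Elastic Beanstalk service itself when it
    calls EC2, ELB and Auto Scaling to check environment health."""
    return _trust_policy("elasticbeanstalk.amazonaws.com")


def assumable_by(trust_policy: dict) -> set:
    """Which service principals a trust policy lets assume the role."""
    principals = set()
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principals.update(_as_list(stmt.get("Principal", {}).get("Service", [])))
    return principals


def worker_tier_instance_policy(queue_arn: str, log_bucket: str) -> dict:
    """Permissions for the worker-tier instance profile: consume from one queue,
    publish metrics, write logs under one prefix of one bucket. No long-term
    keys are stored on the instance; the role's credentials are temporary."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "PollWorkQueue", "Effect": "Allow",
             "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage",
                        "sqs:ChangeMessageVisibility", "sqs:GetQueueAttributes"],
             "Resource": queue_arn},
            # PutMetricData does not support resource-level restriction, so '*' here.
            {"Sid": "PublishMetrics", "Effect": "Allow",
             "Action": "cloudwatch:PutMetricData", "Resource": "*"},
            {"Sid": "PublishLogs", "Effect": "Allow",
             "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{log_bucket}/logs/*"},
        ],
    }


def missing_actions(policy: dict, required_actions) -> list:
    """Required actions that no Allow statement grants (wildcards honoured)."""
    granted = [a for stmt in policy["Statement"] if stmt.get("Effect") == "Allow"
               for a in _as_list(stmt.get("Action", []))]
    return [need for need in required_actions
            if not any(fnmatchcase(need, g) for g in granted)]


if __name__ == "__main__":
    print("instance role assumable by:", assumable_by(instance_role_trust_policy()))
    print("service role assumable by:", assumable_by(service_role_trust_policy()))
    policy = worker_tier_instance_policy(QUEUE_ARN, LOG_BUCKET)
    print("missing for worker daemon:",
          missing_actions(policy, ["sqs:ReceiveMessage", "cloudwatch:PutMetricData"]))
    print("missing if something tries to send:", missing_actions(policy, ["sqs:SendMessage"]))
```

Because the two roles trust different principals and carry different permissions, a process on the instance can only ever use what the instance profile grants; it cannot pick up the service role's ability to inspect and describe the environment's EC2, ELB and Auto Scaling resources, and the instance profile's policy can stay as narrow as the worker daemon's actual needs.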