I have created a few environments before so I know how the Amazon EBS works however lately I have been having the following issue while creating an environment:
The instance profile aws-elasticbeanstalk-ec2-role associated with the environment has no role. Please attach a role to the instance profile.
I follow the steps to create a new environment. When it gets to the Permissions page, I create a new role as there are no existing ones. Then I follow the rest of the steps and eventually it starts to launch. After a couple minutes, I get the error above. Any help towards this will be helpful.
To solve this issue, I created a new role from the IAM Manager console. I selected Amazon EC2 as my Service Role Type. I attached the AWSElasticBeanstalkFullAccess policy. Then when creating a new environment, I chose the new role I created.
Though I am bit late in answering this issue, posting here if someone faces this error now.
In case your user has all the required permission to create role and BS has already created the "The instance profile aws-elasticbeanstalk-ec2-role".
The reason of this error is due to roles only and when we try to launch EC2 from aws BS, it creates a role naming "aws-elasticbeanstalk-ec2-role" with required permissions.
But, if there is already a role with Trusted entities "AWS service: ec2" so BS will check permission in that already existing older role.
So go to Roles > Search ec2 related roles and select the role which is active.
And just add AWSElasticBeanstalkFullAccess permission to that ec2 role, and this issue will be resolved.
Related
I have the following demo role created for AWS:
with the following trust relationship:
Now, I am trying to modify the role of an EC2 instance to be DemoRoleForEC2, but the role is not appearing in the dropdown list:
According to this answer here: IAM Role not showing in aws console in Modify IAM role page , it should be working fine as the Trust Relationships are ok, but it is not.
Other things I tried was stopping and restarting the EC2 Instance, and trying to create the role from the "Modify Role for IAM" page, but none worked. Any idea what the issue might be?
Just to update this answer, apparently, what is happening is that when creating a role, its instance profile is not being automatically created (I haven't figured out the reason yet). What I did was running these two commands on CLI:
aws iam create-instance-profile --instance-profile-name MyRoleInstanceProfile
aws iam add-role-to-instance-profile --role-name MyRole --instance-profile-name MyRoleInstanceProfile
And then the role will appear in the list in the "Modify Role for IAM" page.
One thing to check is the browser you are using to do this task and any browser extensions you may have installed.
I hit this issue where I was creating an EC2 role via the AWS console but it was not creating the instance profile.
I found the issue to be because I was using chrome and with the ClearURLs extension. I disabled this extension and when I then tried to create the role via the console, then the instance profile was also being created.
In my case I was creating an instance profile and adding a role with the CLI. Then, the instance profile was not showing up on EMR but it was appearing on EC2. After several attempts I tried naming the instance profile and the role with the same name (and no special characters), and then it worked.
I'm deploying a service to amazon ecs through docker. I need to assign an IAM role to the cluster that allows it to communicate with secrets manager, as that's where some of the important configuration comes from. However, when trying to select the iam role, I get this error message:
Error message
So I tried following the amazon documentation and going to the account settings tab signed in as the root account, only to find that the settings were already enabled by default. So now I'm sort of stuck as to what to do at this point. Is there something I'm missing here?
resources already enabled
From your screenshot what I understand is that the IAM role you are using to deploy the container does not have "ecsInstanceRole" in your IAM roles. You could use the following steps to create it.
Open the IAM console at https://console.aws.amazon.com/iam/
In the navigation pane, choose Roles and then choose Create role.
Choose the AWS service role type, and then choose Elastic Container Service.
Choose the EC2 Role for Elastic Container Service use case and then Next: Permissions.
In the Attached permissions policy section, select AmazonEC2ContainerServiceforEC2Role and then choose Next: Review.
Important
The AmazonEC2ContainerServiceforEC2Role managed policy should be attached to the container instance IAM role, otherwise you will receive an error using the AWS Management Console to create clusters.
For Role name, type ecsInstanceRole and optionally you can enter a description.
Review your role information and then choose Create role to finish.
or you can follow the below document:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html
This is a strange one... If I click on the instance id, and then navigate to security, it tells me the instance has role X. Then I back out to view all instances, mark the checkbox for the instance in question, go to Actions -> Security -> Modify IAM Role, and it shows me a different role, role Y. I then try to set it to No IAM Role (or any various role), and I get this error:
"Multiple roles associated to instance
The selected instance has more than one IAM role associated. This usually occurs when the instance is in the process of replacing an existing instance profile association. "
I have no idea what to do because I didn't think an EC2 instance was supposed to be able to have two roles... nothing can assume two roles at once, anyway. So this feels like a bug... can anyone help me solve this?
I had the same issue and it seems that when replacing the instance profile it somehow stays in a state that's not completely associated.
Using the CLI we can see the status of the profile association:
aws ec2 describe-iam-instance-profile-associations
In my case the problematic profile was showing as "associating", while all the others show "associated".
Get the AssociationID for the problematic association and disassociate it with the command
aws ec2 disassociate-iam-instance-profile --association-id iip-assoc-xxxxxx
After that you should see the previous profile you had originally and everything should be consistent.
Hope it helps solving the problem.
I wanted to expound on Nelson Brito's answer since I found a way to return your instance to a normal state. I ran into this situation yesterday when helping a user, and I observed my instance with two profile associations -- one in a state of associating and one in a state of disassociating. The command to find this was:
aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-xxxxxx
To fix the issue, I first removed the associating profile using the command:
aws ec2 disassociate-iam-instance-profile --association-id iip-assoc-xxxxxx
Next, I went to the console and detached the instance from all profiles (there is probably a CLI invocation, but I didn't figure it out). When done, you should have a clean instance:
aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-xxxxxx
{
"IamInstanceProfileAssociations": []
}
Here's where we get to the root cause. When I re-assigned the role that was previously stuck in associating, well, it remained stuck in associating. The root cause of my problem was that the user had created the role without setting a trust relationship with EC2. The fix was two parts:
Update the instance trust relationship to add "Service": "ec2.amazonaws.com" as an allowed principal
Use the CLI to disassociate the role and add it again
tl;dr - If you ever run into this, ensure that the role you're trying to assign to your ec2 instance can be assumed by your ec2 instance.
We had the issue Multiple roles associated to instance after bringing an existing EC2 into CloudFormation. Nelson Brito's answer helped to resolve the issue.
To avoid the issue altogether when bringing an existing EC2 into CloudFormation, I now recommend
first disassociate the IAM role (for example via the AWS Console)
import the EC2 only, i.e. without InstanceProfile and Role in the import template
add InstanceProfile and Role to the template and update the stack.
When I try to launch an Elastic Beanstalk environment from the command line, I get this error during the process:
Environment health has transitioned from Pending to Warning. Access
denied while accessing Auto Scaling and Elastic Load Balancing using
role "arn:aws:iam::XXXXXXXXXX:role/aws-elasticbeanstalk-service-role".
Verify the role policy.
When I launch it from the console, I do not get this warning. I have tried to replicate the same AWS console configuration from the CLI , but I still get this error.
Any clue what's going on?
If anyone is still getting a similar error and is still unsure how to solve it
Navigate to IAM in the AWS Console.
Navigate to the aws-elasticbeanstalk-service-role (under Access Management > Roles).
Attach the following policies:
AutoScalingFullAccess
ElasticLoadBalancingFullAccess
I then rebuilt the environment, no more errors!
The following article helped me understand this better: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts-roles-service.html
You can go to your IAM console. You will see the "aws-elasticbeanstalk-service-role", Under the permission tab, you can grant the specific you want to give the policy on your behalf. Refresh and you should have "Ok". Make sure the permission you grant the role can manage this " Auto Scaling and Elastic Load Balancing using role"
Elastic Beanstalk now uses a Service Role to call other AWS services on your behalf. The IAM role is created in your account and you give permissions to launch
Service role is optional but recommended for new environments.
Especially for enhanced health monitoring (which is what your using based on the error message), service role is mandatory. A misconfigured service role can lead to this error message.
The console experience makes it very easy for you to create/use the role with the correct permissions. This is because you just need to select the correct role from the dropdown (if the role already exists) when using the create environment wizard.
When using the CLI you need to pass the service role option setting. (namespace: aws:elasticbeanstalk:environment, option_name: ServiceRole). You can find the required permissions for a role configured in this documentation.
There are some more details about service role in my previous stack overflow answer here.
If anyone can not solve the error whit the previous actions what I had to do is:
Add to aws-elasticbeanstalk-service-role the following policies AutoScalingFullAccess | ElasticLoadBalancingFullAccess
Not re-start but build the environment again
(after a while it kept launching the error)
Then I added:
AdministratorAccess-AWSElasticBeanstalk (again to aws-elasticbeanstalk-service-role)
Re-build the environment again
It is working at the moment.
I want to "associate an instance profile" with my environment (to speed up upload performance for my website) but can't find useful instructions on how anywhere in the AWS documentation (or here on SO).
How do I "associate an instance profile" with an environment on AWS?
Not clear what you are trying to accomplish, but if you are look to just 'associate an instance profile', here you go:
http://docs.aws.amazon.com/IAM/latest/UserGuide/instance-profiles.html
An instance profile is a container for an IAM role. Instance profiles
are used to pass role information to an Amazon EC2 instance when the
instance starts. When you use the Amazon EC2 console to launch an
instance with an IAM role, you can select a role to associate with the
instance. In the console, the list that's displayed is actually a list
of instance profile names.
If you use the AWS Management Console to create a role, the console
creates an instance profile automatically and gives it the same name
as the role it corresponds to. However, if you use the CLI, API, the
AWS SDK, or a third-party tool to create roles and instance profiles,
you create the roles and instance profiles as separate actions, and
you might give them different names. In that case, you need to know
the names of your instance profiles as well as the names of roles they
contain so that you can choose the correct instance profile when you
launch an Amazon EC2 instance.
If you are seeing this error when trying to set up a Elastic Beanstalk environment, it could be that the IAM user does not have sufficient permissions. You should add the IAM Policy named IAMFullAccess for that user.
You can check one option that works here for AWS Beanstalk. This is using AWS Console.
Create IAM Role for "EC2" as AWS Service and attach
"AWSElasticBeanstalkFullAccess" policy to it.
Create an AWS Beanstalk environment with tier/platform/application of choice. (I did with Web Tier choosing Docker platform using python:3-onbuild).
Hit "Configure More Options" > "Modify" Security.
Choose "IAM instance profile" which was created in Step 1. (Keep Service role
"aws-elasticbeanstalk-service-role" as this is needed! It has some key policies!)
"Save" and "Create Environment".
Similarly, it should work for AWS CLI and AWS SDK as well. Key here is the instance profile role you choose for EC2 (or say instance IAM role/instance profile) during Beanstalk Environment creation.
You can create customer managed policy extending or reusing AWSElasticBeanstalkFullAccess policy based on need. Refer AWSElasticBeanstalkFullAccess to understand it better. Also, check out some more AWS Managed policies starting with AWSElasticBeanStalk*.
Somehow default aws-elasticbeanstalk-ec2-role policy is not working/taking effect as desired for me.
For what it's worth, the AWS console now displays an alert (see image) that has a link to help you associate the instance profile with your environment. Therefore, if you see this message in the CLI, you probably need to log into the Management Console, navigate to Elastic Beanstalk, and choose your environment. You will then see the message and be able to use the link to resolve the issue.
Note 1: You may need to redeploy your app after associating the profile. I did.
Note 2: It really does make deployments faster.
Orome,
As E.J Brennan pointed out in his post, you must have a role created first, and attach the necessary IAM policies to that role, then you create the instance profile:
aws iam create-instance-profile --instance-profile-name YOUR_INSTANCE_PROFILE_NAME
Then add the role you created in the beginning to the instance profile:
aws iam add-role-to-instance-profile --instance-profile-name YOUR_INSTANCE_PROFILE_NAME --role-name YOUR_ROLE
Then attach the instance profile to your instance:
aws ec2 associate-iam-instance-profile --instance-id YOUR_INSTANCE_ID --iam-instance-profile Name="YOUR_INSTANCE_PROFILE_NAME"
Is this what you are looking for?
As E.J Brennan also pointed out, the AWS management console does the instance profile for you behind the scenes.