Access denied while accessing ELB using role "arn:aws:iam::role/aws-elasticbeanstalk-service-role"

I got this error message when I tried to deploy a Java Spring application using Elastic Beanstalk.

When I analyzed this further, it showed that the IAM policy associated with the service role was missing the following actions:

    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeTargetHealth"

The IAM policy associated with the service role had the following configuration:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "elasticloadbalancing:DescribeInstanceHealth",
                    "ec2:DescribeInstances",
                    "ec2:DescribeInstanceStatus",
                    "ec2:GetConsoleOutput",
                    "ec2:AssociateAddress",
                    "ec2:DescribeAddresses",
                    "ec2:DescribeSecurityGroups",
                    "sqs:GetQueueAttributes",
                    "sqs:GetQueueUrl",
                    "autoscaling:DescribeAutoScalingGroups",
                    "autoscaling:DescribeAutoScalingInstances",
                    "autoscaling:DescribeScalingActivities",
                    "autoscaling:DescribeNotificationConfigurations"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
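The gap can be confirmed offline by diffing the policy document against the two actions named in the error analysis. The script below is an added example, not part of the original post; `missing_actions` and its helpers are hypothetical names, and it only evaluates `Action` entries in `Allow` statements (no `Deny`, `NotAction`, `Condition` or resource scoping).

```python
import json
from fnmatch import fnmatchcase

# Policy document from the page (the auto-created service role policy).
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Action": [
     "elasticloadbalancing:DescribeInstanceHealth",
     "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:GetConsoleOutput",
     "ec2:AssociateAddress", "ec2:DescribeAddresses", "ec2:DescribeSecurityGroups",
     "sqs:GetQueueAttributes", "sqs:GetQueueUrl",
     "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances",
     "autoscaling:DescribeScalingActivities",
     "autoscaling:DescribeNotificationConfigurations"],
   "Resource": ["*"]}]}
""")

# Actions the page reports as missing from the service role.
REQUIRED = [
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeTargetHealth",
]

def as_list(value):
    """IAM accepts either a single string or a list for Action and Statement."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def allowed_patterns(policy):
    """Collect lower-cased Action patterns from every Allow statement."""
    patterns = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            patterns += [a.lower() for a in as_list(stmt.get("Action"))]
    return patterns

def missing_actions(policy, required):
    """Required actions that no Allow pattern covers.
    Action names are case-insensitive; '*' and '?' act as wildcards."""
    patterns = allowed_patterns(policy)
    return [r for r in required
            if not any(fnmatchcase(r.lower(), p) for p in patterns)]

if __name__ == "__main__":
    for action in missing_actions(POLICY, REQUIRED):
        print("not granted:", action)
```

To check a live role, pass the combined statements of all its attached and inline policies, since a role's permissions are the union of them.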

To give some background, this is an auto-created service role. It was created by Visual Studio 2019 when I used Elastic Beanstalk for .NET applications.

The fix for this is to associate the IAM policy 'arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth' with the service role.

https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts-roles-service.html

This turns the Elastic Beanstalk environment health to green.
