Elastic Beanstalk S3 access via .ebextensions

Question

I have a simple file in my .ebextensions folder:

00-myconfig.config

Resources:
    AWSEBAutoScalingGroup:
        Metadata:
            AWS::CloudFormation::Authentication:
                S3Access:
                    type: S3
                    roleName: aws-elasticbeanstalk-ec2-role
                    buckets: my-bucket
files:
    "/tmp/ca-bundle.zip":
        mode: "000755"
        owner: root
        group: root
        source: https://s3-ap-southeast-2.amazonaws.com/my-bucket/ca/ca-bundle.zip
        authentication: S3Access

Which according to multiple answers is the way to grant S3 bucket access to the aws-elasticbeanstalk-ec2-role role.

But I continue to get the 403 error in /var/log/eb-activity.log

[2015-08-26T01:27:03.544Z] INFO  [22320] - [Application update/AppDeployStage0/EbExtensionPreBuild/Infra-EmbeddedPreBuild] : Activity execution failed, because: Failed to retrieve https://s3-ap-southeast-2.amazonaws.com/my-bucket/ca/ca-bundle.zip: HTTP Error 403 : <?xml version="1.0" encoding="UTF-8"?> (ElasticBeanstalk::ExternalInvocationError)

If I manually add an S3 access policy to the aws-elasticbeanstalk-ec2-role role everything works, so I know I don't have misspellings in URLS or anything else, the EC2 instance is definitely in the correct role.

What is wrong?

PS. I tried the files section with or without the 'authentication' setting.

Answer 1

I've figured it out and I feel a little bit silly for not picking this up sooner.

So for anyone that uses AWS::CloudFormation::Authentication path, the solution of course is:

Make sure your BUCKET policy allows your aws-elasticbeanstalk-ec2-role. DOH!!

It should look something like this:

{
    "Id": "Policy1111Blah",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1440Blah",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::11111111111:role/aws-elasticbeanstalk-ec2-role"
                ]
            }
        }
    ]
}

You can grab the ARN from IAM console.

The instructions in your .ebextensions config files only tell the EB deploy tools what to use to authenticate, but your source bucket (if private obviously) needs to allow that principal access!!!