Could not connect to Amazon SimpleDB from Elastic Beanstalk

1
votes

I have an application which communicates with Amazon SimpleDB. Everything works fine when running on localhost, where I deploy this webapp to my Tomcat instance.

I specified the AWS credentials as environmental variables both on my local Tomcat and also on Elastic Beanstalk where I deployed the application.

However, on the Elastic Beanstalk, I get an Autowire exception (it's a spring-boot application) which is caused by the following:

Caused by: com.amazonaws.AmazonServiceException: User (arn:aws:sts::295923482971:assumed-role/aws-elasticbeanstalk-ec2-role/i-b35eef66) does not have permission to perform (sdb:ListDomains) on resource (arn:aws:sdb:us-east-1:295923482971:domain/). Contact account owner. (Service: AmazonSimpleDB; Status Code: 403; Error Code: AuthorizationFailure; Request ID: a20f4ed9-a54d-ec13-2886-b5d31cce3778)
    at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:1088)
    at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:735)
    at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:461)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:296)
    at com.amazonaws.services.simpledb.AmazonSimpleDBClient.invoke(AmazonSimpleDBClient.java:1021)
    at com.amazonaws.services.simpledb.AmazonSimpleDBClient.listDomains(AmazonSimpleDBClient.java:708)
    at com.amazonaws.services.simpledb.AmazonSimpleDBClient.listDomains(AmazonSimpleDBClient.java:974)
    at com.berrycloud.paypal.service.impl.SimpleDBServiceImpl.init(SimpleDBServiceImpl.java:53)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at

This happens during the startup where I am autowiring a class the following code:

  @PostConstruct
  private void init() {
    log.debug("Setting database client endpoint: {}", endpoint);
    client.setEndpoint(endpoint);

    // check if the domain exists
    log.debug("Listing existing domains...");

    final List<String> tableNames = client.listDomains().getDomainNames();
    if (!tableNames.contains(domain)) {
      // if not, create it
      log.debug("Creating domain {}", domain);
      client.createDomain(new CreateDomainRequest(domain));
    }
  }

I am using the same AWS credentials both locally and on the Elastic Beanstalk so I do not understand why does it work in the first case but fails in the other. Could someone help me out?

2
javatomcatamazon-web-servicesspring-bootamazon-elastic-beanstalk

2 Answers

1
votes

Do you have any policy for the user ? generally, it means the IAM policy is not good enough, you can read more here

you can try adding : 

{
   "Version": "2015-09-14",
   "Statement":[{
      "Effect":"Allow",
      "Action":"sdb:ListDomains",
      "Resource":"arn:aws:sdb:us-east-1:295923482971:domain/<youraccount>"
      }
   ]
}
0
votes

There is even a simple way to figure out what policies are missing by using

PolicySimulator from AWS.

  • Select service you want to simulate for
  • Select actions pertaining to that service
  • Either use an existing policy or create a new temp policy to try it

enter image description here