7
votes

I'm trying to set up an AWS Elastic Beanstalk single instance with SSL, and I would like to store the private key in S3 and have the instance retrieve the key after deployment (to avoid submitting the private key to version control).

As per the AWS documentation at: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-storingprivatekeys.html, I have set up my config, stored at myproject/.ebextensions/privatekey.config:

Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Auth:
          type: "s3"
          buckets: ["my_bucket"]
          roleName:
            "Fn::GetOptionSetting":
              Namespace: "aws:autoscaling:launchconfiguration"
              OptionName: "IamInstanceProfile"
              DefaultValue: "aws-elasticbeanstalk-ec2-role"
files:
  # Private key
  /path/to/private/key:
    mode: "000400"
    owner: root
    group: root
    authentication: "S3Auth"
    source: https://s3.eu-west-2.amazonaws.com/my_s3_bucket/my_private_key

However, whenever I deploy I get the error: Command failed on instance. Return code: 1 Output: Failed to retrieve https://s3.eu-west-2.amazonaws.com/my_bucket/my_private_key: 'NoneType' object has no attribute 'is_default'.

I have checked the configuration in Elastic Beanstalk and the project has the instance profile of aws-elasticbeanstalk-ec2-role, and this role definitely has the correct policy for S3 (I have even assigned it AmazonS3FullAccess, which shouldn't be necessary!)

When I test with a file that is publicly accessible, I can get it to work fine. However, not when the file is private.

1
I am not quite sure, but is the private key a folder or a file name? Filenames have extensions for the purpose of identification, and maybe EBS is unable to determine that. Try uploading a normal private key with an extension. - user4237179
I am having the same problem, did you find a solution? - João Abrantes
I did get this working and, honestly, I never actually figured out the problem, or why it started working. I will post the working code now and point out the differences so you can try them. - Nicholas
Hi, I've just noticed @MainaWycliffe's answer from April 5th. Thinking back, I think this was actually the issue, and it was fixed by using a file extension. Joao, have you tried adding an extension to the file? - Nicholas

1 Answer

0
votes

I had this issue with an EC2 instance in the eu-west-2 region. I have not been able to replicate it in other regions.

If you are having this issue, and the EC2 instance is in the eu-west-2 region, try this workaround: just format the URL differently.

Instead of: https://s3.eu-west-2.amazonaws.com/elasticbeanstalk-eu-west-2-XXXXXXXXX/yourfolderpath/server.key

Try: https://elasticbeanstalk-eu-west-2-XXXXXXXXX.s3-eu-west-2.amazonaws.com/yourfolderpath/server.key
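
An added example (not part of the original answer or of any AWS tooling): a small Python check for a .ebextensions `files:` entry that extracts the bucket from either URL layout shown above, confirms it is listed in the `S3Auth` `buckets` value, and rewrites a path-style URL into the layout the answer suggests. The function names are hypothetical, and the patterns cover only the regional endpoint forms that appear on this page.

```python
import re
from urllib.parse import urlsplit

# Host layouts seen on this page: path-style and the answer's bucket-in-host form.
_PATH_HOST = re.compile(r"^s3[.-](?P<region>[a-z0-9-]+)\.amazonaws\.com$")
_VHOST = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]+)\.s3[.-](?P<region>[a-z0-9-]+)\.amazonaws\.com$")


def parse_s3_url(url):
    """Return (bucket, region, key, is_path_style); raise ValueError otherwise."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path.lstrip("/")
    m = _PATH_HOST.match(host)
    if m:
        bucket, _, key = path.partition("/")
        if bucket and key:
            return bucket, m.group("region"), key, True
    m = _VHOST.match(host)
    if m and path:
        return m.group("bucket"), m.group("region"), path, False
    raise ValueError("not a regional S3 object URL: %r" % url)


def to_bucket_in_host(url):
    """Rewrite a path-style URL into the layout the answer suggests."""
    bucket, region, key, _ = parse_s3_url(url)
    return "https://%s.s3-%s.amazonaws.com/%s" % (bucket, region, key)


def review_source(source_url, auth_buckets):
    """Findings for one files: entry that relies on the S3Auth block."""
    bucket, _, _, is_path_style = parse_s3_url(source_url)
    findings = []
    if bucket not in auth_buckets:
        findings.append("bucket %r is not in S3Auth buckets %r" % (bucket, auth_buckets))
    if is_path_style:
        findings.append("path-style URL; alternative: " + to_bucket_in_host(source_url))
    return findings


if __name__ == "__main__":
    # Placeholder values exactly as written in the question's config.
    src = "https://s3.eu-west-2.amazonaws.com/my_s3_bucket/my_private_key"
    for finding in review_source(src, ["my_bucket"]):
        print(finding)
```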