2
votes

I'm trying to set up AWS CodeBuild to deploy an application to AWS Elastic Beanstalk.

The problem is that it seems that the EB CLI is not available from AWS CodeBuild (It seems like it should, reading this... https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/eb-cli-codebuild.html)

So when I specify an eb cli command on CodeBuild:

version: 0.2

phases:
  install:
    commands:
      - echo Logging into Amazon ECR...
      - eb init --platform "multi-container-docker-18.03.1-ce-(generic)" --region us-west-1 application

I get:

/codebuild/output/tmp/script.sh: eb: not found

I also tried installing the CLI with:

- pip install --upgrade awsebcli awscli
- eb init --platform "multi-container-docker-18.03.1-ce-(generic)" --region us-west-1 application

And extended the generated AWS CodeBuild role with full access to Elastic Beanstalk.

But I get this error:

ERROR: NotAuthorizedError - Operation Denied. Access Denied

I added a --debug flag to the command, and this is the exact error:

2018-09-10 13:33:55,151 (DEBUG) ebcli.lib.aws : Making api call: (elasticbeanstalk, describe_configuration_settings) to region: us-west-1 with args:{'ApplicationName': 'application', 'EnvironmentName': 'staging'}
2018-09-10 13:33:55,495 (DEBUG) ebcli.lib.aws : Response: {'Error': {'Type': 'Sender', 'Code': 'InsufficientPrivilegesException', 'Message': 'Access Denied'}, 'ResponseMetadata': {'RequestId': '32f4e739-1694-4aa2-9e2e-076ec4861ae7', 'HTTPStatusCode': 403, 'date': 'Mon, 10 Sep 2018 13:33:55 GMT', 'RetryAttempts': 0}}
2018-09-10 13:33:55,495 (DEBUG) ebcli.lib.aws : API call finished, status = 403

Am I missing something? How can I use the EB CLI from CodeBuild properly?

1
At what point are you getting the NotAuthorizedError? - progfan
@progfan I'm getting the error after the call to eb init - Carlos Martinez
Can you do eb init --debug? This will show a stack trace, but in the lines leading up to it, there should also be an indication of which API call failed. This will likely be the last debug log statement of the kind Making api call: (<service name>, <operation>). You would likely need to give your user role permissions to that service + operation. - progfan
@progfan I added the debug flag and I can see a more precise error, I updated the question with the error. I can see that the "DescribeConfigurationSettings" endpoint is giving back a 403 status, but I already attached that policy to the service role (by giving full access). - Carlos Martinez
Is there a chance this error could happen because the CodeBuild service and the beanstalk application are in different regions? - Carlos Martinez

1 Answer

5
votes

It turns out the EBCLI needs more than just the Elastic Beanstalk policy to work. That is why I was still getting an authentication error even though I attached a Full Access policy for Elastic Beanstalk.

What I did to understand the policies required was to create an IAM role with full access to all services, and attach it to the AWS CodeBuild project.

Then, going to IAM Roles -> Role name -> Access advisor you can check exactly which policies were used by the project so you can create a proper Role for the service.

Notes:

  • Recent activity usually appears within 4 hours. (It's likely that you won't see all the services being used in Access Advisor right away)
  • You can start by using the AWSElasticBeanstalkFullAccess built-in policy instead of the AdministratorAccess policy to pinpoint what services are being used with the eb client
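
The comments above suggest reading the "Making api call" lines in the eb --debug output to see which operation was denied. As an added example (not part of the original posts and not EB CLI code), this Python script pulls those calls and their HTTP status out of a debug log and lists them as candidate IAM actions for a narrower CodeBuild role. The log lines are constructed in the format quoted in the question, and the mapping from operation name to IAM action name is an assumption that holds for most AWS APIs but not all, so review each action before using it.

```python
import json
import re

# Constructed sample in the format of the `eb init --debug` output quoted in the question.
SAMPLE_LOG = """\
2018-09-10 13:33:54,802 (DEBUG) ebcli.lib.aws : Making api call: (elasticbeanstalk, describe_applications) to region: us-west-1 with args:{}
2018-09-10 13:33:55,100 (DEBUG) ebcli.lib.aws : API call finished, status = 200
2018-09-10 13:33:55,151 (DEBUG) ebcli.lib.aws : Making api call: (elasticbeanstalk, describe_configuration_settings) to region: us-west-1 with args:{'ApplicationName': 'application', 'EnvironmentName': 'staging'}
2018-09-10 13:33:55,495 (DEBUG) ebcli.lib.aws : API call finished, status = 403
"""

CALL_RE = re.compile(r"Making api call: \((?P<service>[\w-]+), (?P<op>\w+)\)")
STATUS_RE = re.compile(r"API call finished, status = (?P<status>\d+)")

def to_iam_action(service, operation):
    # Assumption: IAM action = logged service name + ":" + PascalCase operation.
    # Some services use a different IAM prefix or action name; verify each one.
    return service + ":" + "".join(p.capitalize() for p in operation.split("_"))

def parse_calls(log_text):
    """Return [(iam_action, http_status)], pairing each call with the next status line."""
    calls, pending = [], None
    for line in log_text.splitlines():
        m = CALL_RE.search(line)
        if m:
            if pending:  # earlier call never got a status line (truncated log)
                calls.append((pending, None))
            pending = to_iam_action(m["service"], m["op"])
            continue
        m = STATUS_RE.search(line)
        if m and pending:
            calls.append((pending, int(m["status"])))
            pending = None
    if pending:
        calls.append((pending, None))
    return calls

def denied_actions(calls):
    return sorted({action for action, status in calls if status == 403})

def candidate_policy(calls):
    """IAM policy document listing every action seen in the log ("*" is a placeholder resource)."""
    actions = sorted({action for action, _ in calls})
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}

if __name__ == "__main__":
    calls = parse_calls(SAMPLE_LOG)
    print("Denied:", denied_actions(calls))
    print(json.dumps(candidate_policy(calls), indent=2))
```
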