
Getting this Elastic Beanstalk permission error when trying to do:

eb ssh --setup
2020-07-06 07:36:50    INFO    Environment update is starting.      
2020-07-06 07:36:53    ERROR   Service:Amazon S3, Message:You don't have permission to copy an Amazon S3 object to another S3 location. Source: bucket = 'tempsource', key = 'xxx'. Destination: bucket = 'tempdest', key = 'yyy'.
2020-07-06 07:36:53    ERROR   Failed to deploy configuration.

Is there a specific policy that I should be adding to my IAM permissions? I've tried adding full S3 access to my IAM User, but the error remains. Or is a permissions error associated with the source bucket?

Some more details:

Both buckets are in the same AWS account. The copying operation doesn't work for AWS CLI copy commands.

Bucket Profiles

Source Bucket

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/aws-elasticbeanstalk-ec2-role"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::SOURCE_BUCKET/*"
        },
        {
            "Sid": "Stmt2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/aws-elasticbeanstalk-ec2-role"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::SOURCE_BUCKET"
        }
    ]
}

Destination Bucket (elasticbeanstalk-us-west-2-XXXXXXXXXXXX)

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "eb-ad78f54a-f239-4c90-adda-49e5f56cb51e",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/aws-elasticbeanstalk-ec2-role"
            },
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk-us-west-2-XXXXXXXXXXXX/*",
                "arn:aws:s3:::elasticbeanstalk-us-west-2-XXXXXXXXXXXX/resources/environments/logs/*"
            ]
        },
        {
            "Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/aws-elasticbeanstalk-ec2-role"
            },
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk-us-west-2-XXXXXXXXXXXX",
                "arn:aws:s3:::elasticbeanstalk-us-west-2-XXXXXXXXXXXX/resources/environments/*"
            ]
        },
        {
            "Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::elasticbeanstalk-us-west-2-XXXXXXXXXXXX"
        }
    ]
}

1 Answer


I've tried adding full S3 access to my IAM User, but the error remains.

The error is not about your IAM permissions (i.e. your IAM user), but about a role that EB is using on your instance (i.e. instance role/profile):

The default role used on the instances is aws-elasticbeanstalk-ec2-role. Thus you can locate it in the IAM console and add the required S3 permissions. Depending on your setup, you may be using a different role.

Or is a permissions error associated with the source bucket?

If you have bucket policies that deny the access, it could also be the reason.
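
Both points from the answer, shown as an added example (not part of the original answer and not AWS tooling): a simplified same-account evaluator that checks whether the instance role can perform the two actions a copy needs, and how an explicit Deny in a bucket policy overrides an Allow on the role. It ignores Condition, NotAction, permission boundaries and SCPs; the account ID, bucket names and policies are constructed.

```python
import fnmatch

ROLE = "arn:aws:iam::111122223333:role/aws-elasticbeanstalk-ec2-role"  # constructed account id

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _applies(stmt, principal, action, resource):
    """True if a statement covers this principal, action and resource."""
    princ = stmt.get("Principal")  # identity policies (assumed attached to the role) have none
    if princ is not None:
        named = ["*"] if princ == "*" else _as_list(princ.get("AWS", []))
        if "*" not in named and principal not in named:
            return False
    return (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def decide(policies, principal, action, resource):
    """Explicit Deny wins; otherwise any Allow; otherwise implicit deny."""
    effects = {s["Effect"] for p in policies for s in p["Statement"]
               if _applies(s, principal, action, resource)}
    if "Deny" in effects:
        return "explicit deny"
    return "allow" if "Allow" in effects else "implicit deny"

def copy_check(policies, principal, src, dst):
    """A copy needs s3:GetObject on the source key and s3:PutObject on the destination key."""
    return {"s3:GetObject": decide(policies, principal, "s3:GetObject", "arn:aws:s3:::" + src),
            "s3:PutObject": decide(policies, principal, "s3:PutObject", "arn:aws:s3:::" + dst)}

# Constructed sample policies (bucket names are placeholders).
SRC_BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE},
    "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::SOURCE_BUCKET"}]}
DST_BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE},
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::DEST_BUCKET/*"}]}
ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::SOURCE_BUCKET/*", "arn:aws:s3:::DEST_BUCKET/*"]}]}
SRC_DENY = {"Statement": [{"Effect": "Deny", "Principal": "*",
    "Action": "s3:*", "Resource": "arn:aws:s3:::SOURCE_BUCKET/*"}]}

if __name__ == "__main__":
    base = [SRC_BUCKET_POLICY, DST_BUCKET_POLICY]
    for label, pols in [("bucket policies only", base),
                        ("plus role policy", base + [ROLE_POLICY]),
                        ("plus source-bucket Deny", base + [ROLE_POLICY, SRC_DENY])]:
        print(label, copy_check(pols, ROLE, "SOURCE_BUCKET/xxx", "DEST_BUCKET/yyy"))
```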