Since last week, all our systems on Elastic Beanstalk suddenly failed to install the latest platform update, 4.2.7 to 4.3.0, as part of a weekly managed update process. This came as an unwelcome surprise, as platform updates have been working without any issues for at least the last 36 months.
The reason for the failure is that the ec2:CreateTags permission is not available for arn/**/elastic-ip/ in the AwsElasticBeanstalkManagedUpdatesCustomerRolePolicy, which is attached to the aws-elasticbeanstalk-service-role.
Adding this permission to the role resolves the issue. However, I have the following two questions:
- Why does the AwsElasticBeanstalkManagedUpdatesCustomerRolePolicy not contain this permission in the first place, if it is required for the platform update?
- Why is this permission suddenly required when it has not been required for at least the last 36 months? Have we missed an important update? Is AwsElasticBeanstalkManagedUpdatesCustomerRolePolicy no longer the correct policy for managed updates?