Problem description
I'm logging into a role through SSO and I'm trying to create a new Elastic Beanstalk environment (newest tomcat if it matters) and I am getting the following error which is preventing me from even getting the environment started building:
(Namespace: 'aws:elasticbeanstalk:environment', OptionName: 'ServiceRole'): Invalid service role
This is happening even when I am trying to clone an existing environment. I've tried to auto generate a service role and to manually create one. Both are giving the error. This error does not happen when I am logging into a user with the same permissions.
When you clone an environment using the Elastic Beanstalk console, you have the option to choose a new platform and a service role. Service role is a new concept in beanstalk documented here. A service role is not required if you are using basic health monitoring, but it is required if you choose to use enhanced health monitoring.
When creating an environment you can choose to pass an IamInstanceProfile (typically named aws-elasticbeanstalk-ec2-role) and a service role (typically named aws-elasticbeanstalk-service-role). These two roles are required when using Enhanced Application Health Monitoring. Please note that these two roles require a completely different set of permissions and you should use different roles for each of them. You can find the list of permissions required for Service Role and Instance profile documented here.
When creating/cloning/modifying environments using AWS console you will be shown an option to choose a service role. If you have never used a Service role before, you will be presented with an option to "Create a new role". The console allows you to create the Service role required by beanstalk using a single button click. You can view the permissions before creating the role.
After the first create, the console will present you with a dropdown with the role you created previously (typically named aws-elasticbeanstalk-service-role) and you can reuse this service role.
From the documentation: "A service role is the IAM role that Elastic Beanstalk assumes when calling other services on your behalf. Elastic Beanstalk uses the service role that you specify when creating an Elastic Beanstalk environment when it calls Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing, and Auto Scaling APIs to gather information about the health of its AWS resources."
When creating/using a role you need to make sure the IAM user has pass role permission for the role you created. In case you are not using the root account make sure you have the correct policies for the IAM user. Note the iam:PassRole permission allows your IAM user to pass the role to beanstalk service.
Update
There was an issue with Single Sign On that has now been resolved. Please update here or in the AWS forum thread below if you are still seeing issues. AWS forum thread: https://forums.aws.amazon.com/thread.jspa?threadID=171369
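As an added example (not part of the answer above), this is a least-privilege IAM policy granting the iam:PassRole permission the answer describes: it allows passing only the aws-elasticbeanstalk-service-role named in the answer, and only to the Elastic Beanstalk service. The account id 123456789012 is a placeholder; iam:PassedToService is the standard IAM condition key that limits which service a passed role may be handed to.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PassBeanstalkServiceRoleOnlyToBeanstalk",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/aws-elasticbeanstalk-service-role",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "elasticbeanstalk.amazonaws.com"
        }
      }
    }
  ]
}
```

Attach it to the IAM user, or, when signing in through SSO, to the role the SSO session assumes, since IAM evaluates the assumed role's policies for the console request rather than those of any separate user.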