Elastic Beanstalk service role - AWS Elastic Beanstalk

Elastic Beanstalk service role

A service role is the IAM role that Elastic Beanstalk assumes when calling other services on your behalf. For example, Elastic Beanstalk uses a service role when it calls Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing, and Amazon EC2 Auto Scaling APIs to gather information. This information might include the health of its AWS resources for enhanced health monitoring. The service role that Elastic Beanstalk uses is the one that you specified when you created the Elastic Beanstalk environment.

The AWSElasticBeanstalkEnhancedHealth managed policy contains all of the permissions that Elastic Beanstalk requires to monitor environment health:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTargetHealth",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:GetConsoleOutput",
                "ec2:AssociateAddress",
                "ec2:DescribeAddresses",
                "ec2:DescribeSecurityGroups",
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "autoscaling:DescribeScalingActivities",
                "autoscaling:DescribeNotificationConfigurations",
                "sns:Publish"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

This policy also includes Amazon SQS actions to allow Elastic Beanstalk to monitor queue activity for worker environments.

If you create an environment using the Elastic Beanstalk console, Elastic Beanstalk prompts you to create a service role that's named aws-elasticbeanstalk-service-role. Create this role with the default set of permissions and a trust policy that allows Elastic Beanstalk to assume the service role. If you enable managed platform updates, Elastic Beanstalk attaches another policy with permissions that enable that feature.
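The two properties of the service role described above, a permissions policy limited to the enhanced-health actions and a trust policy that lets only Elastic Beanstalk assume it, can be checked offline. The following is an added example (not AWS code or part of this documentation): it audits role policy documents of the shape IAM returns, using a constructed trust policy and permissions policy as sample input, and the account ID in the sample is a placeholder.

```python
# Action list copied from the AWSElasticBeanstalkEnhancedHealth policy quoted above.
ENHANCED_HEALTH_ACTIONS = frozenset({
    "elasticloadbalancing:DescribeInstanceHealth", "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeTargetHealth", "ec2:DescribeInstances",
    "ec2:DescribeInstanceStatus", "ec2:GetConsoleOutput", "ec2:AssociateAddress",
    "ec2:DescribeAddresses", "ec2:DescribeSecurityGroups", "sqs:GetQueueAttributes",
    "sqs:GetQueueUrl", "autoscaling:DescribeAutoScalingGroups",
    "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeScalingActivities",
    "autoscaling:DescribeNotificationConfigurations", "sns:Publish",
})
EB_SERVICE_PRINCIPAL = "elasticbeanstalk.amazonaws.com"

def _as_list(value):
    """IAM accepts a string or a list in most fields; normalize to a list."""
    return value if isinstance(value, list) else [value]

def trust_policy_findings(trust_doc):
    """Report every Allow/sts:AssumeRole principal other than the Elastic Beanstalk service."""
    findings = []
    for stmt in _as_list(trust_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # any principal may assume the role
            findings.append("wildcard principal")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind != "Service" or value != EB_SERVICE_PRINCIPAL:
                    findings.append(f"unexpected principal {kind}:{value}")
    return findings

def extra_actions(permissions_doc):
    """Return allowed actions outside the enhanced-health set; wildcards like ec2:* count as extra."""
    extra = set()
    for stmt in _as_list(permissions_doc.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            extra.update(a for a in _as_list(stmt.get("Action", [])) if a not in ENHANCED_HEALTH_ACTIONS)
    return sorted(extra)

# Constructed sample documents (placeholder account ID, not real data): the trust policy also
# lets an account root assume the role, and the permissions policy adds ec2:* and iam:PassRole.
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": EB_SERVICE_PRINCIPAL}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "sts:AssumeRole"}]}
SAMPLE_PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(ENHANCED_HEALTH_ACTIONS) + ["ec2:*", "iam:PassRole"], "Resource": "*"}]}
```

Against the samples, `trust_policy_findings` flags the account-root principal and `extra_actions` returns `["ec2:*", "iam:PassRole"]`; a role carrying exactly the managed policy and the default trust policy yields empty lists from both.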

Similarly, suppose that you create an environment using the eb create command of the Elastic Beanstalk Command Line Interface (EB CLI) and don't specify a service role through the --service-role option. Elastic Beanstalk creates the default service role aws-elasticbeanstalk-service-role. If the default service role already exists, Elastic Beanstalk uses it for the new environment.

Now assume that you create an environment by using the CreateEnvironment action of the Elastic Beanstalk API, and don't specify a service role. Then, Elastic Beanstalk creates a monitoring service-linked role. This is a unique type of service role that is predefined by Elastic Beanstalk to include all the permissions that the service requires to call other AWS services on your behalf. The service-linked role is associated with your account. Elastic Beanstalk creates it once, and then reuses it when creating additional environments. You can also use IAM to create the monitoring service-linked role for your account in advance. When your account has a monitoring service-linked role, you can use it to create an environment in the Elastic Beanstalk console or by using the Elastic Beanstalk API or the EB CLI. For instructions on how to use service-linked roles with Elastic Beanstalk environments, see Using service-linked roles for Elastic Beanstalk.

For more information about service roles, see Managing Elastic Beanstalk service roles.