Not able to use github action to deploy aws beanstalk, got s3 access denied error

Time:10-31

I have a GitHub action pipeline that can successfully create an S3 bucket and then upload my war file there, but when deploying to Beanstalk I always get an S3 access denied error. Below is my build.yml file:

# This workflow will build a package using Maven and then publish it to GitHub packages when a release is created
# For more information see: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#apache-maven-with-a-settings-path

name: Maven Package

on:
  pull_request:
    branches:
      - main
  push:
    branches:
      - develop

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write

    steps:
    - uses: actions/checkout@v2

    - name: Set up JDK 8
      uses: actions/setup-java@v2
      with:
        java-version: '8'
        distribution: 'adopt'
        server-id: github # Value of the distributionManagement/repository/id field of the pom.xml
        settings-path: ${{ github.workspace }} # location for the settings.xml file

    - name: Build with Maven
      run: mvn -B package --file pom.xml

    - name: make a new dir and upload war in there
      run: mkdir staging && cp -r target/* staging

    - uses: actions/upload-artifact@v2
      with:
        name: Package
        path: staging

    - name: list all files
      run: ls && cd target && ls

    - name: Publish to GitHub Packages Apache Maven
      run: mvn deploy -s $GITHUB_WORKSPACE/settings.xml
      env:
        GITHUB_TOKEN: ${{ github.token }}

    - name: Deploy to EB
      uses: einaregilsson/beanstalk-deploy@v18
      with:
       aws_access_key: ${{ secrets.AWS_ACCESS_KEY_ID }}
       aws_secret_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
       application_name: springbootwebapi
       environment_name: Springbootwebapi-env
       version_label: v1.0.10
       region: us-east-2
       deployment_package: target/login-0.0.2-SNAPSHOT.war

Below is a log snippet from the GitHub action:

No existing bucket name given, creating/requesting storage location
Uploading file to bucket elasticbeanstalk-us-east-2-148565102071
New build successfully uploaded to S3, bucket=elasticbeanstalk-us-east-2-148565102071, key=/springbootwebapi/v1-0-10.zip
Created new application version v1.0.10 in Beanstalk.
Starting deployment of version v1.0.10 to environment Springbootwebapi-env
Deployment started, "wait_for_deployment" was true...

18:17:02 INFO: Environment update is starting.
18:17:06 ERROR: Service:Amazon S3, Message:Access Denied
18:17:06 ERROR: Failed to deploy application.
18:17:07 ERROR: Service:Amazon S3, Message:Access Denied: S3Bucket=elasticbeanstalk-us-east-2-148565102071, S3Key=resources/environments/e-fp5bx3gtdn/_runtime/_versions/springbootwebapi/v1.0.10
18:17:13 ERROR: Deployment failed! Current State: Version: Sample Application, Health: Red, Health Status: Degraded
Error: Deployment failed: Error: Deployment failed! Current State: Version: Sample Application, Health: Red, Health Status: Degraded

I don't know why I got access denied even right after uploading successfully.

CodePudding user response:

The Elastic Beanstalk service role should have access to the elasticbeanstalk-us-east-2-148565102071 bucket. You can find the role name in the Configuration, Security section of your environment.

Read here for more details.

CodePudding user response:

As per docs, you need to attach the below policies for the AWS user to be able to deploy your project when using the GitHub action you have specified:

  1. AWSElasticBeanstalkWebTier
  2. AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy

Adding the above will fix the problem, while also ensuring that you have no future issues when using this GitHub action.
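
Added example, not part of the original question or answers: a small parser over the log lines quoted in the question (embedded below as sample input) that compares the object the action uploaded with the object named in the Access Denied event. The function name `triage` and the regular expressions are assumptions made for this illustration.

```python
import re

# Sample input: the action output and Beanstalk events quoted in the question.
SAMPLE_LOG = """\
New build successfully uploaded to S3, bucket=elasticbeanstalk-us-east-2-148565102071, key=/springbootwebapi/v1-0-10.zip
18:17:02 INFO: Environment update is starting.
18:17:06 ERROR: Service:Amazon S3, Message:Access Denied
18:17:06 ERROR: Failed to deploy application.
18:17:07 ERROR: Service:Amazon S3, Message:Access Denied: S3Bucket=elasticbeanstalk-us-east-2-148565102071, S3Key=resources/environments/e-fp5bx3gtdn/_runtime/_versions/springbootwebapi/v1.0.10
"""

UPLOAD_RE = re.compile(r"uploaded to S3, bucket=(?P<bucket>[^,\s]+), key=(?P<key>\S+)")
EVENT_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+): (?P<msg>.*)$")
DENIED_RE = re.compile(r"Access Denied: S3Bucket=(?P<bucket>[^,\s]+), S3Key=(?P<key>\S+)")


def triage(log_text):
    """Return the uploaded object, the denied objects, and how they relate."""
    uploaded, denied = None, []
    for line in log_text.splitlines():
        line = line.strip()
        up = UPLOAD_RE.search(line)
        if up:
            # Normalise the leading slash so keys compare consistently.
            uploaded = (up["bucket"], up["key"].lstrip("/"))
            continue
        ev = EVENT_RE.match(line)
        if not ev or ev["level"] != "ERROR":
            continue
        hit = DENIED_RE.search(ev["msg"])
        if hit:  # only events that name the bucket and key are actionable
            denied.append({"time": ev["time"], "bucket": hit["bucket"],
                           "key": hit["key"].lstrip("/")})
    return {
        "uploaded": uploaded,
        "denied": denied,
        "same_bucket": bool(denied) and all(
            bool(uploaded) and d["bucket"] == uploaded[0] for d in denied),
        "denied_is_uploaded_object": any(
            bool(uploaded) and (d["bucket"], d["key"]) == uploaded for d in denied),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the quoted log this reports the same bucket but a different key: the upload wrote `springbootwebapi/v1-0-10.zip`, while the denied request was for an object under `resources/environments/`, so the successful upload says nothing about access to the second object.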
