
[Fail Platform Update] - Automatic platform updates lack permissions and fail : ec2:CreateTags permission missing #343

Open
pmbi10231 opened this issue Nov 13, 2024 · 0 comments

pmbi10231 commented Nov 13, 2024

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

Hi,
The issue we are facing happens during automatic platform updates with the two default Beanstalk policies:

  • AWSElasticBeanstalkEnhancedHealth
  • AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy

Automatic platform updates are not possible with them.

errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::XXXXXXX:assumed-role/XXXXXXXXXX/elasticbeanstalk is not authorized to perform: ec2:CreateTags on resource: arn:aws:ec2:XXXXX:XXXXXXX:launch-template/*..."

Note that we followed the official documentation and tried with the default service role, aws-elasticbeanstalk-service-role, which didn't work either.

We are waiting for the AWS Beanstalk Service Team to consider our issue and eventually update the IAM permissions appropriately.

Thank you for your cooperation.

Are you currently working around this issue?

We had to attach a custom policy, "ec2-beanstalk-remediationtags-policy", to the service role used by Beanstalk:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:XXXXXX:XXXXXXXXXXXXX:*/*"
    }
  ]
}

Considering the operational overhead it creates, this is not acceptable for us.
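The workaround policy above grants ec2:CreateTags on every EC2 resource type in the account (`*/*`), while the error message only names launch templates. The script below is an added example written for this page, not code from the issue author or from AWS: it parses an AWS "not authorized to perform" message into its action and resource ARN, emits a statement scoped to that resource type only, and runs a small local matcher over both policies to show the difference in blast radius. The account id 123456789012, the region us-east-1, the launch template and instance ids, and the sample message itself are constructed placeholders; the matcher ignores Condition blocks and is a comparison aid, not a substitute for IAM's own evaluation.

```python
"""Derive a least-privilege statement from an IAM AccessDenied message and
compare it locally with a broader workaround policy.

Added example for this page; not code from the issue author or from AWS.
All account ids, regions and resource ids below are constructed placeholders.
"""
import fnmatch
import json
import re

# Constructed sample modelled on the error quoted in the issue (fake ids).
SAMPLE_ERROR = (
    "You are not authorized to perform this operation. User: "
    "arn:aws:sts::123456789012:assumed-role/aws-elasticbeanstalk-service-role/"
    "elasticbeanstalk is not authorized to perform: ec2:CreateTags on resource: "
    "arn:aws:ec2:us-east-1:123456789012:launch-template/lt-0abc123def4567890"
)

# The issue's workaround policy with the placeholders filled with the fake ids.
WORKAROUND_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:CreateTags",
         "Resource": "arn:aws:ec2:us-east-1:123456789012:*/*"}
    ],
}

_DENIAL_RE = re.compile(
    r"not authorized to perform: (?P<action>[\w-]+:[\w*]+) on resource: (?P<resource>\S+)"
)


def parse_denial(message):
    """Return (action, resource_arn) from an AWS 'not authorized to perform' message."""
    m = _DENIAL_RE.search(message)
    if m is None:
        raise ValueError("not an IAM AccessDenied message")
    return m["action"], m["resource"].rstrip(".")


def minimal_statement(action, resource_arn):
    """Allow exactly the denied action on the denied resource *type* only.
    The resource id becomes '*' because managed updates create new launch
    templates whose ids are not known when the policy is written."""
    resource_type, sep, _ = resource_arn.rpartition("/")
    if not sep:
        raise ValueError("expected an ARN with a type/id suffix")
    return {"Effect": "Allow", "Action": action, "Resource": f"{resource_type}/*"}


def narrow_policy(message):
    """Build a one-statement policy from a denial message."""
    return {"Version": "2012-10-17", "Statement": [minimal_statement(*parse_denial(message))]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, *, fold_case):
    # IAM wildcards are '*' and '?'; action names are case-insensitive, ARNs are not.
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource_arn):
    """Minimal local evaluator: explicit Deny wins, any matching Allow grants,
    otherwise implicit deny.  Conditions, NotAction and NotResource are not
    modelled, so such statements are rejected rather than silently misjudged."""
    decision = False
    for stmt in policy["Statement"]:
        if any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
            raise NotImplementedError("evaluator handles plain Action/Resource statements only")
        act_hit = any(_matches(p, action, fold_case=True) for p in _as_list(stmt["Action"]))
        res_hit = any(_matches(p, resource_arn, fold_case=False) for p in _as_list(stmt["Resource"]))
        if act_hit and res_hit:
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def blast_radius(policy, probes):
    """Map each (action, arn) probe to the local evaluator's decision."""
    return {f"{a} {r}": is_allowed(policy, a, r) for a, r in probes}


PROBES = [  # constructed ARNs in the same fake account
    ("ec2:CreateTags", "arn:aws:ec2:us-east-1:123456789012:launch-template/lt-0abc123def4567890"),
    ("ec2:CreateTags", "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"),
    ("ec2:CreateTags", "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0123456789abcdef0"),
    ("ec2:DeleteTags", "arn:aws:ec2:us-east-1:123456789012:launch-template/lt-0abc123def4567890"),
]

if __name__ == "__main__":
    narrow = narrow_policy(SAMPLE_ERROR)
    print(json.dumps(narrow, indent=2))
    for name, pol in (("workaround", WORKAROUND_POLICY), ("narrow", narrow)):
        print(name, json.dumps(blast_radius(pol, PROBES), indent=2))
```

The narrowed statement only covers what the quoted error proves is needed, tagging launch templates. If a later managed update is denied on a different resource type, the new error message names it and the same parse-and-scope step applies; that keeps each grant tied to an observed denial instead of `*/*`. Run the real policies through the IAM policy simulator before relying on them, since this matcher deliberately skips Condition evaluation.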
