
Elastic Beanstalk Environment Creation Error due to disabled ACLs in S3 bucket


I am creating a new Elastic Beanstalk environment using the command line with the eb create command in a region I haven't targeted before (us-east-2). As a result, the Elastic Beanstalk process created a new S3 bucket. However, the process failed with the following error: "Service:Amazon S3, Message:The bucket does not allow ACLs".

2023-04-18 21:44:58    INFO    createEnvironment is starting.
2023-04-18 21:44:59    INFO    Using elasticbeanstalk-us-east-2-275540591990 as Amazon S3 storage bucket for environment data.
2023-04-18 21:45:00    ERROR   Service:Amazon S3, Message:The bucket does not allow ACLs
2023-04-18 21:45:00    ERROR   Failed to launch environment.

I confirmed in the AWS Console that the S3 bucket listed above indeed has ACLs disabled, which is the new default setting for new S3 buckets in April 2023 (more info: https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html). It seems that one method to make this work again is to enable the ACLs in the AWS Console for this bucket (elasticbeanstalk-us-east-2-275540591990). However, is re-enabling ACLs the recommended way to resolve this for Elastic Beanstalk? Or is the recommended way to keep using Object Ownership (ACLs disabled) since the AWS documentation suggests that?

I tried creating a bucket policy in IAM that gives read/write/list permissions to the bucket, and attached it to the "aws-elasticbeanstalk-service-role". Then I re-attempted the creation (eb create). However, it failed with the exact same error. I notice there is also an "aws-elasticbeanstalk-ec2-role", but my hunch was that wouldn't resolve the error. Any help is greatly appreciated.

Edit: I confirmed that this started working again when I re-enabled the ACLs for the bucket and re-executed the eb create command. So, currently I am operating under the assumption that Elastic Beanstalk requires the ACLs to be enabled for the bucket where it is storing configuration. If this is the case, it would be a helpful note to add on their documentation.

Edit2: To activate ACLs on the bucket in the AWS Console, navigate to S3, then click on the bucket shown in the warning (i.e. "elasticbeanstalk-us-east-2-275540591990" in this example). Then, click the "Permissions" tab, and scroll to the "Object Ownership" section. It will show "Bucket owner enforced...ACLs are disabled.". Click the "Edit" button on the right, activate "ACLs enabled", and then click the checkbox to "I acknowledge that ACLs will be restored" and finally "Save changes". Afterwards, running the eb create command should be successful.


Solution


    Steps:

    1. Login to AWS
    2. Go to S3
    3. Click on your EB bucket (format: elasticbeanstalk-{region}-{accountNumber})
    4. Navigate to "Permissions"
    5. Go down to "Object Ownership"
    6. Click Edit, and switch to "ACLs enabled"
    7. Click the checkbox next to "I acknowledge that ACLs will be restored"
    8. Save changes
    9. It should work or at least give you a different error

    Context: The solution is to add a bucket ACL to your Elastic Beanstalk S3 bucket. The steps for the solution are below. This has to be done with the account's Elastic Beanstalk S3 bucket. For example, change the ACLs on elasticbeanstalk-{region}-{accountNumber} and NOT necessarily the bucket where you deploy. Specifically, I was using a Bitbucket pipeline to deploy my Elastic Beanstalk application to my own S3 bucket. The ACLs on the bucket where you have the application do not matter. You just have to enable ACLs on the EB bucket and it should work. Also, I'm not sure if it was a fluke, but I had to change the settings twice, so I would double check that the S3 bucket really does have ACLs enabled if it still errors out.
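
The console steps above, expressed with the AWS CLI as an added example (not part of the original question or answer). The function names are hypothetical. The choice of BucketOwnerPreferred as the "ACLs enabled" setting is an assumption, and the script re-reads the setting after changing it so that a change that did not stick is detected.

```shell
#!/bin/sh
# Added example: check, and optionally enable, ACLs on the Elastic Beanstalk
# service bucket only. Needs s3:GetBucketOwnershipControls and
# s3:PutBucketOwnershipControls on that one bucket.

# Build the bucket name in the elasticbeanstalk-{region}-{accountNumber} format.
eb_bucket_name() {  # usage: eb_bucket_name <region>
    account=$(aws sts get-caller-identity --query Account --output text) || return 1
    printf 'elasticbeanstalk-%s-%s\n' "$1" "$account"
}

# Print "disabled", "enabled" or "unknown" for the bucket's Object Ownership.
eb_bucket_acl_state() {  # usage: eb_bucket_acl_state <bucket>
    out=$(aws s3api get-bucket-ownership-controls --bucket "$1" \
        --query 'OwnershipControls.Rules[0].ObjectOwnership' \
        --output text 2>&1) || {
        case "$out" in
            # No ownership controls at all: ACLs are active on such a bucket.
            *OwnershipControlsNotFoundError*) echo enabled; return 0 ;;
            # Access denied, missing bucket, etc.: do not guess.
            *) echo unknown; return 1 ;;
        esac
    }
    case "$out" in
        BucketOwnerEnforced) echo disabled ;;               # "ACLs are disabled"
        BucketOwnerPreferred|ObjectWriter) echo enabled ;;
        *) echo unknown; return 1 ;;
    esac
}

# Switch the bucket to "ACLs enabled", then verify by reading the value back.
eb_bucket_enable_acls() {  # usage: eb_bucket_enable_acls <bucket>
    aws s3api put-bucket-ownership-controls --bucket "$1" \
        --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerPreferred}]' \
        || return 1
    [ "$(eb_bucket_acl_state "$1")" = enabled ]
}

# Typical use before re-running "eb create":
#   bucket=$(eb_bucket_name us-east-2)
#   [ "$(eb_bucket_acl_state "$bucket")" = disabled ] && eb_bucket_enable_acls "$bucket"
```

Only the Elastic Beanstalk service bucket is touched; other buckets in the account can stay on the "ACLs disabled" default.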