Created a user, nola2016, to avoid using the main account credentials as recommended.
I don't understand AWS permissions, and their documentation is not helpful. Gave the nola2016 user full admin access because it was easier than tracking down what I needed to solve ERROR: Unable to assign role. Please verify that you have permission to pass this role: aws-elasticbeanstalk-service-role. Otherwise, the instructions linked above work more or less well.
FINALLY got sinatra to connect to postgres, was getting some weird af issues using a helper method in the Sinatra::Base extension class. (those issues are still unresolved, but also reproduce locally) - fixed now
The assets path requires a workaround. The default nginx config redirects /assets to /public/assets. We use Sprockets to dynamically compile and serve assets from the /assets directory, so redirecting like this breaks everything. If we precompiled assets we could theoretically place them in /public/assets.
Solution: We could remove the redirect from the nginx config. The file to change is /opt/elasticbeanstalk/support/conf/webapp_healthd.conf, which is symlinked to from /etc/nginx/conf.d/webapp_healthd.conf. Relying on this StackOverflow answer, I have a container-command to copy our nginx config into the location AWS is using. The config is the same as theirs minus the redirect. Also need to add an nginx restart to have the changes take effect, but the config does stick across deploys. (So it could be changed to only restart on leader_only aka a single instance. I think this is what leader_only is for.)