What are the appropriate S3 permissions to deploy on Elastic Beanstalk from CodeShip

What are the appropriate S3 permissions for deploying to Elastic Beanstalk using CodeShip? When deploying a new version of Tomcat, I get the following errors:

Service: Amazon S3, Message: You do not have permission to execute Action 's3:ListBucket'. Ensure that your S3 policies and your ACLs allow you to complete these steps.

Service: Amazon S3, Message: You do not have permission to execute the 's3:GetObject' or the 's3:ListBucket' action. Verify that your S3 policies and ACLs allow you to complete these steps.

If I give the CodeShip user full access to S3, everything will work, but it’s not perfect. Current S3 permissions for my CodeShip user:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:ListBucket",
            "s3:DeleteObject",
            "s3:GetBucketPolicy"
          ],
          "Resource": [
            "arn:aws:s3:::codeshipbucket/*"
          ]
        }
      ]
    }

My S3 bucket, which I gave CodeShip, is a subfolder under codeshipbucket, if that matters.

What are the relevant permissions?

+5
2 answers

In our internal tests, we were able to deploy to Elastic Beanstalk with only the following S3 permissions:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject"
          ],
          "Resource": [
            "arn:aws:s3:::YOUR_S3_BUCKET_NAME/*"
          ]
        }
      ]
    }

This is also what we recommend in our documentation at https://codeship.com/documentation/continuous-deployment/deployment-to-elastic-beanstalk/#s3

However, one of our great users has published a very detailed deployment guide for Elastic Beanstalk, available at http://nudaygames.squarespace.com/blog/2014/5/26/deploying-to-elastic-beanstalk-from-your-continuous-integration-system, and recommends a wider set of S3 permissions.

Disclaimer: I work at Codeship, but you probably already figured it out from my answer.

+2

These are the S3 permissions that we had to give the IAM user used by Codeship:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "s3:CreateBucket",
            "s3:GetObject"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Action": [
            "s3:ListBucket",
            "s3:GetObjectAcl",
            "s3:GetBucketPolicy",
            "s3:DeleteObject",
            "s3:PutObject",
            "s3:PutObjectAcl"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::elasticbeanstalk-[region]-[account-id]",
            "arn:aws:s3:::elasticbeanstalk-[region]-[account-id]/*"
          ]
        }
      ]
    }

We ran eb deploy --debug and added permissions one by one.

+2
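The two policies on this page differ in a way that explains the original error: s3:ListBucket is evaluated against the bucket ARN (arn:aws:s3:::bucket), not against object ARNs (arn:aws:s3:::bucket/*), so the question's policy, which only names codeshipbucket/*, can never satisfy a ListBucket call, and it names the wrong bucket anyway, since Elastic Beanstalk stages application versions in its own elasticbeanstalk-[region]-[account-id] bucket. The following added example (written for this page, not code from CodeShip or from either answer) is a small offline IAM policy evaluator that checks a policy against the (action, resource) pairs a deployment needs. The region, account id and object key it uses are constructed placeholder values, and the request list is assumed from the actions named in the error messages above.

```python
"""Offline check of which S3 requests an IAM policy allows (added example)."""
import fnmatch
import json

# Constructed sample: the question's policy, which lists s3:ListBucket but
# only grants it on object ARNs (codeshipbucket/*), never on the bucket itself.
QUESTION_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow",
    "Action": [ "s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectAcl",
                "s3:ListBucket", "s3:DeleteObject", "s3:GetBucketPolicy" ],
    "Resource": [ "arn:aws:s3:::codeshipbucket/*" ] } ] }
""")

# Constructed sample: the second answer's policy with the [region] and
# [account-id] placeholders filled with made-up values.
EB_BUCKET = "arn:aws:s3:::elasticbeanstalk-us-east-1-123456789012"
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:CreateBucket", "s3:GetObject"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObjectAcl", "s3:GetBucketPolicy",
                    "s3:DeleteObject", "s3:PutObject", "s3:PutObjectAcl"],
         "Resource": [EB_BUCKET, EB_BUCKET + "/*"]},
    ],
}

# Assumed request set: one bucket-level and two object-level calls, mirroring the
# actions named in the deployment errors (object key is a constructed value).
EB_DEPLOY_REQUESTS = [
    ("s3:ListBucket", EB_BUCKET),
    ("s3:GetObject", EB_BUCKET + "/app-version.war"),
    ("s3:PutObject", EB_BUCKET + "/app-version.war"),
]


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM wildcard matching: '*' matches any run of characters, '?' one character."""
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """True if the policy grants `action` on `resource`; an explicit Deny wins."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(_matches(a, action.lower()) for a in actions):
            continue
        if not any(_matches(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_permissions(policy, requests):
    """Return the (action, resource) pairs from `requests` that the policy does not allow."""
    return [(a, r) for a, r in requests if not is_allowed(policy, a, r)]


if __name__ == "__main__":
    for name, policy in (("question", QUESTION_POLICY), ("answer", ANSWER_POLICY)):
        gaps = missing_permissions(policy, EB_DEPLOY_REQUESTS)
        print(f"{name} policy: {'deploy would succeed' if not gaps else 'missing ' + str(gaps)}")
    # The question's own bucket illustrates the bucket-vs-object ARN distinction.
    print("ListBucket on codeshipbucket with question policy:",
          is_allowed(QUESTION_POLICY, "s3:ListBucket", "arn:aws:s3:::codeshipbucket"))
```

Running the script shows the question's policy failing all three deployment requests (and even ListBucket on codeshipbucket itself), while the second answer's policy passes them. It also makes the cost of the answer's "Resource": "*" statement visible: the evaluator will report s3:CreateBucket and s3:GetObject as allowed on any bucket in the account, which is worth narrowing to the Elastic Beanstalk bucket once the deploy works.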
