I tested my continuous deployment setup, trying to find the minimum set of IAM permissions that would allow my CI group II to deploy to my "staging" Elastic Beanstalk environment.
In my last test, my deployment was stuck. Last event in the console:
Updating environment staging configuration settings.
Fortunately, deployment will be turned off after 30 minutes, so the environment can be deployed again.
This seems to be a permissions issue, because if I provide s3:* for all resources, the deployment works. It seems that when calling UpdateEnvironment, Elastic Beanstalk does something on S3, but I can't figure that out.
I tried the following policy to give EB full access to my resource:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT/resources/_runtime/_embedded_extensions/APP",
        "arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT/resources/_runtime/_embedded_extensions/APP/*",
        "arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT/resources/environments/ENV_ID",
        "arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT/resources/environments/ENV_ID/*"
      ]
    }
  ]
}

Where REGION, ACCOUNT, APP and ENV_ID are my AWS region, account number, application name, and environment identifier, respectively.
Does anyone know which S3 action and resource EB is trying to access?
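An added example, not part of the original post: a small offline matcher that checks which S3 requests the policy above covers, using IAM's wildcard rules for `Action` and `Resource`. The sample requests and their key names are constructed and are not a record of what Elastic Beanstalk calls; the matcher assumes no `Condition`, `NotAction` or `NotResource` elements.

```python
import re

# Policy from the post, with its REGION/ACCOUNT/APP/ENV_ID placeholders kept.
BUCKET = "arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:*"],
        "Resource": [
            BUCKET + "/resources/_runtime/_embedded_extensions/APP",
            BUCKET + "/resources/_runtime/_embedded_extensions/APP/*",
            BUCKET + "/resources/environments/ENV_ID",
            BUCKET + "/resources/environments/ENV_ID/*",
        ],
    }],
}

def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def is_allowed(policy, action, resource):
    """True if an Allow statement matches and no Deny statement does."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        # Action names are case-insensitive; resource ARNs are not.
        hit = (any(_match(a, action, True) for a in _as_list(st["Action"]))
               and any(_match(r, resource) for r in _as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed

# Constructed requests for illustration only.
SAMPLE_REQUESTS = [
    ("s3:PutObject", BUCKET + "/resources/environments/ENV_ID/constructed.json"),
    ("s3:GetObject", BUCKET + "/resources/environments/logs/constructed.log"),
    ("s3:ListBucket", BUCKET),          # bucket-level actions use the bucket ARN
    ("s3:GetBucketLocation", BUCKET),
]

def uncovered(policy, requests):
    """Requests that would fall through to an implicit deny."""
    return [(a, r) for a, r in requests if not is_allowed(policy, a, r)]
```

Bucket-level actions such as `s3:ListBucket` are evaluated against the bucket ARN itself, so a statement that lists only object-key ARNs does not match them even with `s3:*`.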