IAM Developer Permissions for Beanstalk

I'm trying to figure out what permissions I need to configure so that a developer can run eb deploy, eb logs and eb ssh against a specific EB environment. I want to set it up so that all developers can deploy to and debug our development environment, but only one of them can deploy to and debug the wizard.

I also want it to be locked so that they cannot affect other EC2 instances, RDS instances, S3 buckets, Load Balancers, etc.

Has anyone managed to put together an IAM policy (or two ...) for this?

Tags: amazon-iam, elastic-beanstalk, amazon-elastic-beanstalk

2 answers

Elastic Beanstalk sits on top of many AWS services. You must grant all the specific permissions on the AWS resources that Elastic Beanstalk uses to read and update the environment, including:

  • CloudFormation
  • EC2
  • Auto Scaling groups
  • Elastic Load Balancing
  • CloudWatch
  • S3
  • SNS
  • RDS
  • SQS
  • Elastic Beanstalk

This is a minimal policy that lets IAM users read, update, deploy to and ssh into Elastic Beanstalk environments:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ElasticBeanstalkReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:List*",
        "cloudwatch:Get*",
        "s3:Get*",
        "s3:List*",
        "sns:Get*",
        "sns:List*",
        "cloudformation:Describe*",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudformation:Validate*",
        "cloudformation:Estimate*",
        "rds:Describe*",
        "sqs:Get*",
        "sqs:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ElasticBeanstalkDeployAccess",
      "Effect": "Allow",
      "Action": [
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "autoscaling:UpdateAutoScalingGroup",
        "cloudformation:UpdateStack",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticbeanstalk:CreateStorageLocation",
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:CreateConfigurationTemplate",
        "elasticbeanstalk:UpdateApplicationVersion",
        "elasticbeanstalk:UpdateConfigurationTemplate",
        "elasticbeanstalk:UpdateEnvironment",
        "elasticbeanstalk:ValidateConfigurationSettings",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

The above policy gives IAM users read-only and deploy-only access to any Elastic Beanstalk environment and its related services.

If you want to restrict user access to specific AWS resources, you need to specify the ARNs and conditions yourself. For example:

  • Limit S3 resources to something like arn:aws:s3:::elasticbeanstalk-us-east-1-123456789012/* (the Elastic Beanstalk S3 bucket).
  • Scope EC2 with a resource tag condition (for example: elasticbeanstalk:environment-name).
  • You can also specify the AWS region in the ARN.

Here is what I am using. It's not perfect, but it gives you an idea of what you can do. Obviously there is more to narrow down, but it's enough for me for now.

The first statement covers things they can't do much harm with, so I allow full access to those for now. (I need to make S3 more granular.)

I needed elasticloadbalancing:DeregisterInstancesFromLoadBalancer, so I added that, but restricted it to the eu-west-1 region. That's fine for now, since that's the only region they are in.

The third and fourth statements are for the two Elastic Beanstalk applications they need access to.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:List*",
        "cloudwatch:Get*",
        "s3:Get*",
        "s3:List*",
        "sns:Get*",
        "sns:List*",
        "cloudformation:Describe*",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudformation:Validate*",
        "cloudformation:Estimate*",
        "rds:Describe*",
        "elasticbeanstalk:CreateStorageLocation",
        "sqs:Get*",
        "sqs:List*",
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:DescribeAutoScalingGroups",
        "cloudformation:UpdateStack",
        "cloudformation:DescribeStacks",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
      ],
      "Resource": [
        "arn:aws:elasticloadbalancing:eu-west-1:12345678910:loadbalancer/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:CreateConfigurationTemplate",
        "elasticbeanstalk:UpdateApplicationVersion",
        "elasticbeanstalk:UpdateConfigurationTemplate",
        "elasticbeanstalk:UpdateEnvironment",
        "elasticbeanstalk:DescribeEnvironmentResources",
        "elasticbeanstalk:ValidateConfigurationSettings"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:eu-west-1:12345678910:application/My App"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:CreateConfigurationTemplate",
        "elasticbeanstalk:UpdateApplicationVersion",
        "elasticbeanstalk:UpdateConfigurationTemplate",
        "elasticbeanstalk:UpdateEnvironment",
        "elasticbeanstalk:DescribeEnvironmentResources",
        "elasticbeanstalk:ValidateConfigurationSettings"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:eu-west-1:12345678910:application/My Second App"
          ]
        }
      }
    }
  ]
}
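Both answers above stop at the application level and still grant the deployer write actions on Auto Scaling groups, CloudFormation stacks and security groups across the whole account. The Python below is an added example, not code from the question or either answer: it builds the per-environment policy the question asks for by combining the scoping hints from both answers (elasticbeanstalk:InApplication for version and template writes, as in the second answer; the environment ARN as the resource for UpdateEnvironment and the log-retrieval calls; the Elastic Beanstalk S3 bucket ARN and an ec2:ResourceTag/elasticbeanstalk:environment-name condition for the security-group change eb ssh makes, as the first answer's bullets suggest), and it audits any policy document for Allow statements that grant write actions on Resource "*" with no Condition, which is exactly where the posted policies leak privilege. The account ID, region, application and environment names are placeholders. It also assumes the environment has a service role, so the developer does not need the CloudFormation and Auto Scaling write actions the answers include; if eb deploy fails with AccessDenied on those, add them scoped to the environment's stack and group ARNs rather than to "*".

```python
"""Least-privilege Elastic Beanstalk deploy policy for one environment, plus an
audit that flags statements granting write actions on every resource.

Added example; not code from the question or either answer. Account ID, region,
application and environment names are placeholders (assumptions)."""
import json

# Actions that only read state; safe to grant on Resource "*".
# CreateStorageLocation is included because the EB CLI calls it to find the
# account's Beanstalk bucket; it has no resource to scope to and is harmless.
READ_ACTIONS = [
    "elasticbeanstalk:Check*", "elasticbeanstalk:Describe*", "elasticbeanstalk:List*",
    "elasticbeanstalk:CreateStorageLocation",
    "ec2:Describe*", "elasticloadbalancing:Describe*", "autoscaling:Describe*",
    "cloudwatch:Describe*", "cloudwatch:List*", "cloudwatch:Get*",
    "cloudformation:Describe*", "cloudformation:Get*", "cloudformation:List*",
    "cloudformation:Validate*", "cloudformation:Estimate*",
    "rds:Describe*", "sns:Get*", "sns:List*", "sqs:Get*", "sqs:List*",
]
# Application-level writes (eb deploy creates a new application version).
APP_WRITE_ACTIONS = [
    "elasticbeanstalk:CreateApplicationVersion", "elasticbeanstalk:UpdateApplicationVersion",
    "elasticbeanstalk:CreateConfigurationTemplate", "elasticbeanstalk:UpdateConfigurationTemplate",
    "elasticbeanstalk:ValidateConfigurationSettings",
]
# Environment-level actions: deploy (UpdateEnvironment) and eb logs (the *EnvironmentInfo pair).
ENV_ACTIONS = [
    "elasticbeanstalk:UpdateEnvironment",
    "elasticbeanstalk:RequestEnvironmentInfo",
    "elasticbeanstalk:RetrieveEnvironmentInfo",
]
# Action-name prefixes the audit treats as harmless on Resource "*"; anything else is a write.
HARMLESS_PREFIXES = ("Describe", "List", "Get", "Check", "Validate", "Estimate",
                     "RequestEnvironmentInfo", "RetrieveEnvironmentInfo", "CreateStorageLocation")


def scoped_deploy_policy(account, region, app, env):
    """Policy letting a developer deploy to, fetch logs from and ssh into one environment."""
    app_arn = f"arn:aws:elasticbeanstalk:{region}:{account}:application/{app}"
    env_arn = f"arn:aws:elasticbeanstalk:{region}:{account}:environment/{app}/{env}"
    bucket = f"arn:aws:s3:::elasticbeanstalk-{region}-{account}"  # EB's per-region bucket
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadOnly", "Effect": "Allow", "Action": READ_ACTIONS, "Resource": "*"},
            # Version/template writes are application-scoped; key them on InApplication.
            {"Sid": "WritesInOneApplication", "Effect": "Allow",
             "Action": APP_WRITE_ACTIONS, "Resource": "*",
             "Condition": {"StringEquals": {"elasticbeanstalk:InApplication": [app_arn]}}},
            # Only this environment may be updated or have its logs pulled.
            {"Sid": "DeployAndLogsInOneEnvironment", "Effect": "Allow",
             "Action": ENV_ACTIONS, "Resource": [env_arn]},
            # eb deploy uploads the bundle to, and eb logs reads log bundles from, this bucket.
            {"Sid": "EbBucketOnly", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                        "s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": [bucket, f"{bucket}/*"]},
            # eb ssh opens port 22 on the environment's security group. Beanstalk tags what
            # it creates with elasticbeanstalk:environment-name, so key the grant on that tag
            # instead of allowing ingress changes on every security group in the account.
            {"Sid": "SshOnEnvironmentSecurityGroup", "Effect": "Allow",
             "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress"],
             "Resource": f"arn:aws:ec2:{region}:{account}:security-group/*",
             "Condition": {"StringEquals": {
                 "ec2:ResourceTag/elasticbeanstalk:environment-name": env}}},
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def overly_broad_statements(policy):
    """Return (Sid, write_actions) for each Allow statement that grants a non-read action
    on Resource "*" with no Condition: the spots where least privilege leaks."""
    hits = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if "*" not in _as_list(st.get("Resource")):
            continue
        writes = [a for a in _as_list(st.get("Action"))
                  if not a.split(":", 1)[-1].startswith(HARMLESS_PREFIXES)]
        if writes:
            hits.append((st.get("Sid", f"Statement[{i}]"), writes))
    return hits


# Constructed, cut-down copy of the first answer's two statements for the audit to run on.
ANSWER_DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ElasticBeanstalkReadOnlyAccess", "Effect": "Allow",
         "Action": ["ec2:Describe*", "s3:Get*", "s3:List*"], "Resource": "*"},
        {"Sid": "ElasticBeanstalkDeployAccess", "Effect": "Allow",
         "Action": ["autoscaling:UpdateAutoScalingGroup", "cloudformation:UpdateStack",
                    "ec2:AuthorizeSecurityGroupIngress", "s3:DeleteObject"],
         "Resource": ["*"]},
    ],
}

if __name__ == "__main__":
    print("broad statements in the first answer's policy:",
          overly_broad_statements(ANSWER_DEPLOY_POLICY))
    dev = scoped_deploy_policy("123456789012", "eu-west-1", "My App", "dev")
    print("broad statements in the scoped policy:", overly_broad_statements(dev))
    print(json.dumps(dev, indent=2))
```

For the question's setup, attach the policy generated for the development environment to the developers' group and the one generated for the wizard environment to the single user who may deploy there; the read-only statement is shared, so every developer can still see both environments, but only the user with the second policy can call UpdateEnvironment on the wizard's ARN. Running the audit on either posted policy flags the unconditioned "*" statements, which is the check to repeat whenever the policy is edited.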
