
I've created a "Programmatic access" user with full read and list permissions on Elastic Beanstalk, provided by a Policy I've created specifically. This means that when I go to the Policy Summary page I see:

  • Service: Elastic Beanstalk
  • Access level: Full: List, Read
  • Resource: All resources
  • Request condition: None

The describe-environments command works fine: aws elasticbeanstalk describe-environments.

However, the describe-configuration-settings fails. Here's how I'm running it: aws elasticbeanstalk describe-configuration-settings --application-name my-app-name --environment-name my-app-name-uat.

The same error happened when using the Java SDK, but the commands above, as expected, have a similar behaviour.

Just as an additional note, the command aws sts get-caller-identity returns the correct user, so I'm positive I'm using the credentials I expect.

Does anyone know if I'm missing any other permission, or are there any tips on how to proceed with my investigation? I wanted to restrict the permissions for that user as much as possible.

Thanks in advance.

RA.
  • Pretty sure the CloudTrail(?) API access logs will show you what action was being tried, and from there you can figure out what permission needs to be granted. – womble Apr 17 '19 at 08:15
  • @womble: That's a very good tip. It turns out it requires `GetBucketLocation` and `CreateBucket` events, for which the user didn't have permissions. If you want to reply to the question I'll mark it as the accepted answer. Thanks. – RA. Apr 17 '19 at 08:54
  • The bottom line is: I needed read/list permissions on S3 and `DescribeSubnets` on EC2. – RA. Apr 17 '19 at 10:40

2 Answers

You might need permissions to S3 buckets.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "s3:*"
                ],
                "Resource": "arn:aws:s3:::elasticbeanstalk-*",
                "Effect": "Allow"
            }
        ]
    }
hirose y

Whilst I don't know exactly what permissions are required for this specific operation, there's CloudTrail (or some similarly named) logs available for all API operations done in an account. Going over those will tell you exactly what calls are being made, and from there you can determine what additional permissions you need to grant in order to have your operation work.

This process works so well, for all AWS services, that I've given up trying to divine permissions from the documentation; these days I usually just create a new user/keypair with no perms, then progressively add permissions as things fail.

womble
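The workflow womble describes (read the CloudTrail records for the failing call, collect the denied actions, grant only those) and the S3 statement in the first answer can be combined into a small script. This is an added example written for this thread, not code from either answer: it parses CloudTrail records in the JSON "Records" format, picks out the authorization failures for one IAM user, and emits an IAM policy document with one Allow statement per service. The records below are constructed sample data modelled on the calls reported in the comments (an S3 `GetBucketLocation` and an EC2 `DescribeSubnets` denied while `DescribeConfigurationSettings` runs); the user name `eb-readonly` and the bucket name are placeholders. The only resource scoping applied is the `arn:aws:s3:::elasticbeanstalk-*` ARN from the first answer; everything else defaults to `*`, which is also what EC2 `Describe*` actions require.

```python
"""Derive a least-privilege IAM policy from CloudTrail authorization failures.

Added example for this thread (not code from the original posts). Assumes
CloudTrail records as found in a trail's JSON log files ("Records" array).
"""
import json
from collections import defaultdict

# Constructed sample CloudTrail records, not real log data. Field names follow
# the CloudTrail record format; user and bucket names are placeholders.
SAMPLE_TRAIL = json.dumps({
    "Records": [
        {   # the call the user actually typed: succeeds at the EB API layer
            "eventSource": "elasticbeanstalk.amazonaws.com",
            "eventName": "DescribeConfigurationSettings",
            "userIdentity": {"type": "IAMUser", "userName": "eb-readonly"},
            "requestParameters": {"applicationName": "my-app-name",
                                  "environmentName": "my-app-name-uat"},
        },
        {   # S3 call made in the caller's context, denied
            "eventSource": "s3.amazonaws.com",
            "eventName": "GetBucketLocation",
            "userIdentity": {"type": "IAMUser", "userName": "eb-readonly"},
            "errorCode": "AccessDenied",
            "errorMessage": "Access Denied",
            "requestParameters": {"bucketName": "elasticbeanstalk-PLACEHOLDER"},
        },
        {   # EC2 call made in the caller's context, denied (EC2 wording differs)
            "eventSource": "ec2.amazonaws.com",
            "eventName": "DescribeSubnets",
            "userIdentity": {"type": "IAMUser", "userName": "eb-readonly"},
            "errorCode": "Client.UnauthorizedOperation",
            "errorMessage": "You are not authorized to perform this operation.",
        },
        {   # a denial for a different principal; must be ignored
            "eventSource": "s3.amazonaws.com",
            "eventName": "GetBucketLocation",
            "userIdentity": {"type": "IAMUser", "userName": "someone-else"},
            "errorCode": "AccessDenied",
        },
    ]
})

# Error codes CloudTrail records for authorization failures; services differ.
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation", "UnauthorizedOperation"}

# Resource scoping per service prefix; anything not listed gets "*".
# The S3 ARN pattern is the one from the first answer in the thread.
RESOURCE_SCOPE = {"s3": "arn:aws:s3:::elasticbeanstalk-*"}


def service_prefix(event_source):
    """Map an eventSource like 'ec2.amazonaws.com' to the IAM prefix 'ec2'."""
    return event_source.split(".", 1)[0]


def denied_actions(trail_json, user_name):
    """Return the set of IAM actions (e.g. 's3:GetBucketLocation') that were
    denied for user_name in the given CloudTrail records."""
    records = json.loads(trail_json)["Records"]
    actions = set()
    for rec in records:
        if rec.get("userIdentity", {}).get("userName") != user_name:
            continue
        if rec.get("errorCode") not in DENIED_CODES:
            continue
        actions.add(f"{service_prefix(rec['eventSource'])}:{rec['eventName']}")
    return actions


def build_policy(actions):
    """Group the actions by service into one Allow statement each, applying
    the resource scope where one is known."""
    by_service = defaultdict(list)
    for action in sorted(actions):
        by_service[action.split(":", 1)[0]].append(action)
    statements = [
        {"Effect": "Allow", "Action": acts,
         "Resource": RESOURCE_SCOPE.get(svc, "*")}
        for svc, acts in sorted(by_service.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    missing = denied_actions(SAMPLE_TRAIL, "eb-readonly")
    print(json.dumps(build_policy(missing), indent=2))
```

Run it once against the exported trail for the time window of a failing `describe-configuration-settings` call, attach the printed statements to the user's policy, rerun the command and repeat until no denials remain; this is the "start with no permissions and add as things fail" loop from the second answer, with the denied actions read from the log instead of guessed.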