I have been trying to figure out what permissions I need to set to let a developer do eb deploy, eb logs and eb ssh on a particular EB environment. I want to set it so that all the developers can do deploy and debug on our develop environment, but that only one can do deploy and debug master.

I also want it locked down so that they can't affect any other EC2 instances, RDS instances, S3 buckets, load balancers and so on.

Has anybody managed to put together an IAM policy (or two...) for this?

Gustaf

3 Answers

Elastic Beanstalk composes many AWS services. You need to grant specific permissions on all the AWS resources that Elastic Beanstalk uses to read and update the environment, including:

  • CloudFormation
  • EC2
  • Auto Scaling Group
  • Elastic Load Balancer
  • CloudWatch
  • S3
  • SNS
  • RDS
  • SQS
  • Elastic Beanstalk

This is the policy required to allow an IAM user to access, update, deploy and ssh to Elastic Beanstalk:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ElasticBeanstalkReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:List*",
        "cloudwatch:Get*",
        "s3:Get*",
        "s3:List*",
        "sns:Get*",
        "sns:List*",
        "cloudformation:Describe*",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudformation:Validate*",
        "cloudformation:Estimate*",
        "rds:Describe*",
        "sqs:Get*",
        "sqs:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ElasticBeanstalkDeployAccess",
      "Effect": "Allow",
      "Action": [
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "autoscaling:UpdateAutoScalingGroup",
        "cloudformation:UpdateStack",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticbeanstalk:CreateStorageLocation",
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:CreateConfigurationTemplate",
        "elasticbeanstalk:UpdateApplicationVersion",
        "elasticbeanstalk:UpdateConfigurationTemplate",
        "elasticbeanstalk:UpdateEnvironment",
        "elasticbeanstalk:ValidateConfigurationSettings",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

The above policy gives IAM users read-only and deploy-only access to any Elastic Beanstalk environment and its related services.

If you want to restrict the users' access to particular AWS resources, you need to specify the ARNs and conditions yourself. For example:

  • Restrict S3 resources to something like arn:aws:s3:::elasticbeanstalk-us-east-1-123456789012/* (Elastic Beanstalk's S3 Bucket).
  • EC2 with a resource tag as the condition (like: elasticbeanstalk:environment-name).
  • You can also specify the AWS region in the ARN.
Edward Samuel
  • Thanks. I managed to figure it out with different applications. Well worth half my points for the bounty! – Gustaf Dec 01 '15 at 04:23
  • I had to add permissions for `logs:DescribeLogGroups` and `logs:PutRetentionPolicy` to get this to work. – Josh Apr 02 '21 at 19:21
  • Thanks, it worked for me after adding the above-mentioned permissions list to my AWS IAM user. Created a group 'Administrators', created a user in this group and attached the above-mentioned permissions as full access except SQS and RDS. SQS and RDS were given read-only access. – Jaisankar Aug 28 '22 at 19:16
  • Thanks! I had to add permissions for `SNS:CreateTopic` and `SNS:Unsubscribe` then it worked perfectly! – sertal70 Oct 27 '22 at 06:59
Here is how you can use it. This is nowhere near perfect, but it gives you some ideas of how you can use it. There is obviously more to narrow this down, but this is enough for me at the moment.

The first section they can't really do any harm with, so I let them have full access to it for now. (I should make S3 more granular.)

I needed elasticloadbalancing:DeregisterInstancesFromLoadBalancer, so I added it such that this team can only use it in the Europe region. That is fine for now as they are only there.

The third and fourth sections are for the two Elastic Beanstalk apps they should have access to.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "elasticloadbalancing:Describe*",
                "autoscaling:Describe*",
                "cloudwatch:Describe*",
                "cloudwatch:List*",
                "cloudwatch:Get*",
                "s3:Get*",
                "s3:List*",
                "sns:Get*",
                "sns:List*",
                "cloudformation:Describe*",
                "cloudformation:Get*",
                "cloudformation:List*",
                "cloudformation:Validate*",
                "cloudformation:Estimate*",
                "rds:Describe*",
                "elasticbeanstalk:CreateStorageLocation",
                "sqs:Get*",
                "sqs:List*",
                "autoscaling:SuspendProcesses",
                "autoscaling:ResumeProcesses",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:DescribeAutoScalingGroups",
                "cloudformation:UpdateStack",
                "cloudformation:DescribeStacks",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:eu-west-1:12345678910:loadbalancer/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:Check*",
                "elasticbeanstalk:Describe*",
                "elasticbeanstalk:List*",
                "elasticbeanstalk:RequestEnvironmentInfo",
                "elasticbeanstalk:RetrieveEnvironmentInfo",
                "elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:CreateConfigurationTemplate",
                "elasticbeanstalk:UpdateApplicationVersion",
                "elasticbeanstalk:UpdateConfigurationTemplate",
                "elasticbeanstalk:UpdateEnvironment",
                "elasticbeanstalk:DescribeEnvironmentResources",
                "elasticbeanstalk:ValidateConfigurationSettings"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "elasticbeanstalk:InApplication": [
                        "arn:aws:elasticbeanstalk:eu-west-1:12345678910:application/My App"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:Check*",
                "elasticbeanstalk:Describe*",
                "elasticbeanstalk:List*",
                "elasticbeanstalk:RequestEnvironmentInfo",
                "elasticbeanstalk:RetrieveEnvironmentInfo",
                "elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:CreateConfigurationTemplate",
                "elasticbeanstalk:UpdateApplicationVersion",
                "elasticbeanstalk:UpdateConfigurationTemplate",
                "elasticbeanstalk:UpdateEnvironment",
                "elasticbeanstalk:DescribeEnvironmentResources",
                "elasticbeanstalk:ValidateConfigurationSettings"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "elasticbeanstalk:InApplication": [
                        "arn:aws:elasticbeanstalk:eu-west-1:12345678910:application/My Second App"
                    ]
                }
            }
        }
    ]
}
Gustaf
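As an added example (not code from either answer above), the script below builds the per-environment split the question asks for: every developer gets the develop environment, one person also gets master. It scopes the Elastic Beanstalk actions to environment ARNs and keeps the elasticbeanstalk:InApplication condition from the second answer, then runs a simplified evaluator so you can check who can do what offline. The account ID, region and app/environment names are constructed placeholders, and the evaluator models only Allow/Deny, action and resource wildcards, and StringEquals.

```python
from fnmatch import fnmatchcase

# Constructed placeholders, not real AWS identifiers.
REGION, ACCOUNT, APP = "eu-west-1", "123456789012", "My App"
APP_ARN = f"arn:aws:elasticbeanstalk:{REGION}:{ACCOUNT}:application/{APP}"

def env_arn(env_name):
    """Elastic Beanstalk environment ARN for an environment of APP."""
    return f"arn:aws:elasticbeanstalk:{REGION}:{ACCOUNT}:environment/{APP}/{env_name}"

def eb_env_policy(env_names):
    """Allow deploy/debug actions only on the given environments of APP."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["elasticbeanstalk:Describe*",
                   "elasticbeanstalk:RequestEnvironmentInfo",
                   "elasticbeanstalk:RetrieveEnvironmentInfo",
                   "elasticbeanstalk:UpdateEnvironment"],
        "Resource": [env_arn(e) for e in env_names],
        "Condition": {"StringEquals": {"elasticbeanstalk:InApplication": [APP_ARN]}},
    }]}

DEVELOPER_POLICY = eb_env_policy(["develop"])           # every developer
RELEASE_POLICY = eb_env_policy(["develop", "master"])   # the one person who deploys master
REQUEST_CONTEXT = {"elasticbeanstalk:InApplication": APP_ARN}  # condition key EB supplies

def _matches(patterns, value):
    """IAM-style wildcard match; a bare string counts as a one-element list."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    """Only StringEquals is modelled: each key must be present and equal a listed value."""
    for key, wanted in condition.get("StringEquals", {}).items():
        wanted = [wanted] if isinstance(wanted, str) else wanted
        if context.get(key) not in wanted:
            return False
    return True

def is_allowed(policy, action, resource, context):
    """Simplified IAM evaluation: explicit Deny wins, else any matching Allow, else deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)
                and _condition_holds(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

eb deploy still needs the supporting S3, CloudFormation, EC2 and Auto Scaling permissions from the first answer; this block covers only the Elastic Beanstalk-scoped part that separates develop from master.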
At the risk of giving way more permission than you'd like, this AWS managed policy could be useful:

arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk

Jon Worek