IAM Policy for deploy on Elastic Beanstalk

elasticbeanstalk_deploy_iam_policy.md

I am deploying with this IAM using Codeship and Circle CI to Elastic Beanstalk. I had a lot of trouble with this config. I talked to the aws support for about 6 hours until this worked properly, so, I guess it is worth to share.

UPDATE: In the end, I have to use the AWSElasticBeanstalkFullAccess policy. My custom policy keep breaking every week with some new added permission or some EB internal change. Anyway, the IAM I was using is below.

This works for me with CircleCI and EB Cli.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:DescribeEnvironments",
                "elasticbeanstalk:DeleteApplicationVersion",
                "elasticbeanstalk:UpdateEnvironment",
                "elasticbeanstalk:CreateStorageLocation",
                "elasticbeanstalk:DescribeEvents"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "sns:CreateTopic",
                "sns:GetTopicAttributes",
                "sns:ListSubscriptionsByTopic",
                "sns:Subscribe"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:sns:*:your-account-id:*"
        },
        {
            "Action": [
                "autoscaling:SuspendProcesses",
                "autoscaling:DescribeScalingActivities",
                "autoscaling:ResumeProcesses",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:PutNotificationConfiguration"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "cloudformation:GetTemplate",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStacks",
                "cloudformation:UpdateStack",
                "cloudformation:CancelUpdateStack"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:cloudformation:*:your-account-id:*"
        },
        {
            "Action": [
                "ec2:DescribeImages",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVpcs",
                "ec2:DescribeAddresses",
                "ec2:DescribeInstances",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupIngress"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketPolicy",
                "s3:CreateBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk*",
                "arn:aws:s3:::elasticbeanstalk-*-your-account-id",
                "arn:aws:s3:::elasticbeanstalk-*-your-account-id/*"
            ]
        }
    ]
}

You have to replace your-account-id with your aws account id.

For codeship you have to add permissions to a bucket, because they first upload the build to s3 and then deploy it. Something like that:

{
    "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
    ],
    "Effect": "Allow",
    "Resource": [
        "arn:aws:s3:::deploy-bucket",
        "arn:aws:s3:::deploy-bucket/*",
        "arn:aws:s3:::deploy-bucket-2",
        "arn:aws:s3:::deploy-bucket-2/*"
    ]
},

Note: I added this IAM to the group of the users that can deploy.

Thanks for sharing. I was beginning to pull my hair out.

Just had this randomly pop up on my last deployment:
Service:AmazonEC2, Message:You do not have permission to perform the 'ec2:DescribeSubnets' action.

So you'll want to add that do your policy as well.

+1 thanks a lot for that info

Great policy, thanks for sharing it.
I got two errors trying to use it, one for lacking permissions to carry out cloudformation:GetTemplate commands, which seemed weird since it's in the policy. After some frustration I worked around it by giving the user read-only permission on cloudformation.
Another error then came from lack of permission to register instances into loadbalancers, which I fixed by adding this to the policy -

"Effect": "Allow",
            "Action": [
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
            ],
            "Resource": [
                "*"
            ]

I suggest adding it to the policy.

This is a great list. I also required a few extras. First in elasticloadbalancing (one of which was mentioned previously):

"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer"

And secondly in s3, for an environment with a larger app file size (~50MB):

"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload"

Great policy! Finally found it, thank you.

Awesome! Finally found it, thank you!!!