Skip to content

Instantly share code, notes, and snippets.

@hasantayyar
Forked from magnetikonline/README.md
Created June 1, 2018 16:17
Show Gist options
  • Save hasantayyar/321a31135a2d930e54f94d982a7ac7c7 to your computer and use it in GitHub Desktop.
Save hasantayyar/321a31135a2d930e54f94d982a7ac7c7 to your computer and use it in GitHub Desktop.
AWS Elastic Beanstalk deploy user restricted IAM policy.

AWS Elastic Beanstalk deploy user restricted IAM policy

An IAM user policy document to give minimal rights for deploying an Elastic Beanstalk application.

Where:

  • REGION: AWS region.
  • ACCOUNT_ID: AWS account ID.
  • APPLICATION_NAME: Desired target Elastic Beanstalk application name(space).
  • IAM_INSTANCE_PROFILE_ROLE: The instance profile (IAM role) Elastic Beanstalk EC2 instaces will run under.
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"autoscaling:*",
				"cloudformation:*",
				"ec2:*"
			],
			"Effect": "Allow",
			"Resource": [
				"*"
			]
		},
		{
			"Action": [
				"elasticbeanstalk:*"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:elasticbeanstalk:*::solutionstack/*",
				"arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:application/APPLICATION_NAME",
				"arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:applicationversion/APPLICATION_NAME/*",
				"arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:environment/APPLICATION_NAME/*",
				"arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:template/APPLICATION_NAME/*"
			]
		},
		{
			"Action": [
				"s3:GetObject"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::elasticbeanstalk-*/*"
			]
		},
		{
			"Action": [
				"s3:CreateBucket",
				"s3:DeleteObject",
				"s3:GetBucketPolicy",
				"s3:GetObjectAcl",
				"s3:ListBucket",
				"s3:PutBucketPolicy",
				"s3:PutObject",
				"s3:PutObjectAcl"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_ID",
				"arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_ID/*"
			]
		},
		{
			"Action": [
				"iam:PassRole"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:iam::ACCOUNT_ID:role/IAM_INSTANCE_PROFILE_ROLE"
			]
		}
	]
}

Notes:

  • The addition of the s3:CreateBucket action against the arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_ID resource is critical for the creation of new Elastic Beanstalk application instances - even if the bucket itself already exists.
  • Policy has been designed to work with single container Docker environments - not multicontainer, which are ECS cluster environments under the hood and requires additional IAM action permissions.

Reference

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment