An IAM user policy document to give minimal rights for deploying an Elastic Beanstalk application.
Where:
REGION: AWS region.ACCOUNT_ID: AWS account ID.APPLICATION_NAME: Desired target Elastic Beanstalk application name(space).IAM_INSTANCE_PROFILE_ROLE: The instance profile (IAM role) Elastic Beanstalk EC2 instaces will run under.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"autoscaling:*",
"cloudformation:*",
"ec2:*"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"elasticbeanstalk:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:elasticbeanstalk:*::solutionstack/*",
"arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:application/APPLICATION_NAME",
"arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:applicationversion/APPLICATION_NAME/*",
"arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:environment/APPLICATION_NAME/*",
"arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:template/APPLICATION_NAME/*"
]
},
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::elasticbeanstalk-*/*"
]
},
{
"Action": [
"s3:CreateBucket",
"s3:DeleteObject",
"s3:GetBucketPolicy",
"s3:GetObjectAcl",
"s3:ListBucket",
"s3:PutBucketPolicy",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_ID",
"arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_ID/*"
]
},
{
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::ACCOUNT_ID:role/IAM_INSTANCE_PROFILE_ROLE"
]
}
]
}- The addition of the
s3:CreateBucketaction against thearn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_IDresource is critical for the creation of new Elastic Beanstalk application instances - even if the bucket itself already exists. - Policy has been designed to work with single container Docker environments - not multicontainer, which are ECS cluster environments under the hood and requires additional IAM action permissions.