Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
IAM Policy for deploy on Elastic Beanstalk

I am deploying with this IAM using Codeship and Circle CI to Elastic Beanstalk. I had a lot of trouble with this config. I talked to the aws support for about 6 hours until this worked properly, so, I guess it is worth to share.

UPDATE: In the end, I have to use the AWSElasticBeanstalkFullAccess policy. My custom policy keep breaking every week with some new added permission or some EB internal change. Anyway, the IAM I was using is below.

This works for me with CircleCI and EB Cli.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:DescribeEnvironments",
                "elasticbeanstalk:DeleteApplicationVersion",
                "elasticbeanstalk:UpdateEnvironment",
                "elasticbeanstalk:CreateStorageLocation",
                "elasticbeanstalk:DescribeEvents"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "sns:CreateTopic",
                "sns:GetTopicAttributes",
                "sns:ListSubscriptionsByTopic",
                "sns:Subscribe"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:sns:*:your-account-id:*"
        },
        {
            "Action": [
                "autoscaling:SuspendProcesses",
                "autoscaling:DescribeScalingActivities",
                "autoscaling:ResumeProcesses",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:PutNotificationConfiguration"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "cloudformation:GetTemplate",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStacks",
                "cloudformation:UpdateStack",
                "cloudformation:CancelUpdateStack"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:cloudformation:*:your-account-id:*"
        },
        {
            "Action": [
                "ec2:DescribeImages",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVpcs",
                "ec2:DescribeAddresses",
                "ec2:DescribeInstances",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupIngress"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketPolicy",
                "s3:CreateBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk*",
                "arn:aws:s3:::elasticbeanstalk-*-your-account-id",
                "arn:aws:s3:::elasticbeanstalk-*-your-account-id/*"
            ]
        }
    ]
}

You have to replace your-account-id with your aws account id.

For codeship you have to add permissions to a bucket, because they first upload the build to s3 and then deploy it. Something like that:

{
    "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
    ],
    "Effect": "Allow",
    "Resource": [
        "arn:aws:s3:::deploy-bucket",
        "arn:aws:s3:::deploy-bucket/*",
        "arn:aws:s3:::deploy-bucket-2",
        "arn:aws:s3:::deploy-bucket-2/*"
    ]
},

Note: I added this IAM to the group of the users that can deploy.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.