An IAM user policy document to give minimal rights for deploying an Elastic Beanstalk application.
Where:
REGION
: AWS region.ACCOUNT_ID
: AWS account ID.APPLICATION_NAME
: Desired target Elastic Beanstalk application name(space).IAM_INSTANCE_PROFILE_ROLE
: The instance profile (IAM role) Elastic Beanstalk EC2 instaces will run under.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"autoscaling:*",
"cloudformation:*",
"ec2:*"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"elasticbeanstalk:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:elasticbeanstalk:*::solutionstack/*",
"arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:application/APPLICATION_NAME",
"arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:applicationversion/APPLICATION_NAME/*",
"arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:environment/APPLICATION_NAME/*",
"arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:template/APPLICATION_NAME/*"
]
},
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::elasticbeanstalk-*/*"
]
},
{
"Action": [
"s3:CreateBucket",
"s3:DeleteObject",
"s3:GetBucketPolicy",
"s3:GetObjectAcl",
"s3:ListBucket",
"s3:PutBucketPolicy",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_ID",
"arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_ID/*"
]
},
{
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::ACCOUNT_ID:role/IAM_INSTANCE_PROFILE_ROLE"
]
}
]
}
- The addition of the
s3:CreateBucket
action against thearn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_ID
resource is critical for the creation of new Elastic Beanstalk application instances - even if the bucket itself already exists. - Policy has been designed to work with single container Docker environments - not multicontainer, which are ECS cluster environments under the hood and requires additional IAM action permissions.
@magnetikonline @cnluzhang - I'm wondering if the
autoscaling
,cloudformation
, andec2
permissions could be restricted via the use of tags?http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html#iam-policy-example-ec2-tag-permissions
As it stands, Elastic Beanstalk already tags resources created as part of an environment, so you could use those, or maybe even adding some custom tags yourself would make this easier.
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.tagging.html