An IAM user policy document to give minimal rights for deploying an Elastic Beanstalk application.
Where:
REGION
: AWS region.ACCOUNT_ID
: AWS account ID.APPLICATION_NAME
: Desired target Elastic Beanstalk application name(space).IAM_INSTANCE_PROFILE_ROLE
: The instance profile (IAM role) Elastic Beanstalk EC2 instaces will run under.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"autoscaling:*",
"cloudformation:*",
"ec2:*"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"elasticbeanstalk:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:elasticbeanstalk:*::solutionstack/*",
"arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:application/APPLICATION_NAME",
"arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:applicationversion/APPLICATION_NAME/*",
"arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:environment/APPLICATION_NAME/*",
"arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:template/APPLICATION_NAME/*"
]
},
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::elasticbeanstalk-*/*"
]
},
{
"Action": [
"s3:CreateBucket",
"s3:DeleteObject",
"s3:GetBucketPolicy",
"s3:GetObjectAcl",
"s3:ListBucket",
"s3:PutBucketPolicy",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_ID",
"arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_ID/*"
]
},
{
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::ACCOUNT_ID:role/IAM_INSTANCE_PROFILE_ROLE"
]
}
]
}
- The addition of the
s3:CreateBucket
action against thearn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_ID
resource is critical for the creation of new Elastic Beanstalk application instances - even if the bucket itself already exists. - Policy has been designed to work with single container Docker environments - not multicontainer, which are ECS cluster environments under the hood and requires additional IAM action permissions.
I have published a policy that works for me, IAM policy to allow Continuous Integration user to deploy to AWS Elastic Beanstalk. In some regards it is more restrictive (e.g.
autoscaling
), in some less (e.g. not only for a particular application) and it could certainly be tightened more (but life is too short for that :)).I needed more of S3 permissions to make "Rolling with additional batch" updates working (contrary to "All at once that was already OK) so I added
s3:Get*
,s3:List*
, though I guess that is too permissive.