An IAM user policy document to give minimal rights for deploying an Elastic Beanstalk application.
Where:
REGION: AWS region.
ACCOUNT_ID: AWS account ID.
APPLICATION_NAME: Desired target Elastic Beanstalk application name(space).
IAM_INSTANCE_PROFILE_ROLE: The instance profile (IAM role) Elastic Beanstalk EC2 instances will run under.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:*",
        "cloudformation:*",
        "ec2:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    },
    {
      "Action": [
        "elasticbeanstalk:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:*::solutionstack/*",
        "arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:application/APPLICATION_NAME",
        "arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:applicationversion/APPLICATION_NAME/*",
        "arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:environment/APPLICATION_NAME/*",
        "arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:template/APPLICATION_NAME/*"
      ]
    },
    {
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-*/*"
      ]
    },
    {
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteObject",
        "s3:GetBucketPolicy",
        "s3:GetObjectAcl",
        "s3:ListBucket",
        "s3:PutBucketPolicy",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_ID",
        "arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_ID/*"
      ]
    },
    {
      "Action": [
        "iam:PassRole"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::ACCOUNT_ID:role/IAM_INSTANCE_PROFILE_ROLE"
      ]
    }
  ]
}
- The addition of the s3:CreateBucket action against the arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_ID resource is critical for the creation of new Elastic Beanstalk application instances, even if the bucket itself already exists.
- The policy has been designed to work with single-container Docker environments, not multicontainer ones, which are ECS cluster environments under the hood and require additional IAM action permissions.
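As an added example (not part of either answer), here is a short Python check that fills the policy's REGION/ACCOUNT_ID/APPLICATION_NAME/IAM_INSTANCE_PROFILE_ROLE placeholders and then flags any Allow statement that pairs iam:PassRole or an S3 bucket-policy action with Resource "*", which is exactly the scoping the PassRole statement above depends on. The sample values and the reduced copy of the policy are constructed for the example; the Resource "*" grants to autoscaling, cloudformation and ec2 are deliberately not flagged, since the answers state Elastic Beanstalk needs them.

```python
import json
import re

# Concrete values for the policy's placeholders (constructed sample values).
PLACEHOLDERS = {
    "REGION": "eu-west-1",
    "ACCOUNT_ID": "123456789012",
    "APPLICATION_NAME": "my-app",
    "IAM_INSTANCE_PROFILE_ROLE": "aws-elasticbeanstalk-ec2-role",
}

# Actions that must stay scoped to a named ARN: unscoped iam:PassRole lets the deployer
# attach any role in the account to EC2; unscoped s3:PutBucketPolicy lets them change
# who can read or write the deployment bundles.
SENSITIVE_ACTIONS = {"iam:PassRole", "iam:*", "s3:PutBucketPolicy", "s3:*", "*"}

# Reduced copy of the policy above (constructed for this example) using its placeholders.
POLICY_TEMPLATE = """{
 "Version": "2012-10-17",
 "Statement": [
  {"Action": ["autoscaling:*", "cloudformation:*", "ec2:*"], "Effect": "Allow", "Resource": ["*"]},
  {"Action": ["s3:PutBucketPolicy", "s3:PutObject"], "Effect": "Allow",
   "Resource": ["arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_ID", "arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_ID/*"]},
  {"Action": ["iam:PassRole"], "Effect": "Allow",
   "Resource": ["arn:aws:iam::ACCOUNT_ID:role/IAM_INSTANCE_PROFILE_ROLE"]}
 ]
}"""

def render(template: str, values: dict) -> dict:
    """Fill the placeholders and parse the JSON; refuse a template with any left unfilled."""
    for name, value in values.items():
        template = template.replace(name, value)
    leftover = set(re.findall(r"\b(?:REGION|ACCOUNT_ID|APPLICATION_NAME|IAM_INSTANCE_PROFILE_ROLE)\b", template))
    if leftover:
        raise ValueError(f"unfilled placeholders: {sorted(leftover)}")
    return json.loads(template)

def as_list(value) -> list:
    # IAM accepts a single string or a list for Action and Resource; normalise to a list.
    return value if isinstance(value, list) else [value]

def lint(policy: dict) -> list:
    """Report every Allow statement that grants a sensitive action on Resource "*"."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource", [])):
            continue
        for action in as_list(stmt.get("Action", [])):
            if action in SENSITIVE_ACTIONS:
                findings.append(f'statement {i}: {action} allowed on Resource "*"')
    return findings
```

Run `lint(render(POLICY_TEMPLATE, PLACEHOLDERS))` against the full policy text as well; it returns an empty list for the scoped policy and one finding per statement that has been loosened to Resource "*".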
Here's the policy I've come up with after not being able to work with the posted policy. I'm sure that this could be tweaked more in order to make it more precise, etc.
The specific policy below will allow a user to interact with a single EB application. Do note that EB requires complete access for some AWS services like EC2, S3, CloudFormation, etc.
As said on Amazon's docs -
The Policy -
Resources used:
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.managed-policies.html
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.actions.html
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.arn.html
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts-roles-user.html