@magnetikonline
Last active June 7, 2023 20:57

AWS Elastic Beanstalk deploy user restricted IAM policy

An IAM user policy document to give minimal rights for deploying an Elastic Beanstalk application.

Where:

  • REGION: AWS region.
  • ACCOUNT_ID: AWS account ID.
  • APPLICATION_NAME: Desired target Elastic Beanstalk application name(space).
  • IAM_INSTANCE_PROFILE_ROLE: The instance profile (IAM role) that Elastic Beanstalk EC2 instances will run under.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:*",
        "cloudformation:*",
        "ec2:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    },
    {
      "Action": [
        "elasticbeanstalk:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:*::solutionstack/*",
        "arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:application/APPLICATION_NAME",
        "arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:applicationversion/APPLICATION_NAME/*",
        "arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:environment/APPLICATION_NAME/*",
        "arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:template/APPLICATION_NAME/*"
      ]
    },
    {
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-*/*"
      ]
    },
    {
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteObject",
        "s3:GetBucketPolicy",
        "s3:GetObjectAcl",
        "s3:ListBucket",
        "s3:PutBucketPolicy",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_ID",
        "arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_ID/*"
      ]
    },
    {
      "Action": [
        "iam:PassRole"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::ACCOUNT_ID:role/IAM_INSTANCE_PROFILE_ROLE"
      ]
    }
  ]
}

Notes

  • The addition of the s3:CreateBucket action against the arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_ID resource is critical for the creation of new Elastic Beanstalk application instances - even if the bucket itself already exists.
  • The policy has been designed to work with single container Docker environments - not multicontainer environments, which are ECS cluster environments under the hood and require additional IAM action permissions.
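The first statement of the policy above grants autoscaling:*, cloudformation:* and ec2:* on every resource, which is the part a reviewer should look at hardest; the elasticbeanstalk, S3 and iam:PassRole statements are what actually pin the deploy user to one application and one instance role. As an added example (not part of the gist), the Python below renders the template with constructed placeholder values, refuses to render a half-filled policy, and runs a small offline audit that flags wildcard actions (severity depends on whether the resource is also unscoped) and an iam:PassRole that is not pinned to a single role ARN. It also audits the variant a commenter below describes, with the explicit S3 actions collapsed to s3:*, so the widening shows up in the findings. SAMPLE_VALUES, the severity labels and the helper names are this example's own assumptions.

```python
import json
import re
from typing import Dict, List, Tuple

# Placeholders used by the gist, and constructed sample values for them
# (these values are made up for the example; substitute your own).
PLACEHOLDERS = ("REGION", "ACCOUNT_ID", "APPLICATION_NAME", "IAM_INSTANCE_PROFILE_ROLE")
SAMPLE_VALUES = {
    "REGION": "ap-southeast-2",
    "ACCOUNT_ID": "123456789012",
    "APPLICATION_NAME": "my-app",
    "IAM_INSTANCE_PROFILE_ROLE": "aws-elasticbeanstalk-ec2-role",
}
PLACEHOLDER_RE = re.compile("|".join(PLACEHOLDERS))

# The gist's policy, transcribed as a Python dict so it can be audited offline.
POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["autoscaling:*", "cloudformation:*", "ec2:*"],
         "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["elasticbeanstalk:*"], "Resource": [
            "arn:aws:elasticbeanstalk:*::solutionstack/*",
            "arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:application/APPLICATION_NAME",
            "arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:applicationversion/APPLICATION_NAME/*",
            "arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:environment/APPLICATION_NAME/*",
            "arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:template/APPLICATION_NAME/*"]},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::elasticbeanstalk-*/*"]},
        {"Effect": "Allow", "Action": [
            "s3:CreateBucket", "s3:DeleteObject", "s3:GetBucketPolicy", "s3:GetObjectAcl",
            "s3:ListBucket", "s3:PutBucketPolicy", "s3:PutObject", "s3:PutObjectAcl"],
         "Resource": ["arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_ID",
                      "arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_ID/*"]},
        {"Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": ["arn:aws:iam::ACCOUNT_ID:role/IAM_INSTANCE_PROFILE_ROLE"]},
    ],
}


def render(template: dict, values: Dict[str, str]) -> dict:
    """Substitute the gist's placeholders inside every string of the policy.

    Refuses to render when a placeholder has no value, so a half-filled
    policy (e.g. a literal "ACCOUNT_ID" in an ARN) never gets attached to a user.
    """
    missing = [p for p in PLACEHOLDERS if p not in values]
    if missing:
        raise ValueError(f"no value for placeholder(s): {missing}")
    # json.dumps(...)[1:-1] JSON-escapes the value without its surrounding quotes.
    text = PLACEHOLDER_RE.sub(lambda m: json.dumps(values[m.group(0)])[1:-1], json.dumps(template))
    return json.loads(text)


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def audit(policy: dict) -> List[Tuple[str, int, str]]:
    """Return (severity, statement_index, message) findings for broad Allow grants."""
    findings: List[Tuple[str, int, str]] = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        unscoped = "*" in resources  # Resource "*" means every resource in the account
        for action in actions:
            if action == "*":
                findings.append(("high", idx, "Action '*' allows every API call"))
            elif action.endswith(":*"):
                severity = "high" if unscoped else "medium"
                where = "all resources" if unscoped else "scoped resources"
                findings.append((severity, idx, f"{action} is a service-wide wildcard on {where}"))
            elif action.lower() == "iam:passrole" and any("*" in r for r in resources):
                findings.append(("high", idx, "iam:PassRole is not pinned to one role ARN"))
            elif "*" in action:
                findings.append(("low", idx, f"{action} is a partial wildcard"))
    return findings


def with_s3_wildcard(policy: dict) -> dict:
    """Variant a commenter on the gist reports using: the statement that lists
    several explicit s3: actions collapsed to a single s3:* action."""
    variant = json.loads(json.dumps(policy))  # deep copy, leave the input untouched
    for stmt in variant["Statement"]:
        actions = _as_list(stmt["Action"])
        if len(actions) > 1 and all(a.startswith("s3:") for a in actions):
            stmt["Action"] = ["s3:*"]
    return variant


if __name__ == "__main__":
    for severity, idx, message in audit(render(POLICY_TEMPLATE, SAMPLE_VALUES)):
        print(f"[{severity}] statement {idx}: {message}")
```

Run as a script it prints three high findings for statement 0 (the unscoped autoscaling/cloudformation/ec2 wildcards) and one medium finding for the elasticbeanstalk:* wildcard that is at least scoped to the application; the iam:PassRole statement passes because it names exactly one role ARN. Replacing the S3 action list with s3:* adds a medium finding on the bucket statement, which is a reasonable trade to review explicitly rather than make silently when chasing permission errors.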
@tommydongaws

tommydongaws commented Jun 7, 2023

Had so many IAM errors: had to add "elasticloadbalancing:ModifyListener", "elasticloadbalancing:describe*" as well. Replaced the multiple s3 actions with "s3:*".
