Elastic Beanstalk IAM developer permissions

Time: 2015-10-09 13:00:04

Tags: elastic-beanstalk amazon-iam amazon-elastic-beanstalk

I've been trying to work out which permissions I need to set so that developers can run eb deploy, eb logs and eb ssh in specific EB environments. I want to set it up so that all developers can deploy to and debug our development environment, but only one can deploy to and debug master.

I'd also like it locked down so that they can't affect any other EC2 instances, RDS instances, S3 buckets, load balancers, etc.

Has anyone managed to come up with an IAM policy (or two...) for this?

2 answers:

Answer 0 (score: 12)

Elastic Beanstalk is made up of many AWS services. You need to grant all the specific permissions for the AWS resources Elastic Beanstalk uses to read and update the environment, including:

  • CloudFormation
  • EC2
  • Auto Scaling Group
  • Elastic Load Balancer
  • CloudWatch
  • S3
  • SNS
  • RDS
  • SQS
  • Elastic Beanstalk

Here is the full set of required policies that allow an IAM user to access, update, deploy to and ssh into Elastic Beanstalk:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ElasticBeanstalkReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:List*",
        "cloudwatch:Get*",
        "s3:Get*",
        "s3:List*",
        "sns:Get*",
        "sns:List*",
        "cloudformation:Describe*",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudformation:Validate*",
        "cloudformation:Estimate*",
        "rds:Describe*",
        "sqs:Get*",
        "sqs:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ElasticBeanstalkDeployAccess",
      "Effect": "Allow",
      "Action": [
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "autoscaling:UpdateAutoScalingGroup",
        "cloudformation:UpdateStack",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticbeanstalk:CreateStorageLocation",
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:CreateConfigurationTemplate",
        "elasticbeanstalk:UpdateApplicationVersion",
        "elasticbeanstalk:UpdateConfigurationTemplate",
        "elasticbeanstalk:UpdateEnvironment",
        "elasticbeanstalk:ValidateConfigurationSettings",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

The above policy allows an IAM user read-only and deploy-only access to any Elastic Beanstalk and related services.

If you want to restrict the user's access to specific AWS resources, you need to specify the ARNs and conditions yourself. For example:

  • Restrict S3 resources to arn:aws:s3:::elasticbeanstalk-us-east-1-123456789012/* (Elastic Beanstalk's S3 bucket).
  • For EC2, use resource tags as conditions (e.g. elasticbeanstalk:environment-name).
  • You can also specify the AWS region in the ARN.

Answer 1 (score: 0)

Here's how I use it. It's not perfect, but it gives you some idea of how to use it. Obviously there's more to narrow down, but this is good enough for me.

The first section: those really can't do any harm, so for now I just give full access to them. (I should be more granular with S3.)

I needed elasticloadbalancing:DeregisterInstancesFromLoadBalancer, so I added this; the team can only use it in the European region. That's fine for now since they're only there.

The third and fourth sections are the two Elastic Beanstalk applications I should have access to.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "elasticloadbalancing:Describe*",
                "autoscaling:Describe*",
                "cloudwatch:Describe*",
                "cloudwatch:List*",
                "cloudwatch:Get*",
                "s3:Get*",
                "s3:List*",
                "sns:Get*",
                "sns:List*",
                "cloudformation:Describe*",
                "cloudformation:Get*",
                "cloudformation:List*",
                "cloudformation:Validate*",
                "cloudformation:Estimate*",
                "rds:Describe*",
                "elasticbeanstalk:CreateStorageLocation",
                "sqs:Get*",
                "sqs:List*",
                "autoscaling:SuspendProcesses",
                "autoscaling:ResumeProcesses",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:DescribeAutoScalingGroups",
                "cloudformation:UpdateStack",
                "cloudformation:DescribeStacks",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:eu-west-1:12345678910:loadbalancer/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:Check*",
                "elasticbeanstalk:Describe*",
                "elasticbeanstalk:List*",
                "elasticbeanstalk:RequestEnvironmentInfo",
                "elasticbeanstalk:RetrieveEnvironmentInfo",
                "elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:CreateConfigurationTemplate",
                "elasticbeanstalk:UpdateApplicationVersion",
                "elasticbeanstalk:UpdateConfigurationTemplate",
                "elasticbeanstalk:UpdateEnvironment",
                "elasticbeanstalk:DescribeEnvironmentResources",
                "elasticbeanstalk:ValidateConfigurationSettings"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "elasticbeanstalk:InApplication": [
                        "arn:aws:elasticbeanstalk:eu-west-1:12345678910:application/My App"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:Check*",
                "elasticbeanstalk:Describe*",
                "elasticbeanstalk:List*",
                "elasticbeanstalk:RequestEnvironmentInfo",
                "elasticbeanstalk:RetrieveEnvironmentInfo",
                "elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:CreateConfigurationTemplate",
                "elasticbeanstalk:UpdateApplicationVersion",
                "elasticbeanstalk:UpdateConfigurationTemplate",
                "elasticbeanstalk:UpdateEnvironment",
                "elasticbeanstalk:DescribeEnvironmentResources",
                "elasticbeanstalk:ValidateConfigurationSettings"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "elasticbeanstalk:InApplication": [
                        "arn:aws:elasticbeanstalk:eu-west-1:12345678910:application/My Second App"
                    ]
                }
            }
        }
    ]
}
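The scoping both answers rely on (a region-scoped load balancer ARN in the Resource, and the elasticbeanstalk:InApplication condition key restricting Elastic Beanstalk actions to named applications) is easy to get subtly wrong, so the following is an added example, not code from either answer: a deliberately simplified policy evaluator that models only Allow/Deny, IAM wildcard matching and the StringEquals operator, run against a constructed, condensed version of the second answer's policy. Real IAM evaluation has many more operators, context keys and policy types, so treat the AWS IAM policy simulator as authoritative and this as a way to see why a request outside any application, or against a load balancer in another region, falls through to the implicit deny.

```python
import fnmatch
import json

# Constructed, condensed version of the second answer's policy (not the page's exact JSON).
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["elasticbeanstalk:Describe*", "s3:PutObject"]},
    {"Effect": "Allow",
     "Action": ["elasticloadbalancing:DeregisterInstancesFromLoadBalancer"],
     "Resource": ["arn:aws:elasticloadbalancing:eu-west-1:12345678910:loadbalancer/*"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["elasticbeanstalk:UpdateEnvironment"],
     "Condition": {"StringEquals": {"elasticbeanstalk:InApplication":
       ["arn:aws:elasticbeanstalk:eu-west-1:12345678910:application/My App"]}}}
  ]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, case_insensitive=False):
    # IAM '*' / '?' wildcards; action names compare case-insensitively, ARNs do not.
    if case_insensitive:
        value, patterns = value.lower(), [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_ok(condition, context):
    # Only StringEquals is modelled; a key absent from the request context fails the test.
    for key, allowed in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(allowed):
            return False
    return True

def is_allowed(policy, action, resource, context=None):
    """Simplified IAM decision: explicit Deny wins, else any matching Allow, else implicit deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, case_insensitive=True):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```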