AWS policy not respected

Time: 2018-04-26 11:12:48

Tags: amazon-web-services elastic-beanstalk

Under the "Logs" section on Elastic Beanstalk, as soon as I open that tab I immediately get the error An error occurred retrieving logs: Access Denied

If I click "Request last 100 lines of logs", I get another error in the EB events.

Failed retrieveEnvironmentInfo activity. Reason: Access Denied

In the event log I get two errors:

ERROR   Failed retrieveEnvironmentInfo activity. Reason: Access Denied
INFO    [Instance: i-0aa53b9c5f88fe09b] Successfully finished tailing 36 log(s)
INFO    Pulled logs for environment instances.
ERROR   Service:Amazon S3, Message:Access Denied

My role policy allows me these actions:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:*",
                "cloudformation:*",
                "cloudwatch:*",
                "dynamodb:*",
                "ec2:Describe*",
                "ec2:Get*",
                "ec2messages:Get*",
                "elasticbeanstalk:*",
                "iam:*",
                "kms:ListAliases",
                "lambda:Get*",
                "lambda:List*",
                "logs:Describe*",
                "logs:FilterLogEvents",
                "logs:Get*",
                "logs:List*",
                "logs:ListTagsLogGroup",
                "logs:TestMetricFilter",
                "sdb:Get*",
                "s3:Get*",
                "s3:List*",
                "ses:*",
                "sns:*",
                "sqs:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "cloudformation:DeleteStack",
                "dynamodb:DeleteTable",
                "elasticbeanstalk:DeleteEnvironment*",
                "elasticbeanstalk:DeleteApplication",
                "iam:Create*",
                "iam:Delete*",
                "iam:Remove*",
                "s3:DeleteBucket",
                "sqs:DeleteQueue"
            ],
            "Resource": "*"
        }
    ]
}

I also have my EB policy.

{
    "Action": [
        "autoscaling:Describe*",
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "cloudwatch:*",
        "cloudformation:List*",
        "cloudformation:Describe*",
        "cloudformation:Get*",
        "elasticbeanstalk:*",
        "elasticfilesystem:Describe*",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "health:Describe*",
        "health:Get*",
        "health:List*",
        "lambda:UpdateFunctionCode",
        "lambda:CreateAlias",
        "logs:*",
        "s3:Get*",
        "s3:List*",
        "s3:Head*",
        "s3:Put*",
        "s3:DeleteObject"
    ],
    "Effect": "Allow",
    "Resource": "*"
}

So when you use ELB and try to view logs, does it check permissions using the user role policy or the service policy? This seems odd.

1 answer:

Answer 0: (score: 3)

I ran into a similar problem and was able to fix it by adding the following to my policy.

{
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": "arn:aws:s3:::elasticbeanstalk-*"
    }

Not entirely sure whether everything is done in the Elastic Beanstalk S3 bucket, but this covered it. Here is my full policy that lets me pull Beanstalk logs.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:List*",
                "elasticbeanstalk:Describe*",
                "elasticbeanstalk:Describe*",
                "elasticbeanstalk:Request*",
                "elasticbeanstalk:Retrieve*",
                "ec2:Describe*",
                "ec2:Get*",
                "cloudformation:Describe*",
                "cloudformation:List*",
                "cloudformation:Get*",
                "autoscaling:Describe*",
                "elasticloadbalancing:Describe*",
                "s3:Head*",
                "s3:List*",
                "s3:Get*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": "arn:aws:s3:::elasticbeanstalk-*"
        }
    ]
}
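To see why the answer's s3:* statement scoped to arn:aws:s3:::elasticbeanstalk-* unblocks log retrieval without opening S3 access on other buckets, here is an added example (not the poster's code and not an AWS library) of a simplified IAM identity-policy evaluator in Python. It assumes identity-policy logic only (no Condition, NotAction, bucket policies or SCPs); the policy document is constructed from the answer's two statements plus the question's explicit Deny on s3:DeleteBucket, and the bucket ARN is made up.

```python
import fnmatch
import json

# Constructed example policy: the accepted answer's two statements plus the
# question's explicit Deny on s3:DeleteBucket, so all three outcomes appear.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["elasticbeanstalk:List*", "elasticbeanstalk:Describe*",
                "elasticbeanstalk:Request*", "elasticbeanstalk:Retrieve*",
                "s3:Head*", "s3:List*", "s3:Get*"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:*"],
     "Resource": "arn:aws:s3:::elasticbeanstalk-*"},
    {"Effect": "Deny", "Action": ["s3:DeleteBucket"], "Resource": "*"}
  ]
}
""")


def _match(pattern, value):
    # IAM patterns use only * and ?; escape [ so fnmatch does not read it as a set.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def _as_list(x):
    return x if isinstance(x, list) else [x]


def evaluate(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny beats any Allow,
    otherwise one matching Allow is enough, otherwise the request is implicitly
    denied. Condition, NotAction, NotResource, bucket policies and SCPs are not modelled."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # Action names are matched case-insensitively; resource ARNs are not.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(_match(a, action.lower()) for a in actions):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

With this policy, s3:PutObject on an elasticbeanstalk-* bucket is allowed, the same call on any other bucket falls through to the implicit deny, and s3:DeleteBucket is denied everywhere.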