I have been trying to work out what permissions I need to set so that developers can run eb deploy, eb logs and eb ssh against a specific eb environment. I want to set it up so that all developers can deploy to and debug our development environment, but only one person can deploy and debug.
I also want it locked down so that they cannot affect any other EC2 instances, RDS instances, S3 buckets, load balancers and so on.
Has anyone managed to put together an IAM policy (or two...) for this?

Elastic Beanstalk involves many AWS services. You need to grant all the specific permissions for the AWS resources that Elastic Beanstalk uses to read and update an environment, including:
- CloudFormation
- EC2
- Auto Scaling groups
- Elastic Load Balancing
- CloudWatch
- S3
- SNS
- RDS
- SQS
- Elastic Beanstalk
This is the policy required to allow an IAM user to access, update, deploy to and ssh into Elastic Beanstalk:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ElasticBeanstalkReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:List*",
        "cloudwatch:Get*",
        "s3:Get*",
        "s3:List*",
        "sns:Get*",
        "sns:List*",
        "cloudformation:Describe*",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudformation:Validate*",
        "cloudformation:Estimate*",
        "rds:Describe*",
        "sqs:Get*",
        "sqs:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ElasticBeanstalkDeployAccess",
      "Effect": "Allow",
      "Action": [
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "autoscaling:UpdateAutoScalingGroup",
        "cloudformation:UpdateStack",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticbeanstalk:CreateStorageLocation",
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:CreateConfigurationTemplate",
        "elasticbeanstalk:UpdateApplicationVersion",
        "elasticbeanstalk:UpdateConfigurationTemplate",
        "elasticbeanstalk:UpdateEnvironment",
        "elasticbeanstalk:ValidateConfigurationSettings",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
The policy above gives an IAM user read-only and deploy-only access to any Elastic Beanstalk environment and the related services.
If you want to restrict the user to specific AWS resources, you need to specify the ARNs and conditions yourself. For example:
- Restrict the S3 resource to arn:aws:s3:::elasticbeanstalk-us-east-1-123456789012/* (the Elastic Beanstalk S3 bucket).
- Add a condition on EC2 resource tags (such as elasticbeanstalk:environment-name).
- You can also specify the AWS region in the ARN.
I ended up using this. It is not perfect, but it gives you some idea of how to use it. There is obviously more that could be narrowed down, but this is enough for me.
With the first part they cannot really do any harm, so for now I give them full access to those. (I should make S3 more fine-grained.)
I needed elasticloadbalancing:DeregisterInstancesFromLoadBalancer, so I added it such that the team can only use it in the EU region. That is fine for now, because that is where they are.
The third and fourth parts are my two Elastic Beanstalk applications that they should have access to.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:List*",
        "cloudwatch:Get*",
        "s3:Get*",
        "s3:List*",
        "sns:Get*",
        "sns:List*",
        "cloudformation:Describe*",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudformation:Validate*",
        "cloudformation:Estimate*",
        "rds:Describe*",
        "elasticbeanstalk:CreateStorageLocation",
        "sqs:Get*",
        "sqs:List*",
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:DescribeAutoScalingGroups",
        "cloudformation:UpdateStack",
        "cloudformation:DescribeStacks",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
      ],
      "Resource": [
        "arn:aws:elasticloadbalancing:eu-west-1:12345678910:loadbalancer/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:CreateConfigurationTemplate",
        "elasticbeanstalk:UpdateApplicationVersion",
        "elasticbeanstalk:UpdateConfigurationTemplate",
        "elasticbeanstalk:UpdateEnvironment",
        "elasticbeanstalk:DescribeEnvironmentResources",
        "elasticbeanstalk:ValidateConfigurationSettings"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:eu-west-1:12345678910:application/My App"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:CreateConfigurationTemplate",
        "elasticbeanstalk:UpdateApplicationVersion",
        "elasticbeanstalk:UpdateConfigurationTemplate",
        "elasticbeanstalk:UpdateEnvironment",
        "elasticbeanstalk:DescribeEnvironmentResources",
        "elasticbeanstalk:ValidateConfigurationSettings"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:eu-west-1:12345678910:application/My Second App"
          ]
        }
      }
    }
  ]
}
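As an added example (not code from the question or from any of the answers), the following offline checker models how the region-scoped load balancer statement and the elasticbeanstalk:InApplication condition in the policy above limit what a developer can do. It is a deliberately simplified model of IAM evaluation (Allow statements, wildcards and StringEquals only), embeds a trimmed copy of those two statements, and uses the answer's placeholder account id and application name plus constructed environment and load balancer ARNs.

```python
import json
import re

# Constructed: the two scoped statements from the policy above (action lists
# trimmed), with the same placeholder account id and application name.
POLICY = json.loads('''{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"],
     "Resource": ["arn:aws:elasticloadbalancing:eu-west-1:12345678910:loadbalancer/*"]},
    {"Effect": "Allow",
     "Action": ["elasticbeanstalk:Describe*", "elasticbeanstalk:UpdateEnvironment"],
     "Resource": ["*"],
     "Condition": {"StringEquals": {"elasticbeanstalk:InApplication":
       ["arn:aws:elasticbeanstalk:eu-west-1:12345678910:application/My App"]}}}
  ]
}''')

def _matches(pattern, value):
    # IAM wildcard matching: '*' is any run of characters, '?' a single character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def is_allowed(policy, action, resource, context=None):
    """Simplified IAM check: True if some Allow statement matches the action,
    the resource ARN and every StringEquals key in the request context.
    Explicit Deny, NotAction/NotResource and policy variables are not modelled."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_matches(a.lower(), action.lower()) for a in stmt["Action"]):
            continue
        if not any(_matches(r, resource) for r in stmt["Resource"]):
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        # A key absent from the request context makes StringEquals false, as in IAM.
        if all(context.get(key) in values for key, values in conds.items()):
            return True
    return False

# Constructed request ARNs (placeholder account id taken from the answer).
ACCOUNT = "12345678910"
MY_APP = f"arn:aws:elasticbeanstalk:eu-west-1:{ACCOUNT}:application/My App"
DEV_ENV = f"arn:aws:elasticbeanstalk:eu-west-1:{ACCOUNT}:environment/My App/dev"
EU_ELB = f"arn:aws:elasticloadbalancing:eu-west-1:{ACCOUNT}:loadbalancer/awseb-dev"
US_ELB = f"arn:aws:elasticloadbalancing:us-east-1:{ACCOUNT}:loadbalancer/awseb-dev"
```

For an authoritative answer against real IAM semantics, run the same requests through aws iam simulate-custom-policy instead of this model.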
Although it may give you more permissions than you want, this AWS-managed policy may be useful:
arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk