ElasticBeanstalk permissions needed to deploy new version via AWS CLI

I have an IAM policy setup that I thought provided the right permissions to deploy a new version to an Elastic Beanstalk application. I'm still getting InsufficientPrivilegesException, specifically:

aws elasticbeanstalk update-environment --environment-name LearnTfsBff --version-label LearnTfsBff-30

An error occurred (InsufficientPrivilegesException) when calling the UpdateEnvironment operation: Access Denied

This is the policy set for the deployment user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:*",
                "cloudformation:GetTemplate",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "autoscaling:*",
                "cloudfront:CreateInvalidation",
                "ec2:describeVpcs",
                "ec2:DescribeImages",
                "elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:DescribeApplications",
                "elasticbeanstalk:DescribeApplicationVersions",
                "elasticbeanstalk:DescribeEnvironments",
                "elasticbeanstalk:UpdateEnvironment",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "s3:ListAllMyBuckets",
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::learn-tfs-builds"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": "arn:aws:s3:::learn-tfs-*"
        }
    ]
}

I tried adding "elasticbeanstalk:*" as an allowed action and that did not resolve the privileges issue. I added "*" as allowed and that does resolve it, but is not a allowable solution.

How can I debug what specific permissions are needed within AWS?

Thanks,

Sam


Solution 1:

From this guide it looks like you might need S3 access for the elastic beanstalk bucket as well, IE:

{
"Action": [
 "s3:PutObject",
 "s3:PutObjectAcl",
 "s3:GetObject",
 "s3:GetObjectAcl",
 "s3:ListBucket",
 "s3:DeleteObject",
 "s3:GetBucketPolicy",
 "s3:CreateBucket"
],
"Effect": "Allow",
"Resource": [
 "arn:aws:s3:::elasticbeanstalk-[region]-[accountid]",
 "arn:aws:s3:::elasticbeanstalk-[region]-[accountid]/*"
]
}