ElasticBeanstalk permissions needed to deploy new version via AWS CLI

amazon-web-services elastic-beanstalk amazon-iam

I have an IAM policy setup that I thought provided the right permissions to deploy a new version to an Elastic Beanstalk application. I'm still getting InsufficientPrivilegesException, specifically:

aws elasticbeanstalk update-environment --environment-name LearnTfsBff --version-label LearnTfsBff-30

An error occurred (InsufficientPrivilegesException) when calling the UpdateEnvironment operation: Access Denied

This is the policy set for the deployment user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:*",
                "cloudformation:GetTemplate",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "autoscaling:*",
                "cloudfront:CreateInvalidation",
                "ec2:describeVpcs",
                "ec2:DescribeImages",
                "elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:DescribeApplications",
                "elasticbeanstalk:DescribeApplicationVersions",
                "elasticbeanstalk:DescribeEnvironments",
                "elasticbeanstalk:UpdateEnvironment",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "s3:ListAllMyBuckets",
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::learn-tfs-builds"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": "arn:aws:s3:::learn-tfs-*"
        }
    ]
}

I tried adding "elasticbeanstalk:*" as an allowed action and that did not resolve the privileges issue. I added "*" as allowed and that does resolve it, but is not a allowable solution.

How can I debug what specific permissions are needed within AWS?

Thanks,

Sam


Solution 1:

From this guide it looks like you might need S3 access for the elastic beanstalk bucket as well, IE:

{
"Action": [
 "s3:PutObject",
 "s3:PutObjectAcl",
 "s3:GetObject",
 "s3:GetObjectAcl",
 "s3:ListBucket",
 "s3:DeleteObject",
 "s3:GetBucketPolicy",
 "s3:CreateBucket"
],
"Effect": "Allow",
"Resource": [
 "arn:aws:s3:::elasticbeanstalk-[region]-[accountid]",
 "arn:aws:s3:::elasticbeanstalk-[region]-[accountid]/*"
]
}

Related

Alpine linux on AWS / EC2 : how to login with my public key?
How to Fix Directory with all Question Marks as Permissions
Do system calls in x86_64 linux still generate interrupts?
Jenkins Pipeline File - Passing Jenkinsfile variables into further commands
Can't click on start button and programs in taskbar
How to Migrate an oversized Encrypted server on ESXi
primary.sqlite.bz2 not found on private repo
Up-to-date distros supporting 32-bit i586/non-PAE, specifically for ALIX boards (AMD Geode) [closed]
Suspend a project in Google Cloud
Why do user and system cpu in cpuacct.stat not add up to cpuacct.usage?
Which ciphers satisfies the "Authenticated encryption (AEAD) cipher suites" SSL Labs test requirement?
How to defrag volume using mountpoint?