amazon web services - Elastic Beanstalk: allow user to deploy
I can't figure out how to let other people in the company deploy to a (test) server on AWS Elastic Beanstalk.
This page suggests global permission control on Elastic Beanstalk: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/awshowto.iam.managed-policies.html
The Rhys Godfrey blog post titled "Using IAM to secure Elastic Beanstalk applications on AWS" has guidance.
We have an Elastic Beanstalk application and a group of users. The group of users should be able to monitor and deploy to the Elastic Beanstalk environment, including restarting or terminating an application instance. They should not be able to change the application or environment configuration, or delete the environment. The users should not be able to affect other applications or AWS services, though it is acceptable for them to see details of other areas. Assume the users are using the AWS console.
I have reposted the IAM policies here for reference. The nice thing about this approach is that it considers the application environment by referencing an EC2 tag on the instances, e.g. environment=testing, which is required in our use case.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ElasticBeanstalkEnvironmentPermissions",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:DescribeEnvironmentResources",
        "elasticbeanstalk:DescribeEnvironments",
        "elasticbeanstalk:DescribeEvents",
        "elasticbeanstalk:RestartAppServer",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticbeanstalk:SwapEnvironmentCNAMEs",
        "elasticbeanstalk:UpdateEnvironment",
        "elasticbeanstalk:RequestEnvironmentInfo"
      ],
      "Resource": [
        "arn:aws:elasticbeanstalk:eu-west-1:123xxxxxxxxx:environment/applicationname/*"
      ]
    },
    {
      "Sid": "ElasticBeanstalkGlobalPermissions",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:DescribeConfigurationOptions",
        "elasticbeanstalk:DescribeConfigurationSettings",
        "elasticbeanstalk:ListAvailableSolutionStacks",
        "elasticbeanstalk:ValidateConfigurationSettings",
        "elasticbeanstalk:CheckDNSAvailability",
        "elasticbeanstalk:CreateStorageLocation"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "ElasticBeanstalkApplicationVersionPermissions",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:DescribeApplicationVersions",
        "elasticbeanstalk:UpdateApplicationVersion"
      ],
      "Resource": [
        "arn:aws:elasticbeanstalk:eu-west-1:123xxxxxxxxx:applicationversion/applicationname/*"
      ]
    },
    {
      "Sid": "ElasticBeanstalkApplicationPermissions",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:DescribeApplications",
        "elasticbeanstalk:UpdateApplication"
      ],
      "Resource": [
        "arn:aws:elasticbeanstalk:eu-west-1:123xxxxxxxxx:application/applicationname"
      ]
    },
    {
      "Sid": "AutoScaling",
      "Effect": "Allow",
      "Action": [
        "autoscaling:SuspendProcesses",
        "autoscaling:Describe*",
        "autoscaling:ResumeProcesses"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatch",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:Describe*",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudFormation",
      "Effect": "Allow",
      "Action": [
        "cloudformation:GetTemplate",
        "cloudformation:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAM",
      "Effect": "Allow",
      "Action": [
        "iam:ListServerCertificates",
        "iam:ListInstanceProfiles"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3ElasticBeanstalkBucket",
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:GetBucketAcl",
        "s3:GetBucketCORS",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification",
        "s3:GetBucketPolicy",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetBucketWebsite",
        "s3:GetLifecycleConfiguration",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectTorrent",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTorrent",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:ListBucket",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-eu-west-1-123xxxxxxxxx",
        "arn:aws:s3:::elasticbeanstalk-eu-west-1-123xxxxxxxxx/*"
      ]
    },
    {
      "Sid": "S3Global",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "S3ElasticBeanstalkShared",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-env-resources-eu-west-1",
        "arn:aws:s3:::elasticbeanstalk-env-resources-eu-west-1/*"
      ]
    },
    {
      "Sid": "EC2Global",
      "Effect": "Allow",
      "Action": ["ec2:Describe*"],
      "Resource": ["*"]
    }
  ]
}
```
The second IAM policy handles the EC2 instances of a given environment:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2EnvironmentInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:MonitorInstances",
        "ec2:UnmonitorInstances",
        "ec2:RebootInstances",
        "ec2:StopInstances"
      ],
      "Resource": [
        "arn:aws:ec2:eu-west-1:123xxxxxxxxx:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/elasticbeanstalk:environment-name": "environmentname"
        }
      }
    }
  ]
}
```
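As an added check (not from the question or the linked blog post), a small Python evaluator that applies the Allow / Resource / Condition logic of the policies above to a constructed, trimmed copy of them, so you can confirm offline that a user gets RestartAppServer on the application's environments but not TerminateEnvironment, and can stop only instances carrying the environment tag. It models Allow statements, `*`/`?` wildcards and StringEquals on ec2:ResourceTag only; explicit Deny and other condition operators are out of scope, and the authoritative check is the IAM policy simulator.

```python
import fnmatch

# Constructed, trimmed-down copy of the two policies in the answer above (same ARNs and tag key).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["elasticbeanstalk:RestartAppServer", "elasticbeanstalk:UpdateEnvironment"],
         "Resource": ["arn:aws:elasticbeanstalk:eu-west-1:123xxxxxxxxx:environment/applicationname/*"]},
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": ["*"]},
        {"Effect": "Allow",
         "Action": ["ec2:RebootInstances", "ec2:StopInstances"],
         "Resource": ["arn:aws:ec2:eu-west-1:123xxxxxxxxx:instance/*"],
         "Condition": {"StringEquals": {
             "ec2:ResourceTag/elasticbeanstalk:environment-name": "environmentname"}}},
    ],
}


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Action names are case-insensitive; '*' and '?' wildcards apply to actions and ARNs alike.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_ok(condition, tags):
    # Only StringEquals on ec2:ResourceTag/<key> is modelled; any other operator counts as unmet.
    prefix = "ec2:ResourceTag/"
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if not key.startswith(prefix) or tags.get(key[len(prefix):]) != expected:
                return False
    return True


def is_allowed(policy, action, resource, tags=None):
    """Default deny: True only if some Allow statement matches action, resource and condition."""
    tags = tags or {}
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        if not _matches(statement["Action"], action) or not _matches(statement["Resource"], resource):
            continue
        if _condition_ok(statement.get("Condition", {}), tags):
            return True
    return False
```

Note that elasticbeanstalk:UpdateEnvironment, which a deployment of a new application version needs, is the same action that changes environment option settings, so this policy alone cannot separate "deploy" from "reconfigure".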