Elastic Beanstalk IAM developer permissions
I've been trying to figure out which permissions I need to set so that developers can run eb deploy, eb logs and eb ssh in specific EB environments. I want to set it up so that all developers can deploy to and debug our development environment, but only one can deploy to and debug master.
I also want it locked down so that they can't affect any other EC2 instances, RDS instances, S3 buckets, load balancers, etc.
Has anyone managed to work out an IAM policy (or two...) for this?
Elastic Beanstalk combines many AWS services. You need to grant all the specific permissions on the AWS resources that Elastic Beanstalk uses to read and update environments, including:
- CloudFormation
- EC2
- Auto Scaling groups
- Elastic Load Balancing
- CloudWatch
- S3
- SNS
- RDS
- SQS
- Elastic Beanstalk
Here is the complete set of policies required to allow an IAM user to access, update, deploy and SSH to Elastic Beanstalk:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ElasticBeanstalkReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:List*",
        "cloudwatch:Get*",
        "s3:Get*",
        "s3:List*",
        "sns:Get*",
        "sns:List*",
        "cloudformation:Describe*",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudformation:Validate*",
        "cloudformation:Estimate*",
        "rds:Describe*",
        "sqs:Get*",
        "sqs:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ElasticBeanstalkDeployAccess",
      "Effect": "Allow",
      "Action": [
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "autoscaling:UpdateAutoScalingGroup",
        "cloudformation:UpdateStack",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticbeanstalk:CreateStorageLocation",
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:CreateConfigurationTemplate",
        "elasticbeanstalk:UpdateApplicationVersion",
        "elasticbeanstalk:UpdateConfigurationTemplate",
        "elasticbeanstalk:UpdateEnvironment",
        "elasticbeanstalk:ValidateConfigurationSettings",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
The policy above gives an IAM user read-only and deploy-only access to any Elastic Beanstalk and related services.
If you want to restrict users to specific AWS resources, you need to specify the ARNs and conditions yourself. For example:
- Restrict the S3 resource to arn:aws:s3:::elasticbeanstalk-us-east-1-123456789012/* (Elastic Beanstalk's S3 bucket).
- Condition EC2 on resource tags (e.g. elasticbeanstalk:environment-name).
- You can also specify the AWS region in the ARN.
Here is what I use. It isn't perfect, but it gives you some ideas on how to use it. Obviously there is a lot more that could be narrowed down, but it's good enough for me.
In the first section they can't really do any harm, so for now I let them have full access to those. (I should be more granular on S3.)
I needed elasticloadbalancing:DeregisterInstancesFromLoadBalancer, so I added it, and the team can only use it in the EU region. That's fine for now, since that's where they are.
The third and fourth sections are my two Elastic Beanstalk applications that they should have access to.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:List*",
        "cloudwatch:Get*",
        "s3:Get*",
        "s3:List*",
        "sns:Get*",
        "sns:List*",
        "cloudformation:Describe*",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudformation:Validate*",
        "cloudformation:Estimate*",
        "rds:Describe*",
        "elasticbeanstalk:CreateStorageLocation",
        "sqs:Get*",
        "sqs:List*",
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:DescribeAutoScalingGroups",
        "cloudformation:UpdateStack",
        "cloudformation:DescribeStacks",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
      ],
      "Resource": [
        "arn:aws:elasticloadbalancing:eu-west-1:12345678910:loadbalancer/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:CreateConfigurationTemplate",
        "elasticbeanstalk:UpdateApplicationVersion",
        "elasticbeanstalk:UpdateConfigurationTemplate",
        "elasticbeanstalk:UpdateEnvironment",
        "elasticbeanstalk:DescribeEnvironmentResources",
        "elasticbeanstalk:ValidateConfigurationSettings"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:eu-west-1:12345678910:application/My App"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:CreateConfigurationTemplate",
        "elasticbeanstalk:UpdateApplicationVersion",
        "elasticbeanstalk:UpdateConfigurationTemplate",
        "elasticbeanstalk:UpdateEnvironment",
        "elasticbeanstalk:DescribeEnvironmentResources",
        "elasticbeanstalk:ValidateConfigurationSettings"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:eu-west-1:12345678910:application/My Second App"
          ]
        }
      }
    }
  ]
}
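Both answers leave the reader to verify by hand that the scoped-down variant (the S3 bucket ARN and region restrictions suggested in the first answer, the elasticbeanstalk:InApplication condition used in the second) actually separates "dev" from "master" and keeps developers away from unrelated resources. The following is an added example, not code from either answer: a small offline evaluator that applies a simplified model of IAM evaluation (implicit deny, explicit Deny beating Allow, `*`/`?` wildcards in Action and Resource, StringEquals conditions) to a constructed policy that combines both answers' ideas. The account id, bucket name and application ARNs are constructed placeholders, and NotAction/NotResource, other condition operators, permission boundaries, SCPs and resource-based policies are deliberately not modelled.

```python
"""Offline sanity check for a scoped-down Elastic Beanstalk developer policy.

Added example, not code from either answer. Models only a subset of IAM
evaluation (implicit deny, explicit Deny wins, '*'/'?' wildcards, StringEquals)
so it is a pre-flight check, not a substitute for the AWS policy simulator.
Account id, bucket and application names are constructed placeholders.
"""
import fnmatch

# Constructed policy: the read-only / deploy split from the first answer, with
# S3 writes pinned to the Elastic Beanstalk bucket and the deploy actions
# limited to one application via the InApplication condition from the second.
DEV_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnly",
            "Effect": "Allow",
            "Action": ["elasticbeanstalk:Describe*", "ec2:Describe*",
                       "s3:Get*", "s3:List*"],
            "Resource": "*",
        },
        {
            "Sid": "WriteOnlyToBeanstalkBucket",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl"],
            "Resource": "arn:aws:s3:::elasticbeanstalk-eu-west-1-123456789012/*",
        },
        {
            "Sid": "DeployDevApplicationOnly",
            "Effect": "Allow",
            "Action": ["elasticbeanstalk:CreateApplicationVersion",
                       "elasticbeanstalk:UpdateEnvironment"],
            "Resource": "*",
            "Condition": {"StringEquals": {"elasticbeanstalk:InApplication": [
                "arn:aws:elasticbeanstalk:eu-west-1:123456789012:application/dev-app"
            ]}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM '*' matches any run of characters and '?' a single one; fnmatchcase
    # gives the same semantics for strings without '[' (ARNs never contain it).
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only StringEquals is modelled; any other operator counts as unmet so an
    # unsupported condition can never widen the result.
    for operator, keys in condition.items():
        if operator != "StringEquals":
            return False
        for key, allowed in keys.items():
            if context.get(key) not in _as_list(allowed):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if the identity policy allows `action` on `resource` under `context`."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not _matches(actions, action.lower()):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides every Allow
        allowed = True
    return allowed


EB_BUCKET = "arn:aws:s3:::elasticbeanstalk-eu-west-1-123456789012"
DEV_APP = "arn:aws:elasticbeanstalk:eu-west-1:123456789012:application/dev-app"
MASTER_APP = "arn:aws:elasticbeanstalk:eu-west-1:123456789012:application/master-app"
DEV_ENV = "arn:aws:elasticbeanstalk:eu-west-1:123456789012:environment/dev-app/dev-env"
MASTER_ENV = "arn:aws:elasticbeanstalk:eu-west-1:123456789012:environment/master-app/prod"


def scope_checks(policy=DEV_POLICY):
    """Constructed checks mirroring the question's requirements."""
    return {
        "upload_bundle_to_eb_bucket": is_allowed(policy, "s3:PutObject", EB_BUCKET + "/app/v1.zip"),
        "write_other_bucket": is_allowed(policy, "s3:PutObject", "arn:aws:s3:::customer-data/export.csv"),
        "read_other_bucket": is_allowed(policy, "s3:GetObject", "arn:aws:s3:::customer-data/export.csv"),
        "deploy_dev_app": is_allowed(policy, "elasticbeanstalk:UpdateEnvironment", DEV_ENV,
                                     {"elasticbeanstalk:InApplication": DEV_APP}),
        "deploy_master_app": is_allowed(policy, "elasticbeanstalk:UpdateEnvironment", MASTER_ENV,
                                        {"elasticbeanstalk:InApplication": MASTER_APP}),
        "terminate_instance": is_allowed(policy, "ec2:TerminateInstances",
                                         "arn:aws:ec2:eu-west-1:123456789012:instance/i-0abc"),
    }


if __name__ == "__main__":
    for name, ok in scope_checks().items():
        print(f"{name:30} {'ALLOW' if ok else 'DENY'}")
```

Running it shows the intended split (bundle upload to the Beanstalk bucket and deployment of dev-app allowed; writes to other buckets, deployment of master-app and ec2:TerminateInstances denied) and also makes the gap the second answer admits to visible: because `s3:Get*` is still granted on `*`, reading any bucket in the account is allowed until that statement is narrowed to the Beanstalk bucket as well. Once a policy passes this local check, run the same action/resource pairs through the real engine with `aws iam simulate-custom-policy --policy-input-list ... --action-names ... --resource-arns ...`, which also accounts for the parts this model omits.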