ElasticBeanstalk permissions needed to deploy new version via AWS CLI
From this guide it looks like you might need S3 access for the Elastic Beanstalk bucket as well, i.e.:
{
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:ListBucket",
"s3:DeleteObject",
"s3:GetBucketPolicy",
"s3:CreateBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::elasticbeanstalk-[region]-[accountid]",
"arn:aws:s3:::elasticbeanstalk-[region]-[accountid]/*"
]
}
Author: Usama
Updated on September 18, 2022

Comments

Usama, over 1 year ago:
I have an IAM policy setup that I thought provided the right permissions to deploy a new version to an Elastic Beanstalk application. I'm still getting InsufficientPrivilegesException, specifically:

aws elasticbeanstalk update-environment --environment-name LearnTfsBff --version-label LearnTfsBff-30

An error occurred (InsufficientPrivilegesException) when calling the UpdateEnvironment operation: Access Denied
This is the policy set for the deployment user:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:*",
        "cloudformation:GetTemplate",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStackResources",
        "cloudfront:CreateInvalidation",
        "ec2:describeVpcs",
        "ec2:DescribeImages",
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:DescribeApplications",
        "elasticbeanstalk:DescribeApplicationVersions",
        "elasticbeanstalk:DescribeEnvironments",
        "elasticbeanstalk:UpdateEnvironment",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::learn-tfs-builds"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": "arn:aws:s3:::learn-tfs-*"
    }
  ]
}
I tried adding "elasticbeanstalk:*" as an allowed action and that did not resolve the privileges issue. I added "*" as allowed and that does resolve it, but is not an allowable solution. How can I debug what specific permissions are needed within AWS?
Thanks,
Sam
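As an added worked example (not code from the question or the answer), the following script is a small offline IAM policy checker. It takes the deployment user's policy as posted in the question (with the trailing comma removed and the duplicate "autoscaling:*" entry dropped), runs it against the calls a CLI deploy makes, and then repeats the check with the answer's S3 statement appended. The region, account id, application and environment names and bundle key are assumed placeholders, and the list of calls a deploy makes is constructed for the example. The evaluator models only the core of IAM's decision logic (default deny, explicit Deny beats Allow, `*` and `?` wildcards, case-insensitive action names) and ignores Condition blocks, NotAction/NotResource, resource-based policies, SCPs and permission boundaries, so it is a debugging aid rather than an authority.

```python
"""Offline IAM policy check for an Elastic Beanstalk CLI deploy.

Added example, not code from the question or answer. Simplified IAM model:
default deny, explicit Deny wins over Allow, '*'/'?' wildcards in Action and
Resource, Action matching case-insensitive, Resource matching case-sensitive.
Conditions, NotAction/NotResource, resource policies, SCPs and permission
boundaries are ignored. Region, account id and names are assumed placeholders.
"""
import re
from typing import List, Tuple

REGION, ACCOUNT = "us-east-1", "123456789012"  # assumed placeholders
EB_BUCKET = f"arn:aws:s3:::elasticbeanstalk-{REGION}-{ACCOUNT}"

# The deployment user's policy from the question (trailing comma removed,
# duplicate "autoscaling:*" dropped).
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "autoscaling:*", "cloudformation:GetTemplate",
            "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources",
            "cloudfront:CreateInvalidation", "ec2:describeVpcs", "ec2:DescribeImages",
            "elasticbeanstalk:CreateApplicationVersion", "elasticbeanstalk:DescribeApplications",
            "elasticbeanstalk:DescribeApplicationVersions", "elasticbeanstalk:DescribeEnvironments",
            "elasticbeanstalk:UpdateEnvironment",
            "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
            "elasticloadbalancing:DescribeInstanceHealth",
            "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
            "s3:ListAllMyBuckets"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::learn-tfs-builds"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::learn-tfs-*"},
    ],
}

# The extra statement from the answer, with its placeholders filled in.
EB_BUCKET_STATEMENT = {
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectAcl",
               "s3:ListBucket", "s3:DeleteObject", "s3:GetBucketPolicy", "s3:CreateBucket"],
    "Resource": [EB_BUCKET, EB_BUCKET + "/*"],
}


def with_statement(policy: dict, statement: dict) -> dict:
    """Return a copy of policy with one more statement appended."""
    return {"Version": policy["Version"], "Statement": policy["Statement"] + [statement]}


def _matches(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM decision: an explicit Deny wins, else any matching Allow, else deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, resource, False) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def deploy_calls(app: str, env: str, label: str, bundle_key: str) -> List[Tuple[str, str]]:
    """(action, resource) pairs a CLI deploy exercises: upload the bundle to the
    Elastic Beanstalk bucket, register it as a version, point the environment at it.
    Constructed for this example; a real deploy also makes various Describe* calls."""
    eb = f"arn:aws:elasticbeanstalk:{REGION}:{ACCOUNT}"
    return [
        ("s3:PutObject", f"{EB_BUCKET}/{bundle_key}"),
        ("s3:GetObject", f"{EB_BUCKET}/{bundle_key}"),
        ("elasticbeanstalk:CreateApplicationVersion", f"{eb}:applicationversion/{app}/{label}"),
        ("elasticbeanstalk:UpdateEnvironment", f"{eb}:environment/{app}/{env}"),
    ]


def missing_permissions(policy: dict, calls) -> List[Tuple[str, str]]:
    """The calls the policy would refuse; an empty list means the deploy is covered."""
    return [(a, r) for a, r in calls if not is_allowed(policy, a, r)]


if __name__ == "__main__":
    calls = deploy_calls("LearnTfsBff", "LearnTfsBff", "LearnTfsBff-30", "LearnTfsBff-30.zip")
    fixed = with_statement(QUESTION_POLICY, EB_BUCKET_STATEMENT)
    print("question policy, missing:", missing_permissions(QUESTION_POLICY, calls))
    print("with answer's S3 statement, missing:", missing_permissions(fixed, calls))
```

Run as is, the question's policy refuses the two S3 calls against the elasticbeanstalk-[region]-[accountid] bucket (its only s3:* grant is scoped to learn-tfs-*), and adding "elasticbeanstalk:*" changes nothing because the denied action is in the S3 namespace, which matches what the question observed; with the answer's statement appended the deploy is fully covered. For the authoritative answer rather than a local model, the IAM policy simulator (`aws iam simulate-principal-policy`) evaluates the real effective policy, and the CloudTrail event for the failed call carries an `errorCode` of `AccessDenied` naming the action that was refused.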