ElasticBeanstalk permissions needed to deploy new version via AWS CLI


From this guide, it looks like you might need S3 access for the Elastic Beanstalk bucket as well, i.e.:

{
    "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:ListBucket",
        "s3:DeleteObject",
        "s3:GetBucketPolicy",
        "s3:CreateBucket"
    ],
    "Effect": "Allow",
    "Resource": [
        "arn:aws:s3:::elasticbeanstalk-[region]-[accountid]",
        "arn:aws:s3:::elasticbeanstalk-[region]-[accountid]/*"
    ]
}
Author by

Usama

Updated on September 18, 2022

Comments

  • Usama
    Usama over 1 year

    I have an IAM policy set up that I thought provided the right permissions to deploy a new version to an Elastic Beanstalk application. I'm still getting InsufficientPrivilegesException, specifically:

    aws elasticbeanstalk update-environment --environment-name LearnTfsBff --version-label LearnTfsBff-30
    

    An error occurred (InsufficientPrivilegesException) when calling the UpdateEnvironment operation: Access Denied

    This is the policy set for the deployment user:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "autoscaling:*",
                    "cloudformation:GetTemplate",
                    "cloudformation:DescribeStackResource",
                    "cloudformation:DescribeStackResources",
                    "cloudfront:CreateInvalidation",
                    "ec2:describeVpcs",
                    "ec2:DescribeImages",
                    "elasticbeanstalk:CreateApplicationVersion",
                    "elasticbeanstalk:DescribeApplications",
                    "elasticbeanstalk:DescribeApplicationVersions",
                    "elasticbeanstalk:DescribeEnvironments",
                    "elasticbeanstalk:UpdateEnvironment",
                    "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                    "elasticloadbalancing:DescribeInstanceHealth",
                    "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                    "s3:ListAllMyBuckets"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Resource": "arn:aws:s3:::learn-tfs-builds"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:*"
                ],
                "Resource": "arn:aws:s3:::learn-tfs-*"
            }
        ]
    }
    

    I tried adding "elasticbeanstalk:*" as an allowed action and that did not resolve the privileges issue. I added "*" as allowed and that does resolve it, but is not an allowable solution.

    How can I debug what specific permissions are needed within AWS?

    Thanks,

    Sam
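
As an added example (not part of the original posts, and not AWS's own policy evaluator): a simplified local check of the question's policy against the S3 statement from the answer. It models only Allow statements with `*` and `?` wildcards; the region `us-east-1`, the account id `111122223333` and the object key `app-version.zip` are constructed sample values.

```python
import re

# Allow statements of the deployment user's policy, copied from the question.
POSTED = [
    {"Action": ["autoscaling:*", "cloudformation:GetTemplate",
                "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources",
                "cloudfront:CreateInvalidation", "ec2:describeVpcs", "ec2:DescribeImages",
                "elasticbeanstalk:CreateApplicationVersion", "elasticbeanstalk:DescribeApplications",
                "elasticbeanstalk:DescribeApplicationVersions",
                "elasticbeanstalk:DescribeEnvironments", "elasticbeanstalk:UpdateEnvironment",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "s3:ListAllMyBuckets"],
     "Resource": ["*"]},
    {"Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": ["arn:aws:s3:::learn-tfs-builds"]},
    {"Action": ["s3:*"], "Resource": ["arn:aws:s3:::learn-tfs-*"]},
]
# S3 actions the answer lists for the Elastic Beanstalk bucket.
EB_S3_ACTIONS = ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectAcl",
                 "s3:ListBucket", "s3:DeleteObject", "s3:GetBucketPolicy", "s3:CreateBucket"]

def matches(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def is_allowed(statements, action, resource):
    """True if an Allow statement covers action on resource (Deny/Condition not modelled)."""
    return any(any(matches(a, action, True) for a in s["Action"])
               and any(matches(r, resource) for r in s["Resource"])
               for s in statements)

def answer_statement(region, account_id):
    """The answer's statement with its [region] and [accountid] placeholders filled in."""
    bucket = f"arn:aws:s3:::elasticbeanstalk-{region}-{account_id}"
    return {"Action": EB_S3_ACTIONS, "Resource": [bucket, bucket + "/*"]}

def eb_bucket_gaps(statements, region, account_id):
    """(action, resource) pairs from the answer's statement that the policy does not allow."""
    bucket = answer_statement(region, account_id)["Resource"][0]
    # Object actions are checked on a constructed key, bucket actions on the bucket ARN.
    targets = [(a, f"{bucket}/app-version.zip" if "Object" in a else bucket)
               for a in EB_S3_ACTIONS]
    return [(a, t) for a, t in targets if not is_allowed(statements, a, t)]

if __name__ == "__main__":
    region, account = "us-east-1", "111122223333"  # constructed sample values
    for action, target in eb_bucket_gaps(POSTED, region, account):
        print("not allowed:", action, "on", target)
```

With the question's policy, all eight actions are reported as not allowed, because its S3 statements only cover the `learn-tfs-*` buckets; appending the answer's statement closes every gap.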