Elastic Beanstalk IAM developer permissions

Gus*_*taf 9 amazon-iam amazon-elastic-beanstalk

I've been trying to figure out which permissions I need to set up so that developers can run eb deploy, eb logs and eb ssh in a specific EB environment. I want to set it up so that all developers can deploy to and debug our development environment, but only one can deploy to and debug master.

I also want it locked down so that they can't affect any other EC2 instances, RDS instances, S3 buckets, load balancers, etc.

Has anyone managed to work out an IAM policy (or two...) for this?

Edw*_*uel 12

Elastic Beanstalk is built on top of many AWS services. You need to grant all the specific permissions for the AWS resources that Elastic Beanstalk uses to read and update the environment, including:

  • CloudFormation
  • EC2
  • Auto Scaling Group
  • Elastic Load Balancer
  • CloudWatch
  • S3
  • SNS
  • RDS
  • SQS
  • Elastic Beanstalk

Here is the full set of required policies that allow an IAM user to access, update, deploy to and ssh into Elastic Beanstalk:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ElasticBeanstalkReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:List*",
        "cloudwatch:Get*",
        "s3:Get*",
        "s3:List*",
        "sns:Get*",
        "sns:List*",
        "cloudformation:Describe*",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudformation:Validate*",
        "cloudformation:Estimate*",
        "rds:Describe*",
        "sqs:Get*",
        "sqs:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ElasticBeanstalkDeployAccess",
      "Effect": "Allow",
      "Action": [
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "autoscaling:UpdateAutoScalingGroup",
        "cloudformation:UpdateStack",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticbeanstalk:CreateStorageLocation",
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:CreateConfigurationTemplate",
        "elasticbeanstalk:UpdateApplicationVersion",
        "elasticbeanstalk:UpdateConfigurationTemplate",
        "elasticbeanstalk:UpdateEnvironment",
        "elasticbeanstalk:ValidateConfigurationSettings",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

The above policy allows an IAM user read-only and deploy access to any Elastic Beanstalk environment and its related services.

If you want to restrict the user's access to specific AWS resources, you need to specify the ARNs and conditions yourself. For example:

  • Restrict the S3 resource to something like arn:aws:s3:::elasticbeanstalk-us-east-1-123456789012/* (Elastic Beanstalk's S3 bucket).
  • For EC2, use a resource tag as a condition (e.g. elasticbeanstalk:environment-name).
  • You can also specify the AWS region in the ARN.
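As an added example (not part of the answer above, nor Elastic Beanstalk's own documentation), the Python script below builds a deploy statement scoped along the lines of those three bullets and audits a policy for Allow statements that still grant a write action on Resource "*". The account id, region and environment name are placeholders; the ec2:ResourceTag condition key and the Elastic Beanstalk environment ARN format are assumptions taken from AWS documentation rather than from this page.

```python
# Added example: scope the deploy permissions to one Elastic Beanstalk environment
# and flag write statements still granted on every resource. Account id, region and
# environment name are placeholders; the ec2:ResourceTag condition key and the
# environment ARN format are assumptions from AWS documentation, not from the page.
import json

# Action verbs that only read state (matches the ReadOnly statement in the answer).
READ_PREFIXES = ("Describe", "List", "Get", "Check", "Validate", "Estimate",
                 "RequestEnvironmentInfo", "RetrieveEnvironmentInfo")


def is_read_action(action):
    """True for read-only actions such as ec2:Describe* or s3:Get*."""
    verb = action.split(":", 1)[1].rstrip("*")
    return verb.startswith(READ_PREFIXES)


def unscoped_write_sids(policy):
    """Return Sids of Allow statements granting a write action on Resource "*" with no Condition."""
    flagged = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if (stmt["Effect"] == "Allow" and "*" in resources and "Condition" not in stmt
                and any(not is_read_action(a) for a in actions)):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def scoped_deploy_policy(env_name, region, account):
    """Deploy permissions limited to one environment's bucket, security groups and environment ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "S3DeployArtifacts", "Effect": "Allow",
             "Action": ["s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl"],
             # the bucket Elastic Beanstalk creates per region and account
             "Resource": f"arn:aws:s3:::elasticbeanstalk-{region}-{account}/*"},
            {"Sid": "Ec2ScopedByEnvironmentTag", "Effect": "Allow",
             "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress"],
             "Resource": "*",
             # only security groups carrying this environment's tag (assumed condition key)
             "Condition": {"StringEquals": {
                 "ec2:ResourceTag/elasticbeanstalk:environment-name": env_name}}},
            {"Sid": "EbScopedEnvironment", "Effect": "Allow",
             "Action": ["elasticbeanstalk:UpdateEnvironment",
                        "elasticbeanstalk:RequestEnvironmentInfo",
                        "elasticbeanstalk:RetrieveEnvironmentInfo"],
             # assumed ARN format: environment/<application-name>/<environment-name>
             "Resource": f"arn:aws:elasticbeanstalk:{region}:{account}:environment/*/{env_name}"},
        ],
    }


if __name__ == "__main__":
    print(json.dumps(scoped_deploy_policy("myapp-dev", "us-east-1", "123456789012"), indent=2))
```

Running unscoped_write_sids over the answer's policy flags only the ElasticBeanstalkDeployAccess statement, which is the one worth narrowing before handing it to a wider group of developers.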