Dav*_*vid 5 amazon-web-services amazon-iam aws-cli amazon-elastic-beanstalk
我正在尝试通过 AWS CLI 向具有 REST API 令牌的 IAM 用户授予在特定弹性 beantalk 应用程序上描述环境运行状况的权限。
当我使用 CLI 命令运行时:
aws elasticbeanstalk describe-environment-health --environment-name my-env-name --attribute-names "Status" "Color" "Causes" "InstancesHealth" "HealthStatus" "RefreshedAt" --profile my-profile
我收到错误:调用 DescribeEnvironmentHealth 操作时发生客户端错误 (AccessDenied):用户:arn:aws:iam::myaccountid:user/myuser 未被授权执行:elasticbeanstalk:DescribeEnvironmentHealth
使用--debug标志,我可以看到HTTP 403响应。
IAM 策略"elasticbeanstalk:DescribeEnvironmentHealth"对资源执行以下操作:
"arn:aws:elasticbeanstalk:eu-west-1:myaccountid:environment/my-app-name/my-env-name*"
DescribeEnvironments当我添加此操作时。aws-cli/1.10.6 Python/2.7.11 Darwin/15.3.0 botocore/1.3.28elasticbeanstalk:*,但它仍然不起作用。 {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1455880772092",
"Action": [
"ec2:*",
"s3:*",
"elasticloadbalancing:*",
"autoscaling:*",
"cloudwatch:*",
"s3:*",
"sns:*",
"rds:*",
"cloudformation:*",
"elasticbeanstalk:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:application/app-name",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1::solutionstack/*",
"arn:aws:s3:::elasticbeanstalk-eu-west-1-{accountId}*"
]
},
{
"Sid": "Stmt1455891876139",
"Action": [
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:ListBucket",
"s3:CreateBucket",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:Get*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elasticbeanstalk-eu-west-1-{bucketId}*"
}
]
}
由于某种原因,elasticbeanstalk:DescribeEnvironmentHealth仅对我有用"Resource": "*"。
所以我将写/读权限分开,"Resource": "*"只允许读。这是我的完整政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticbeanstalk:CreateApplicationVersion",
"elasticbeanstalk:UpdateEnvironment"
],
"Resource": [
"arn:aws:elasticbeanstalk:eu-central-1:[account-id]:application/[application-name]",
"arn:aws:elasticbeanstalk:*:*:environment/*/*",
"arn:aws:elasticbeanstalk:*:*:applicationversion/*/*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticbeanstalk:DescribeEnvironmentManagedActionHistory",
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:DescribeApplicationVersions",
"elasticbeanstalk:ListPlatformVersions",
"elasticbeanstalk:DescribeEnvironmentManagedActions",
"elasticbeanstalk:ValidateConfigurationSettings",
"elasticbeanstalk:CheckDNSAvailability",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:DescribeInstancesHealth",
"elasticbeanstalk:DescribeEnvironmentHealth",
"elasticbeanstalk:DescribeConfigurationSettings",
"elasticbeanstalk:DescribeConfigurationOptions",
"elasticbeanstalk:RetrieveEnvironmentInfo"
],
"Resource": "*"
}
]
}
| 归档时间: |
|
| 查看次数: |
831 次 |
| 最近记录: |