Forked from RobertoSchneiders/elasticbeanstalk_deploy_iam_policy.md
Created
December 26, 2015 09:12
Revisions
RobertoSchneiders revised this gist
Sep 28, 2015. 1 changed file with 2 additions and 0 deletions.
@@ -1,5 +1,7 @@ I am deploying with this IAM using Codeship and Circle CI to Elastic Beanstalk. I had a lot of trouble with this config. I talked to the aws support for about 6 hours until this worked properly, so, I guess it is worth to share. UPDATE: In the end, I have to use the `AWSElasticBeanstalkFullAccess` policy. My custom policy keep breaking every week with some new added permission or some EB internal change. Anyway, the IAM I was using is below. This works for me with CircleCI and EB Cli. ```json { -
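Review bot: the UPDATE added at the top of this hunk contradicts the rest of the file without saying so. It states that the custom policy kept breaking and that `AWSElasticBeanstalkFullAccess` is what finally worked, yet the policy that follows is still introduced with "This works for me with CircleCI and EB Cli". Say plainly which one a reader is meant to use and what the trade-off is: the managed policy is a FullAccess policy, so a CI credential carrying it can do far more than create application versions and update environments, which is all the action list below grants. If the intent is to keep the least-privilege version alive, the workable routine is to keep the custom policy and, each time a deploy fails, look up the `AccessDenied` event for the CI user in CloudTrail and add only that action, instead of switching to FullAccess.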
RobertoSchneiders revised this gist
Aug 31, 2015. 1 changed file with 2 additions and 1 deletion.
@@ -60,7 +60,8 @@ This works for me with CircleCI and EB Cli. "ec2:DescribeVpcs", "ec2:DescribeAddresses", "ec2:DescribeInstances", "ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress" ], "Effect": "Allow", "Resource": "*" -
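Review bot: `ec2:AuthorizeSecurityGroupIngress` is added under `"Resource": "*"`, which lets the CI credential open inbound rules on every security group in the account, not only the ones Elastic Beanstalk manages. This action supports resource-level permissions, so move it (together with `ec2:RevokeSecurityGroupIngress`) into its own statement scoped to `arn:aws:ec2:*:your-account-id:security-group/*`, the same way the sns and cloudformation statements in this file are already pinned to the account ID. The `ec2:Describe*` entries can stay on `*`, since the Describe calls do not accept resource ARNs.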
RobertoSchneiders revised this gist
Aug 31, 2015. 1 changed file with 2 additions and 1 deletion.
@@ -59,7 +59,8 @@ This works for me with CircleCI and EB Cli. "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs", "ec2:DescribeAddresses", "ec2:DescribeInstances", "ec2:RevokeSecurityGroupIngress" ], "Effect": "Allow", "Resource": "*" -
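Review bot: `ec2:RevokeSecurityGroupIngress` on `"Resource": "*"` lets the deploy credential delete inbound rules from any security group in the account, so a leaked CI token could cut traffic to workloads that have nothing to do with this application. If the EB CLI genuinely needs it, scope it to a security-group ARN under `your-account-id` rather than `*`. The diff also gives no hint which operation required it; a one-line note in the prose (which eb command failed without it) would help the next person who has to justify this permission.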
RobertoSchneiders revised this gist
Aug 27, 2015. 1 changed file with 2 additions and 1 deletion.
@@ -33,7 +33,8 @@ This works for me with CircleCI and EB Cli. "autoscaling:DescribeScalingActivities", "autoscaling:ResumeProcesses", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations", "autoscaling:PutNotificationConfiguration" ], "Effect": "Allow", "Resource": "*" -
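Review bot: `autoscaling:PutNotificationConfiguration` on `"Resource": "*"` combines with the `sns:CreateTopic` and `sns:Subscribe` statement already in the file to let the deploy credential point notifications from any Auto Scaling group in the account at a topic it controls. Auto Scaling supports resource-level permissions on this action, so scope it to `arn:aws:autoscaling:*:your-account-id:autoScalingGroup:*:autoScalingGroupName/*` (or a tag condition) instead of `*`; the `SuspendProcesses` and `ResumeProcesses` entries in the same statement accept the same ARN form and should get the same treatment, while the Describe entries can stay on `*`.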
RobertoSchneiders created this gist
Aug 5, 2015.
@@ -0,0 +1,107 @@ I am deploying with this IAM using Codeship and Circle CI to Elastic Beanstalk. I had a lot of trouble with this config. I talked to the aws support for about 6 hours until this worked properly, so, I guess it is worth to share. This works for me with CircleCI and EB Cli. ```json { "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:CreateApplicationVersion", "elasticbeanstalk:DescribeEnvironments", "elasticbeanstalk:DeleteApplicationVersion", "elasticbeanstalk:UpdateEnvironment", "elasticbeanstalk:CreateStorageLocation", "elasticbeanstalk:DescribeEvents" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "sns:CreateTopic", "sns:GetTopicAttributes", "sns:ListSubscriptionsByTopic", "sns:Subscribe" ], "Effect": "Allow", "Resource": "arn:aws:sns:*:your-account-id:*" }, { "Action": [ "autoscaling:SuspendProcesses", "autoscaling:DescribeScalingActivities", "autoscaling:ResumeProcesses", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "cloudformation:GetTemplate", "cloudformation:DescribeStackResources", "cloudformation:DescribeStackResource", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks", "cloudformation:UpdateStack", "cloudformation:CancelUpdateStack" ], "Effect": "Allow", "Resource": "arn:aws:cloudformation:*:your-account-id:*" }, { "Action": [ "ec2:DescribeImages", "ec2:DescribeKeyPairs", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs", "ec2:DescribeAddresses", "ec2:DescribeInstances" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectAcl", "s3:ListBucket", "s3:DeleteObject", "s3:GetBucketPolicy", "s3:CreateBucket" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::elasticbeanstalk*", "arn:aws:s3:::elasticbeanstalk-*-your-account-id", "arn:aws:s3:::elasticbeanstalk-*-your-account-id/*" ] } ] } ``` You have to replace `your-account-id` with your 
aws account id. For codeship you have to add permissions to a bucket, because they first upload the build to s3 and then deploy it. Something like that: ```json { "Action": [ "s3:GetObject", "s3:PutObject", "s3:ListBucket" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::deploy-bucket", "arn:aws:s3:::deploy-bucket/*", "arn:aws:s3:::deploy-bucket-2", "arn:aws:s3:::deploy-bucket-2/*" ] }, ``` Note: I added this IAM to the group of the users that can deploy.
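Review bot: in the s3 statement, the first pattern `arn:aws:s3:::elasticbeanstalk*` swallows the two account-scoped ones that follow it. Bucket names are global, so `elasticbeanstalk*` also matches an `elasticbeanstalk-<region>-<other-account-id>` bucket, and with `s3:PutObjectAcl`, `s3:DeleteObject` and `s3:CreateBucket` in the action list that is exactly the reach a CI credential should not have. Drop the unscoped pattern and keep only `arn:aws:s3:::elasticbeanstalk-*-your-account-id` and `arn:aws:s3:::elasticbeanstalk-*-your-account-id/*`; if `elasticbeanstalk:CreateStorageLocation` has to create the bucket, the account-scoped name still matches. The same asymmetry runs through the whole policy: sns, cloudformation and s3 are pinned to `your-account-id`, while the elasticbeanstalk, autoscaling and ec2 statements use `"Resource": "*"`. The prose should also say that `your-account-id` is the 12-digit AWS account number, and either state that `cloudformation:UpdateStack` and `cloudformation:CancelUpdateStack` are deliberately granted on every stack in the account or narrow them to the stacks Elastic Beanstalk creates for these environments.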