Elastic Beanstalk IAM developer permissions


Question

I have been trying to figure out what permissions I need to set to let a developer do eb deploy, eb logs and eb ssh on a particular EB environment. I want to set it so that all the developers can deploy and debug on our develop environment, but that only one can deploy and debug master.

I also want it locked down so that they can't affect any other EC2 instances, RDS instances, S3 buckets, load balancers and so on.

Has anybody managed to put together an IAM policy (or two...) for this?

Answer

Elastic Beanstalk composes many AWS services. You need to grant specific permissions for all the AWS resources that Elastic Beanstalk uses to read and update the environment, including:

  • CloudFormation
  • EC2
  • Auto Scaling groups
  • Elastic Load Balancing
  • CloudWatch
  • S3
  • SNS
  • RDS
  • SQS
  • Elastic Beanstalk

This is the full policy required to allow an IAM user to access, update, deploy and ssh to Elastic Beanstalk:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ElasticBeanstalkReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:List*",
        "cloudwatch:Get*",
        "s3:Get*",
        "s3:List*",
        "sns:Get*",
        "sns:List*",
        "cloudformation:Describe*",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudformation:Validate*",
        "cloudformation:Estimate*",
        "rds:Describe*",
        "sqs:Get*",
        "sqs:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ElasticBeanstalkDeployAccess",
      "Effect": "Allow",
      "Action": [
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "autoscaling:UpdateAutoScalingGroup",
        "cloudformation:UpdateStack",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticbeanstalk:CreateStorageLocation",
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:CreateConfigurationTemplate",
        "elasticbeanstalk:UpdateApplicationVersion",
        "elasticbeanstalk:UpdateConfigurationTemplate",
        "elasticbeanstalk:UpdateEnvironment",
        "elasticbeanstalk:ValidateConfigurationSettings",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

The above policy allows IAM users read-only and deploy-only access to any Elastic Beanstalk environment and related services.

If you want to restrict the users' access to particular AWS resources, you need to specify the ARNs and conditions yourself. For example:

  • Restrict S3 resources to something like arn:aws:s3:::elasticbeanstalk-us-east-1-123456789012/* (Elastic Beanstalk's S3 bucket).
  • EC2 with a resource tag as the condition (like elasticbeanstalk:environment-name).
  • You can also specify the AWS region in the ARN.
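An added example (not part of the answer above) of applying those three scoping techniques: a small Python generator that keeps the read-only statement broad but pins the write actions to one environment's ARNs, the account's Elastic Beanstalk bucket and a security-group tag condition, plus a lint that flags the unscoped write statements the answer's policy still has. The region, account id, application and environment names are constructed sample values, and the policy is a scoping illustration rather than a complete permission set for the eb CLI.

```python
# Added example (not from the original post): scoping write actions to one environment.
READ_VERBS = ("Describe", "List", "Get", "Check", "Request", "Retrieve", "Validate", "Estimate")

def is_read_action(action):
    """True for read-only actions such as ec2:Describe* or s3:Get*; a bare "*" is not read-only."""
    parts = action.split(":", 1)
    return len(parts) == 2 and parts[1].startswith(READ_VERBS)

def build_developer_policy(region, account, app, env):
    """Broad read-only access plus deploy/ssh writes scoped to one EB environment (illustration only)."""
    eb = f"arn:aws:elasticbeanstalk:{region}:{account}"
    bucket = f"arn:aws:s3:::elasticbeanstalk-{region}-{account}"  # EB's per-region, per-account bucket
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadOnly", "Effect": "Allow", "Resource": "*",
             "Action": ["elasticbeanstalk:Describe*", "elasticbeanstalk:List*",
                        "elasticbeanstalk:RequestEnvironmentInfo", "ec2:Describe*",
                        "elasticbeanstalk:RetrieveEnvironmentInfo", "s3:List*"]},
            {"Sid": "DeployOneEnvironment", "Effect": "Allow",
             "Action": ["elasticbeanstalk:UpdateEnvironment"],
             "Resource": f"{eb}:environment/{app}/{env}"},
            {"Sid": "CreateVersionsOfOneApp", "Effect": "Allow",
             "Action": ["elasticbeanstalk:CreateApplicationVersion"],
             "Resource": f"{eb}:applicationversion/{app}/*"},
            {"Sid": "UploadBundle", "Effect": "Allow",
             "Action": ["s3:PutObject", "s3:DeleteObject"],
             "Resource": f"{bucket}/*"},
            # eb ssh opens/closes port 22 on the environment's security group; the tag
            # condition keeps developers off the security groups of other environments.
            {"Sid": "SshSecurityGroup", "Effect": "Allow",
             "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress"],
             "Resource": f"arn:aws:ec2:{region}:{account}:security-group/*",
             "Condition": {"StringEquals":
                           {"ec2:ResourceTag/elasticbeanstalk:environment-name": env}}},
        ],
    }

def unscoped_write_sids(policy):
    """Least-privilege lint: Sids of Allow statements granting any write action on
    Resource "*" without a Condition (the shape of the deploy statement in the answer above)."""
    bad = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if (st["Effect"] == "Allow" and "*" in resources and "Condition" not in st
                and any(not is_read_action(a) for a in actions)):
            bad.append(st.get("Sid", "<no Sid>"))
    return bad
```

Running unscoped_write_sids over the answer's policy reports ElasticBeanstalkDeployAccess, while the generated policy reports nothing; the per-environment variant for master is the same call with env set to that environment's name.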
