Elastic Beanstalk deployment stuck on updating config settings


Question

I've been testing my continuous deployment setup, trying to get to a minimal set of IAM permissions that will allow my CI IAM group to deploy to my "staging" Elastic Beanstalk environment.

On my latest test, my deployment got stuck. The last event in the console is:

Updating environment staging's configuration settings.

Luckily, the deployment will time out after 30 minutes, so the environment can be deployed to again.

It seems to be a permissions issue, because if I grant s3:* on all resources, the deployment works. It seems that when calling UpdateEnvironment, Elastic Beanstalk does something to S3, but I can't figure out what.

I have tried the following policy to give EB full access to its resource bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT/resources/_runtime/_embedded_extensions/APP",
                "arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT/resources/_runtime/_embedded_extensions/APP/*",
                "arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT/resources/environments/ENV_ID",
                "arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT/resources/environments/ENV_ID/*"
            ]
        }
    ]
}

Where REGION, ACCOUNT, APP, and ENV_ID are my AWS region, account number, application name, and environment ID, respectively.

Does anyone have a clue which S3 action and resource EB is trying to access?

Answer

Shared this on your blog already (https://nudaygames.squarespace.com/blog/2014/5/26/deploying-to-elastic-beanstalk-from-your-continuous-integration-system), but this might have a broader audience so here it goes:

Following up on this, the ElastiBeanstalk team has provided me with the following answer regarding the S3 permissions:

"[...]Seeing the requirement below, would a slightly locked down version work? I've attached a policy to this case which will grant s3:GetObject on buckets starting with elasticbeanstalk. This is essentially to allow access to all elasticbeanstalk buckets, including the ones that we own. The only thing you'll need to do with our bucket is a GetObject, so this should be enough to do everything you need."

So it seems like ElasticBeanstalk is accessing buckets out of anyone's realm in order to work properly (which is kind of bad, but that's just the way it is).

Coming from this, the following policy will be sufficient for getting things to work with S3:

{
  "Action": "s3:*",
  "Resource": [
    "arn:aws:s3:::elasticbeanstalk-<region>-<account_id>",
    "arn:aws:s3:::elasticbeanstalk-<region>-<account_id>/",
    "arn:aws:s3:::elasticbeanstalk-<region>-<account_id>/*"
  ],
  "Effect": "Allow"
},
{
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::elasticbeanstalk*",
  "Effect": "Allow"
}

Obviously, you need to wrap this into a proper policy statement that IAM understands. All your previous assumptions about IAM policies have proven right though so I'm guessing this shouldn't be an issue.
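To see concretely why the questioner's first policy stalls the deployment while the answer's two statements succeed, here is an added example (not code from the question, the answer, or AWS) that wraps both variants into complete policy documents and runs a small IAM-style evaluator over a few probe requests. It approximates IAM matching with `*` and `?` wildcards only and models no conditions, `NotAction`/`NotResource` or principals; the region, account id, application name, environment id and the AWS-owned bucket name are constructed placeholders for the values redacted on the page. The wrapped answer policy is exactly what the answer says you still need to do yourself.

```python
"""Added example: evaluate the two S3 policy variants from the thread against
probe requests. Wildcard matching is approximate (* and ? only); no conditions,
NotAction/NotResource or principal logic. All account values are constructed."""
import re

# Constructed placeholders for the REGION/ACCOUNT/APP/ENV_ID redacted in the question.
REGION = "us-east-1"
ACCOUNT = "123456789012"
APP = "myapp"
ENV_ID = "e-abcd1234"

OWN_BUCKET = f"arn:aws:s3:::elasticbeanstalk-{REGION}-{ACCOUNT}"
# Constructed name standing in for a bucket AWS owns rather than the account;
# the answer says Elastic Beanstalk needs s3:GetObject on such buckets.
AWS_OWNED_OBJECT = "arn:aws:s3:::elasticbeanstalk-example-aws-owned/platform/bundle.zip"


def question_policy() -> dict:
    """The questioner's attempt: only object paths under the account's own bucket."""
    prefix = f"{OWN_BUCKET}/resources"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": [
                f"{prefix}/_runtime/_embedded_extensions/{APP}",
                f"{prefix}/_runtime/_embedded_extensions/{APP}/*",
                f"{prefix}/environments/{ENV_ID}",
                f"{prefix}/environments/{ENV_ID}/*",
            ],
        }],
    }


def answer_policy() -> dict:
    """The answer's two statements wrapped into a complete policy document."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [OWN_BUCKET, f"{OWN_BUCKET}/", f"{OWN_BUCKET}/*"],
            },
            {
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::elasticbeanstalk*",
            },
        ],
    }


def _iam_match(pattern: str, value: str, case_sensitive: bool = True) -> bool:
    """Glob-style match: * spans any run of characters, ? exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Explicit Deny wins; otherwise any matching Allow permits, else denied.
    Actions compare case-insensitively and S3 ARNs case-sensitively, as in IAM."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_iam_match(a, action, False) for a in _as_list(stmt["Action"]))
        resource_hit = any(_iam_match(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Probe requests: an object in the environment's own prefix, a bucket-level
# action on the account bucket, and a read and a write against an AWS-owned bucket.
REQUESTS = [
    ("s3:GetObject", f"{OWN_BUCKET}/resources/environments/{ENV_ID}/app.zip"),
    ("s3:ListBucket", OWN_BUCKET),
    ("s3:GetObject", AWS_OWNED_OBJECT),
    ("s3:PutObject", AWS_OWNED_OBJECT),
]


def compare() -> dict:
    """Map each (action, resource) to (allowed by question policy, allowed by answer policy)."""
    return {req: (is_allowed(question_policy(), *req), is_allowed(answer_policy(), *req))
            for req in REQUESTS}


if __name__ == "__main__":
    for (action, resource), (q, a) in compare().items():
        print(f"{action:14} {resource}\n    question policy: {q}   answer policy: {a}")
```

The run shows the gap the AWS team described: the questioner's policy never matches the bucket ARN itself nor any bucket outside the account, so a bucket-level call or a read from an AWS-owned `elasticbeanstalk*` bucket is denied, while the answer's second statement grants exactly that read and nothing more (the write to the AWS-owned bucket stays denied under both).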
