AWS IAM Policy elasticbeanstalk:DescribeEnvironmentHealth

5
votes

What I Want To Achieve

I am trying to grant an IAM user with a REST API token permission to described environment health on a specific elastic beanstalk application via the AWS CLI.

The Problem

When I run with the CLI command:

aws elasticbeanstalk describe-environment-health --environment-name my-env-name --attribute-names "Status" "Color" "Causes" "InstancesHealth" "HealthStatus" "RefreshedAt" --profile my-profile

I get the error: A client error (AccessDenied) occurred when calling the DescribeEnvironmentHealth operation: User: arn:aws:iam::myaccountid:user/myuser is not authorized to perform: elasticbeanstalk:DescribeEnvironmentHealth

with the --debug flag I can see a HTTP 403 response.

Extra Details

The IAM policy has the action "elasticbeanstalk:DescribeEnvironmentHealth" on the resource: "arn:aws:elasticbeanstalk:eu-west-1:myaccountid:environment/my-app-name/my-env-name*"

  • I have double checked the account id, app and env name.
  • I can perform other actions just fine such as DescribeEnvironments when I add this action instead.
  • I have verified on the particular resource ARN with this policy using the IAM simulator when selecting the user and it says access is granted.
  • The version of the CLI is aws-cli/1.10.6 Python/2.7.11 Darwin/15.3.0 botocore/1.3.28
  • As a test I temporarily relaxed the policy to have the action elasticbeanstalk:* and it still doesn't work.

Questions

  1. How can I further debug this issue?
  2. Why does the IAM policy simulator say the policy does grant access but access is denied viu the CLI?

Full Policy

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1455880772092",
            "Action": [
                "ec2:*",
                "s3:*",
                "elasticloadbalancing:*",
                "autoscaling:*",
                "cloudwatch:*",
                "s3:*",
                "sns:*",
                "rds:*",
                "cloudformation:*",
                "elasticbeanstalk:*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:application/app-name",
                "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
                "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
                "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
                "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
                "arn:aws:elasticbeanstalk:eu-west-1::solutionstack/*",
                "arn:aws:s3:::elasticbeanstalk-eu-west-1-{accountId}*"
            ]
        },
        {
            "Sid": "Stmt1455891876139",
            "Action": [
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:ListBucket",
                "s3:CreateBucket",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:Get*"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::elasticbeanstalk-eu-west-1-{bucketId}*"
        }
    ]
}
1
amazon-web-servicesamazon-elastic-beanstalkamazon-iamaws-cli
Please include the policymickzer
@mickzer policy added to details. It is currently way more permissive than I want it to be - but even like this the user can't describe environment health... but then can create new versions, describe the environment, even start a deploy of a new version... just not describe health.David
Were you able to figure this out? I'm facing this issue right now. Other permissions, including UpdateEnvironment and TerminateEnvironment, work fine.Manish Honnatti

1 Answers

0
votes

For some reason elasticbeanstalk:DescribeEnvironmentHealth worked for me only with "Resource": "*".

So I've separated write/read permissions, allowing "Resource": "*" only for read. Here is my full policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:UpdateEnvironment"
            ],
            "Resource": [
                "arn:aws:elasticbeanstalk:eu-central-1:[account-id]:application/[application-name]",
                "arn:aws:elasticbeanstalk:*:*:environment/*/*",
                "arn:aws:elasticbeanstalk:*:*:applicationversion/*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:DescribeEnvironmentManagedActionHistory",
                "elasticbeanstalk:DescribeEnvironmentResources",
                "elasticbeanstalk:DescribeEnvironments",
                "elasticbeanstalk:DescribeApplicationVersions",
                "elasticbeanstalk:ListPlatformVersions",
                "elasticbeanstalk:DescribeEnvironmentManagedActions",
                "elasticbeanstalk:ValidateConfigurationSettings",
                "elasticbeanstalk:CheckDNSAvailability",
                "elasticbeanstalk:RequestEnvironmentInfo",
                "elasticbeanstalk:DescribeInstancesHealth",
                "elasticbeanstalk:DescribeEnvironmentHealth",
                "elasticbeanstalk:DescribeConfigurationSettings",
                "elasticbeanstalk:DescribeConfigurationOptions",
                "elasticbeanstalk:RetrieveEnvironmentInfo"
            ],
            "Resource": "*"
        }
    ]
}