
I can't figure out how to let other people in my company deploy to a (test) server with AWS Elastic Beanstalk.

That documentation page only covers the AWS-managed policies, which grant access to Elastic Beanstalk as a whole (every application and environment in the account) rather than to a single application or environment: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.managed-policies.html

do you want to restrict it to specific beanstalk applications? - Shibashis
Yes, to a specific application and specific environment. Can't find how to. - Igor
Somebody seems to have shared it already on github. gist.github.com/magnetikonline/5034bdbb049181a96ac9 - Shibashis
Looks promising, thank you. Will try that. - Igor



The Rhys Godfrey blog post titled Using IAM to secure Elastic Beanstalk Applications on AWS has some good guidance.

We have an Elastic Beanstalk application, and a group of users. This group of users should be able to monitor and deploy to only that elastic beanstalk environment, as well as restarting or terminating application instance. They should not be able to change the application or environments configuration, or delete the environment. The user should not be able to affect other applications or AWS services, but it is acceptable for them to see details on other areas. We assume the user will be using the AWS console.

I have reposted the IAM policies here for reference. Before attaching them, replace the region (eu-west-1), the account ID placeholder (123xxxxxxxxx), ApplicationName and EnvironmentName with your own values. One caveat: elasticbeanstalk:UpdateEnvironment, which a deployment needs, is the same API call that changes an environment's configuration option settings, and UpdateApplication and SwapEnvironmentCNAMEs are granted as well, so the first policy is somewhat broader than the "deploy only, no configuration changes" goal quoted above; tighten it if that distinction matters to you.

The nice thing about his approach is that the EC2 statement scopes instance actions to one environment by matching the elasticbeanstalk:environment-name tag that Elastic Beanstalk applies to an environment's instances (the condition ec2:ResourceTag/elasticbeanstalk:environment-name equal to your environment name), which is what your use case requires. Note that the first policy's environment ARN ends in ApplicationName/*, i.e. it covers every environment of that application; to limit it to a single environment, use environment/ApplicationName/EnvironmentName instead.

{  
   "Version":"2012-10-17",
   "Statement":[  
      {  
         "Sid":"ElasticBeanstalkEnvironmentPermissions",
         "Effect":"Allow",
         "Action":[  
            "elasticbeanstalk:DescribeEnvironmentResources",
            "elasticbeanstalk:DescribeEnvironments",
            "elasticbeanstalk:DescribeEvents",
            "elasticbeanstalk:RestartAppServer",
            "elasticbeanstalk:RetrieveEnvironmentInfo",
            "elasticbeanstalk:SwapEnvironmentCNAMEs",
            "elasticbeanstalk:UpdateEnvironment",
            "elasticbeanstalk:RequestEnvironmentInfo"
         ],
         "Resource":[  
            "arn:aws:elasticbeanstalk:eu-west-1:123xxxxxxxxx:environment/ApplicationName/*"
         ]
      },
      {  
         "Sid":"ElasticBeanstalkGlobalPermissions",
         "Effect":"Allow",
         "Action":[  
            "elasticbeanstalk:DescribeConfigurationOptions",
            "elasticbeanstalk:DescribeConfigurationSettings",
            "elasticbeanstalk:ListAvailableSolutionStacks",
            "elasticbeanstalk:ValidateConfigurationSettings",
            "elasticbeanstalk:CheckDNSAvailability",
            "elasticbeanstalk:CreateStorageLocation"
         ],
         "Resource":[  
            "*"
         ]
      },
      {  
         "Sid":"ElasticBeanstalkApplicationVersionPermissions",
         "Effect":"Allow",
         "Action":[  
            "elasticbeanstalk:CreateApplicationVersion",
            "elasticbeanstalk:DescribeApplicationVersions",
            "elasticbeanstalk:UpdateApplicationVersion"
         ],
         "Resource":[  
            "arn:aws:elasticbeanstalk:eu-west-1:123xxxxxxxxx:applicationversion/ApplicationName/*"
         ]
      },
      {  
         "Sid":"ElasticBeanstalkApplicationPermissions",
         "Effect":"Allow",
         "Action":[  
            "elasticbeanstalk:DescribeApplications",
            "elasticbeanstalk:UpdateApplication"
         ],
         "Resource":[  
            "arn:aws:elasticbeanstalk:eu-west-1:123xxxxxxxxx:application/ApplicationName"
         ]
      },
      {  
         "Sid":"Autoscaling",
         "Effect":"Allow",
         "Action":[  
            "autoscaling:SuspendProcesses",
            "autoscaling:Describe*",
            "autoscaling:ResumeProcesses"
         ],
         "Resource":"*"
      },
      {  
         "Sid":"Cloudwatch",
         "Effect":"Allow",
         "Action":[  
            "cloudwatch:Describe*",
            "cloudwatch:GetMetricStatistics",
            "cloudwatch:ListMetrics"
         ],
         "Resource":"*"
      },
      {  
         "Sid":"Cloudformation",
         "Effect":"Allow",
         "Action":[  
            "cloudformation:GetTemplate",
            "cloudformation:Describe*"
         ],
         "Resource":"*"
      },
      {  
         "Sid":"IAM",
         "Effect":"Allow",
         "Action":[  
            "iam:ListServerCertificates",
            "iam:ListInstanceProfiles"
         ],
         "Resource":"*"
      },
      {  
         "Sid":"S3ElasticBeanstalkBucket",
         "Action":[  
            "s3:AbortMultipartUpload",
            "s3:GetBucketAcl",
            "s3:GetBucketCORS",
            "s3:GetBucketLocation",
            "s3:GetBucketLogging",
            "s3:GetBucketNotification",
            "s3:GetBucketPolicy",
            "s3:GetBucketRequestPayment",
            "s3:GetBucketTagging",
            "s3:GetBucketVersioning",
            "s3:GetBucketWebsite",
            "s3:GetLifecycleConfiguration",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:GetObjectTorrent",
            "s3:GetObjectVersion",
            "s3:GetObjectVersionAcl",
            "s3:GetObjectVersionTorrent",
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:ListBucket",
            "s3:GetObject",
            "s3:DeleteObject"
         ],
         "Effect":"Allow",
         "Resource":[  
            "arn:aws:s3:::elasticbeanstalk-eu-west-1-123xxxxxxxxx",
            "arn:aws:s3:::elasticbeanstalk-eu-west-1-123xxxxxxxxx/*"
         ]
      },
      {  
         "Sid":"S3Global",
         "Effect":"Allow",
         "Action":"s3:ListAllMyBuckets",
         "Resource":"arn:aws:s3:::*"
      },
      {  
         "Sid":"S3ElasticBeanstalkShared",
         "Effect":"Allow",
         "Action":"s3:*",
         "Resource":[  
            "arn:aws:s3:::elasticbeanstalk-env-resources-eu-west-1",
            "arn:aws:s3:::elasticbeanstalk-env-resources-eu-west-1/*"
         ]
      },
      {  
         "Sid":"EC2Global",
         "Effect":"Allow",
         "Action":[  
            "ec2:Describe*"
         ],
         "Resource":[  
            "*"
         ]
      }
   ]
}

The second IAM policy handles the EC2 instances of a single environment. It grants only reboot, stop and CloudWatch monitoring toggles (no ec2:TerminateInstances), and the tag condition is what prevents it from applying to instances belonging to other environments or applications:

{  
   "Version":"2012-10-17",
   "Statement":[  
      {  
         "Sid":"EC2EnvironmentInstances",
         "Effect":"Allow",
         "Action":[  
            "ec2:MonitorInstances",
            "ec2:UnmonitorInstances",
            "ec2:RebootInstances",
            "ec2:StopInstances"
         ],
         "Resource":[  
            "arn:aws:ec2:eu-west-1:123xxxxxxxxx:instance/*"
         ],
         "Condition":{  
            "StringEquals":{  
               "ec2:ResourceTag/elasticbeanstalk:environment-name":"EnvironmentName"
            }
         }
      }
   ]
}