I am deploying with this IAM using Codeship and Circle CI to Elastic Beanstalk. I had a lot of trouble with this config. I talked to the aws support for about 6 hours until this worked properly, so, I guess it is worth to share.
UPDATE: In the end, I have to use the AWSElasticBeanstalkFullAccess
policy. My custom policy keep breaking every week with some new added permission or some EB internal change. Anyway, the IAM I was using is below.
This works for me with CircleCI and EB Cli.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"elasticbeanstalk:CreateApplicationVersion",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:DeleteApplicationVersion",
"elasticbeanstalk:UpdateEnvironment",
"elasticbeanstalk:CreateStorageLocation",
"elasticbeanstalk:DescribeEvents"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"sns:CreateTopic",
"sns:GetTopicAttributes",
"sns:ListSubscriptionsByTopic",
"sns:Subscribe"
],
"Effect": "Allow",
"Resource": "arn:aws:sns:*:your-account-id:*"
},
{
"Action": [
"autoscaling:SuspendProcesses",
"autoscaling:DescribeScalingActivities",
"autoscaling:ResumeProcesses",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:PutNotificationConfiguration"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"cloudformation:GetTemplate",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStacks",
"cloudformation:UpdateStack",
"cloudformation:CancelUpdateStack"
],
"Effect": "Allow",
"Resource": "arn:aws:cloudformation:*:your-account-id:*"
},
{
"Action": [
"ec2:DescribeImages",
"ec2:DescribeKeyPairs",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVpcs",
"ec2:DescribeAddresses",
"ec2:DescribeInstances",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:ListBucket",
"s3:DeleteObject",
"s3:GetBucketPolicy",
"s3:CreateBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::elasticbeanstalk*",
"arn:aws:s3:::elasticbeanstalk-*-your-account-id",
"arn:aws:s3:::elasticbeanstalk-*-your-account-id/*"
]
}
]
}
You have to replace your-account-id
with your aws account id.
For codeship you have to add permissions to a bucket, because they first upload the build to s3 and then deploy it. Something like that:
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::deploy-bucket",
"arn:aws:s3:::deploy-bucket/*",
"arn:aws:s3:::deploy-bucket-2",
"arn:aws:s3:::deploy-bucket-2/*"
]
},
Note: I added this IAM to the group of the users that can deploy.
Thanks for sharing. I was beginning to pull my hair out.
Just had this randomly pop up on my last deployment:
Service:AmazonEC2, Message:You do not have permission to perform the 'ec2:DescribeSubnets' action.
So you'll want to add that do your policy as well.