AWS IAM Policy elasticbeanstalk:DescribeEnvironmentHealth

Time: 2016-02-23 13:27:23

Tags: amazon-web-services elastic-beanstalk amazon-iam aws-cli

What I'm trying to achieve

I'm trying to use the AWS CLI to grant an IAM user with REST API token permissions the ability to describe environment health on a specific Elastic Beanstalk application.

Problem

When I run the CLI command:

aws elasticbeanstalk describe-environment-health --environment-name my-env-name --attribute-names "Status" "Color" "Causes" "InstancesHealth" "HealthStatus" "RefreshedAt" --profile my-profile

I get the error: A client error (AccessDenied) occurred when calling the DescribeEnvironmentHealth operation: User: arn:aws:iam::myaccountid:user/myuser is not authorized to perform: elasticbeanstalk:DescribeEnvironmentHealth

With the --debug flag I can see the HTTP 403 response.

Additional details

The IAM policy has the action "elasticbeanstalk:DescribeEnvironmentHealth" on the resource "arn:aws:elasticbeanstalk:eu-west-1:myaccountid:environment/my-app-name/my-env-name*"

  • I double-checked the account ID, application and environment names.
  • When I add this action I can perform other actions, e.g. DescribeEnvironments.
  • I verified this policy with the IAM policy simulator on the specific resource ARN, with the user selected, and it says access is granted.
  • The CLI version is aws-cli/1.10.6 Python/2.7.11 Darwin/15.3.0 botocore/1.3.28
  • As a test I temporarily relaxed the policy to the action elasticbeanstalk:*, but it still does not work.

Questions

  1. How can I debug this further?
  2. Why does the IAM policy simulator say the policy does grant access, yet the CLI denies access?
  3. Full policy

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1455880772092",
                "Action": [
                    "ec2:*",
                    "s3:*",
                    "elasticloadbalancing:*",
                    "autoscaling:*",
                    "cloudwatch:*",
                    "s3:*",
                    "sns:*",
                    "rds:*",
                    "cloudformation:*",
                    "elasticbeanstalk:*"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:application/app-name",
                    "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
                    "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
                    "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
                    "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
                    "arn:aws:elasticbeanstalk:eu-west-1::solutionstack/*",
                    "arn:aws:s3:::elasticbeanstalk-eu-west-1-{accountId}*"
                ]
            },
            {
                "Sid": "Stmt1455891876139",
                "Action": [
                    "s3:DeleteObject",
                    "s3:DeleteObjectVersion",
                    "s3:ListBucket",
                    "s3:CreateBucket",
                    "s3:PutObject",
                    "s3:PutObjectAcl",
                    "s3:Get*"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:s3:::elasticbeanstalk-eu-west-1-{bucketId}*"
            }
        ]
    }

1 answer:

Answer 0 (score: 0)

For some reason, elasticbeanstalk:DescribeEnvironmentHealth only worked for me with "Resource": "*".

So I separated write and read permissions and allow "Resource": "*" only for reads. Here is my full policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:UpdateEnvironment"
            ],
            "Resource": [
                "arn:aws:elasticbeanstalk:eu-central-1:[account-id]:application/[application-name]",
                "arn:aws:elasticbeanstalk:*:*:environment/*/*",
                "arn:aws:elasticbeanstalk:*:*:applicationversion/*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:DescribeEnvironmentManagedActionHistory",
                "elasticbeanstalk:DescribeEnvironmentResources",
                "elasticbeanstalk:DescribeEnvironments",
                "elasticbeanstalk:DescribeApplicationVersions",
                "elasticbeanstalk:ListPlatformVersions",
                "elasticbeanstalk:DescribeEnvironmentManagedActions",
                "elasticbeanstalk:ValidateConfigurationSettings",
                "elasticbeanstalk:CheckDNSAvailability",
                "elasticbeanstalk:RequestEnvironmentInfo",
                "elasticbeanstalk:DescribeInstancesHealth",
                "elasticbeanstalk:DescribeEnvironmentHealth",
                "elasticbeanstalk:DescribeConfigurationSettings",
                "elasticbeanstalk:DescribeConfigurationOptions",
                "elasticbeanstalk:RetrieveEnvironmentInfo"
            ],
            "Resource": "*"
        }
    ]
}
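The mismatch described in the question (simulator says Allow, CLI returns 403) is what you see when a request is evaluated against resource "*" rather than a specific environment ARN, which is how IAM treats an API action that carries no resource-level ARN; the answer's finding that only "Resource": "*" worked is consistent with that. The following is an added example, not code from the question or the answer: a small offline IAM policy evaluator that models that behaviour. The policies are constructed, abbreviated copies of the two statements on this page with a made-up account ID, and `evaluate`, `SCOPED_POLICY` and `STAR_POLICY` are names chosen here.

```python
import re

# Constructed inputs: the asker's resource-scoped statement (abbreviated)
# and the answerer's read-only statement that uses "Resource": "*".
ACCOUNT = "111122223333"  # made-up account ID
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["elasticbeanstalk:*"],
        "Resource": [f"arn:aws:elasticbeanstalk:eu-west-1:{ACCOUNT}:environment/app-name/env-name*"],
    }],
}
STAR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["elasticbeanstalk:DescribeEnvironmentHealth"],
        "Resource": "*",
    }],
}

def _glob_to_re(pattern: str, ignore_case: bool) -> re.Pattern:
    # IAM wildcards: '*' matches any run of characters (including ':' and '/'), '?' one character.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE if ignore_case else 0)

def _matches(patterns, value: str, ignore_case: bool) -> bool:
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(_glob_to_re(p, ignore_case).match(value) for p in patterns)

def evaluate(policy: dict, action: str, resource: str = "*") -> str:
    """Simplified IAM logic: an explicit Deny wins, otherwise any matching Allow,
    otherwise implicit deny. Conditions, NotAction/NotResource and policies attached
    elsewhere are ignored. Action names match case-insensitively, ARNs case-sensitively.
    Call with resource="*" to model a request that carries no resource-level ARN:
    only a statement whose Resource pattern matches the literal "*" can then allow it."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action, ignore_case=True):
            continue
        if not _matches(stmt.get("Resource", []), resource, ignore_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision
```

With the environment ARN supplied, the scoped policy allows DescribeEnvironmentHealth (what the simulator showed); evaluated against "*", the same policy yields an implicit deny while the answer's read-only statement allows it.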