Elastic Beanstalk:允许用户部署

Elastic Beanstalk: allow user to deploy

我不知道如何让我公司的其他人使用 AWS Elastic Beanstalk 部署到(测试)服务器。

该页面仅建议对 Elastic Beanstalk 进行全局权限控制:http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.managed-policies.html

Rhys Godfrey 题为 Using IAM to secure Elastic Beanstalk Applications on AWS 的博客文章提供了一些很好的指导。

We have an Elastic Beanstalk application, and a group of users. This group of users should be able to monitor and deploy to only that elastic beanstalk environment, as well as restarting or terminating application instance. They should not be able to change the application or environments configuration, or delete the environment. The user should not be able to affect other applications or AWS services, but it is acceptable for them to see details on other areas. We assume the user will be using the AWS console.

我在此重新贴出其中的 IAM 策略以供参考。

他的方法的优点在于,它通过引用实例上的 EC2 标签(第二个策略中使用的是 elasticbeanstalk:environment-name 标签,例如取值为 testing)来区分应用程序环境,这正是您的用例所需要的。需要注意的是,第一个策略中的 elasticbeanstalk:UpdateEnvironment 和 elasticbeanstalk:SwapEnvironmentCNAMEs 不仅用于部署新版本,也允许修改环境配置和交换 CNAME,这比上文引用的"不得更改环境配置"的要求更宽,应根据实际需要收紧。

{  
   "Version":"2012-10-17",
   "Statement":[  
      {  
         "Sid":"ElasticBeanstalkEnvironmentPermissions",
         "Effect":"Allow",
         "Action":[  
            "elasticbeanstalk:DescribeEnvironmentResources",
            "elasticbeanstalk:DescribeEnvironments",
            "elasticbeanstalk:DescribeEvents",
            "elasticbeanstalk:RestartAppServer",
            "elasticbeanstalk:RetrieveEnvironmentInfo",
            "elasticbeanstalk:SwapEnvironmentCNAMEs",
            "elasticbeanstalk:UpdateEnvironment",
            "elasticbeanstalk:RequestEnvironmentInfo"
         ],
         "Resource":[  
            "arn:aws:elasticbeanstalk:eu-west-1:123xxxxxxxxx:environment/ApplicationName/*"
         ]
      },
      {  
         "Sid":"ElasticBeanstalkGlobalPermissions",
         "Effect":"Allow",
         "Action":[  
            "elasticbeanstalk:DescribeConfigurationOptions",
            "elasticbeanstalk:DescribeConfigurationSettings",
            "elasticbeanstalk:ListAvailableSolutionStacks",
            "elasticbeanstalk:ValidateConfigurationSettings",
            "elasticbeanstalk:CheckDNSAvailability",
            "elasticbeanstalk:CreateStorageLocation"
         ],
         "Resource":[  
            "*"
         ]
      },
      {  
         "Sid":"ElasticBeanstalkApplicationVersionPermissions",
         "Effect":"Allow",
         "Action":[  
            "elasticbeanstalk:CreateApplicationVersion",
            "elasticbeanstalk:DescribeApplicationVersions",
            "elasticbeanstalk:UpdateApplicationVersion"
         ],
         "Resource":[  
            "arn:aws:elasticbeanstalk:eu-west-1:123xxxxxxxxx:applicationversion/ApplicationName/*"
         ]
      },
      {  
         "Sid":"ElasticBeanstalkApplicationPermissions",
         "Effect":"Allow",
         "Action":[  
            "elasticbeanstalk:DescribeApplications",
            "elasticbeanstalk:UpdateApplication"
         ],
         "Resource":[  
            "arn:aws:elasticbeanstalk:eu-west-1:123xxxxxxxxx:application/ApplicationName"
         ]
      },
      {  
         "Sid":"Autoscaling",
         "Effect":"Allow",
         "Action":[  
            "autoscaling:SuspendProcesses",
            "autoscaling:Describe*",
            "autoscaling:ResumeProcesses"
         ],
         "Resource":"*"
      },
      {  
         "Sid":"Cloudwatch",
         "Effect":"Allow",
         "Action":[  
            "cloudwatch:Describe*",
            "cloudwatch:GetMetricStatistics",
            "cloudwatch:ListMetrics"
         ],
         "Resource":"*"
      },
      {  
         "Sid":"Cloudformation",
         "Effect":"Allow",
         "Action":[  
            "cloudformation:GetTemplate",
            "cloudformation:Describe*"
         ],
         "Resource":"*"
      },
      {  
         "Sid":"IAM",
         "Effect":"Allow",
         "Action":[  
            "iam:ListServerCertificates",
            "iam:ListInstanceProfiles"
         ],
         "Resource":"*"
      },
      {  
         "Sid":"S3ElasticBeanstalkBucket",
         "Action":[  
            "s3:AbortMultipartUpload",
            "s3:GetBucketAcl",
            "s3:GetBucketCORS",
            "s3:GetBucketLocation",
            "s3:GetBucketLogging",
            "s3:GetBucketNotification",
            "s3:GetBucketPolicy",
            "s3:GetBucketRequestPayment",
            "s3:GetBucketTagging",
            "s3:GetBucketVersioning",
            "s3:GetBucketWebsite",
            "s3:GetLifecycleConfiguration",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:GetObjectTorrent",
            "s3:GetObjectVersion",
            "s3:GetObjectVersionAcl",
            "s3:GetObjectVersionTorrent",
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:ListBucket",
            "s3:GetObject",
            "s3:DeleteObject"
         ],
         "Effect":"Allow",
         "Resource":[  
            "arn:aws:s3:::elasticbeanstalk-eu-west-1-123xxxxxxxxx",
            "arn:aws:s3:::elasticbeanstalk-eu-west-1-123xxxxxxxxx/*"
         ]
      },
      {  
         "Sid":"S3Global",
         "Effect":"Allow",
         "Action":"s3:ListAllMyBuckets",
         "Resource":"arn:aws:s3:::*"
      },
      {  
         "Sid":"S3ElasticBeanstalkShared",
         "Effect":"Allow",
         "Action":"s3:*",
         "Resource":[  
            "arn:aws:s3:::elasticbeanstalk-env-resources-eu-west-1",
            "arn:aws:s3:::elasticbeanstalk-env-resources-eu-west-1/*"
         ]
      },
      {  
         "Sid":"EC2Global",
         "Effect":"Allow",
         "Action":[  
            "ec2:Describe*"
         ],
         "Resource":[  
            "*"
         ]
      }
   ]
}

第二个 IAM 策略处理给定环境的 EC2 实例:

{  
   "Version":"2012-10-17",
   "Statement":[  
      {  
         "Sid":"EC2EnvironmentInstances",
         "Effect":"Allow",
         "Action":[  
            "ec2:MonitorInstances",
            "ec2:UnmonitorInstances",
            "ec2:RebootInstances",
            "ec2:StopInstances"
         ],
         "Resource":[  
            "arn:aws:ec2:eu-west-1:123xxxxxxxxx:instance/*"
         ],
         "Condition":{  
            "StringEquals":{  
               "ec2:ResourceTag/elasticbeanstalk:environment-name":"EnvironmentName"
            }
         }
      }
   ]
}