AWS IAM 策略 elasticbeanstalk:DescribeEnvironmentHealth
Posted
技术标签:
【中文标题】AWS IAM 策略 elasticbeanstalk:DescribeEnvironmentHealth【英文标题】:AWS IAM Policy elasticbeanstalk:DescribeEnvironmentHealth 【发布时间】:2016-06-05 08:47:46 【问题描述】:我想要实现的目标
我正在尝试通过 AWS CLI 授予具有 REST API 令牌权限的 IAM 用户在特定弹性 beanstalk 应用程序上描述环境健康状况。
问题
当我使用 CLI 命令运行时:
aws elasticbeanstalk describe-environment-health --environment-name my-env-name --attribute-names "Status" "Color" "Causes" "InstancesHealth" "HealthStatus" "RefreshedAt" --profile my-profile
我收到错误:调用 DescribeEnvironmentHealth 操作时出现客户端错误 (AccessDenied):用户:arn:aws:iam::myaccountid:user/myuser 无权执行:elasticbeanstalk:DescribeEnvironmentHealth
使用--debug 标志我可以看到HTTP 403 响应。
额外细节
IAM 策略对资源执行"elasticbeanstalk:DescribeEnvironmentHealth" 操作:
"arn:aws:elasticbeanstalk:eu-west-1:myaccountid:environment/my-app-name/my-env-name*"
DescribeEnvironments。
我已在选择用户时使用 IAM 模拟器验证了特定资源 ARN 与此策略,并且它表示已授予访问权限。
CLI 的版本是aws-cli/1.10.6 Python/2.7.11 Darwin/15.3.0 botocore/1.3.28
作为测试,我暂时放宽了政策,设置了elasticbeanstalk:* 操作,但还是不行。
问题
-
如何进一步调试此问题?
为什么 IAM 策略模拟器说策略确实授予访问权限,但通过 CLI 拒绝访问?
完整政策
"Version": "2012-10-17",
"Statement": [
"Sid": "Stmt1455880772092",
"Action": [
"ec2:*",
"s3:*",
"elasticloadbalancing:*",
"autoscaling:*",
"cloudwatch:*",
"s3:*",
"sns:*",
"rds:*",
"cloudformation:*",
"elasticbeanstalk:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:elasticbeanstalk:eu-west-1:accountId:application/app-name",
"arn:aws:elasticbeanstalk:eu-west-1:accountId:applicationversion/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1:accountId:applicationversion/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1:accountId:environment/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1:accountId:environment/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1::solutionstack/*",
"arn:aws:s3:::elasticbeanstalk-eu-west-1-accountId*"
]
,
"Sid": "Stmt1455891876139",
"Action": [
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:ListBucket",
"s3:CreateBucket",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:Get*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elasticbeanstalk-eu-west-1-bucketId*"
]
【问题讨论】:
请附上政策 @mickzer 政策已添加到详细信息中。它目前比我想要的要宽松得多 - 但即使这样,用户也无法描述环境健康状况......但随后可以创建新版本,描述环境,甚至开始部署新版本......只是不描述健康。 你能解决这个问题吗?我现在正面临这个问题。其他权限,包括 UpdateEnvironment 和 TerminateEnvironment,工作正常。 【参考方案1】:出于某种原因,elasticbeanstalk:DescribeEnvironmentHealth 只为我使用 "Resource": "*"。
所以我分离了写/读权限,只允许"Resource": "*" 用于读取。这是我的完整政策:
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": [
"elasticbeanstalk:CreateApplicationVersion",
"elasticbeanstalk:UpdateEnvironment"
],
"Resource": [
"arn:aws:elasticbeanstalk:eu-central-1:[account-id]:application/[application-name]",
"arn:aws:elasticbeanstalk:*:*:environment/*/*",
"arn:aws:elasticbeanstalk:*:*:applicationversion/*/*"
]
,
"Effect": "Allow",
"Action": [
"elasticbeanstalk:DescribeEnvironmentManagedActionHistory",
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:DescribeApplicationVersions",
"elasticbeanstalk:ListPlatformVersions",
"elasticbeanstalk:DescribeEnvironmentManagedActions",
"elasticbeanstalk:ValidateConfigurationSettings",
"elasticbeanstalk:CheckDNSAvailability",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:DescribeInstancesHealth",
"elasticbeanstalk:DescribeEnvironmentHealth",
"elasticbeanstalk:DescribeConfigurationSettings",
"elasticbeanstalk:DescribeConfigurationOptions",
"elasticbeanstalk:RetrieveEnvironmentInfo"
],
"Resource": "*"
]
【讨论】:
以上是关于AWS IAM 策略 elasticbeanstalk:DescribeEnvironmentHealth的主要内容,如果未能解决你的问题,请参考以下文章
Cloudformation 的最低权限 AWS IAM 策略