Amazon Web Services: What is the minimum policy required to update and deploy an Elastic Beanstalk application?
I want to update and deploy a new version on Elastic Beanstalk from my continuous deployment system (Codeship), but I also want to lock down the permissions the deploy user has.

Tags: amazon-web-services, amazon-elastic-beanstalk, aws-cli

What is the minimum set of permissions required?

This IAM policy provides all the permissions needed to perform the "upload and deploy" function:
- for a new application version
- in the specified Elastic Beanstalk environment

Replace the following:
- Replace $REGION with a specific region, e.g.: us-east-1
- Replace $ACCOUNT with the account number (without dashes), e.g.: 123456789012
- Replace $APPLICATION with a specific application, e.g.: My Beanstalk Application
- Replace $ENVIRONMENT with a specific environment, e.g.: My Beanstalk Environment
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAutoscalingSuspendAndResumeProcesses",
      "Action": [
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowElasticBeanstalkValidateConfigurationSettings",
      "Action": [
        "elasticbeanstalk:ValidateConfigurationSettings"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:environment/$APPLICATION/$ENVIRONMENT"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:application/$APPLICATION"
          ]
        }
      }
    },
    {
      "Sid": "AllowS3PutAndDeleteObjectInProperBucket",
      "Action": [
        "s3:Put*",
        "s3:Delete*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-$REGION-$ACCOUNT/*"
      ]
    },
    {
      "Sid": "AllowElasticBeanstalkCreateStorageLocation",
      "Action": [
        "elasticbeanstalk:CreateStorageLocation"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "AllowElasticBeanstalkCreateApplicationVersion",
      "Action": [
        "elasticbeanstalk:CreateApplicationVersion"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:applicationversion/$APPLICATION/*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:application/$APPLICATION"
          ]
        }
      }
    },
    {
      "Sid": "AllowElasticBeanstalkUpdateEnvironment",
      "Action": [
        "elasticbeanstalk:UpdateEnvironment"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:environment/$APPLICATION/$ENVIRONMENT"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:application/$APPLICATION"
          ]
        },
        "StringLike": {
          "elasticbeanstalk:FromApplicationVersion": [
            "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:applicationversion/$APPLICATION/*"
          ]
        }
      }
    },
    {
      "Sid": "AllowElasticBeanstalkReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:List*",
        "cloudwatch:Get*",
        "s3:Get*",
        "s3:List*",
        "sns:Get*",
        "sns:List*",
        "cloudformation:Describe*",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudformation:Validate*",
        "cloudformation:Estimate*",
        "rds:Describe*",
        "sqs:Get*",
        "sqs:List*"
      ],
      "Resource": "*"
    }
  ]
}

I started asking myself the same question. I am deploying a dockerized application to Beanstalk from Bitbucket Pipelines. I checked here, but the policy seems to include many unnecessary actions and resources.
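As an added example (not code from the question or from either answer), the script below renders the $REGION/$ACCOUNT/$APPLICATION/$ENVIRONMENT policy template from the first answer with constructed sample values and then lists which Allow statements still grant a write action on Resource "*". The sample values are invented, the read-only statement is condensed to a subset of its actions, and the read-only prefix list is my own assumption for sorting actions, not an AWS classification.

```python
"""Render the placeholder policy template and flag wildcard-resource write grants."""
import json
import re
from string import Template

# Constructed sample values; this is not a real account, application or environment.
SAMPLE_VALUES = {
    "REGION": "us-east-1",
    "ACCOUNT": "123456789012",
    "APPLICATION": "my-beanstalk-app",
    "ENVIRONMENT": "my-beanstalk-env",
}

ENV_ARN = "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:environment/$APPLICATION/$ENVIRONMENT"
APP_ARN = "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:application/$APPLICATION"
VERSION_ARN = "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:applicationversion/$APPLICATION/*"
IN_APP = {"StringEquals": {"elasticbeanstalk:InApplication": [APP_ARN]}}

# Condensed copy of the answer's template: same Sids, resources and conditions,
# with the read-only statement trimmed to a few representative actions.
POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAutoscalingSuspendAndResumeProcesses",
         "Action": ["autoscaling:SuspendProcesses", "autoscaling:ResumeProcesses"],
         "Effect": "Allow", "Resource": ["*"]},
        {"Sid": "AllowElasticBeanstalkValidateConfigurationSettings",
         "Action": ["elasticbeanstalk:ValidateConfigurationSettings"],
         "Effect": "Allow", "Resource": [ENV_ARN], "Condition": IN_APP},
        {"Sid": "AllowS3PutAndDeleteObjectInProperBucket",
         "Action": ["s3:Put*", "s3:Delete*"],
         "Effect": "Allow", "Resource": ["arn:aws:s3:::elasticbeanstalk-$REGION-$ACCOUNT/*"]},
        {"Sid": "AllowElasticBeanstalkCreateStorageLocation",
         "Action": ["elasticbeanstalk:CreateStorageLocation"],
         "Effect": "Allow", "Resource": "*"},
        {"Sid": "AllowElasticBeanstalkCreateApplicationVersion",
         "Action": ["elasticbeanstalk:CreateApplicationVersion"],
         "Effect": "Allow", "Resource": [VERSION_ARN], "Condition": IN_APP},
        {"Sid": "AllowElasticBeanstalkUpdateEnvironment",
         "Action": ["elasticbeanstalk:UpdateEnvironment"],
         "Effect": "Allow", "Resource": [ENV_ARN],
         "Condition": {**IN_APP, "StringLike": {
             "elasticbeanstalk:FromApplicationVersion": [VERSION_ARN]}}},
        {"Sid": "AllowElasticBeanstalkReadOnlyAccess", "Effect": "Allow",
         "Action": ["elasticbeanstalk:Check*", "elasticbeanstalk:Describe*",
                    "elasticbeanstalk:List*", "ec2:Describe*", "s3:Get*", "s3:List*",
                    "cloudformation:Describe*"],
         "Resource": "*"},
    ],
}

# Assumed classification: action names starting with these prefixes only read state.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Check", "Validate", "Estimate",
                      "RequestEnvironmentInfo", "RetrieveEnvironmentInfo")


def render_policy(template: dict, values: dict) -> dict:
    """Substitute every $NAME in the template; raise if a value is missing or malformed."""
    if not re.fullmatch(r"\d{12}", values["ACCOUNT"]):
        raise ValueError("ACCOUNT must be the 12-digit account number without dashes")
    # Template.substitute raises KeyError for a placeholder with no value.
    return json.loads(Template(json.dumps(template)).substitute(values))


def unresolved_placeholders(policy: dict) -> list:
    """Return any $NAME tokens still present after rendering (should be empty)."""
    return sorted(set(re.findall(r"\$[A-Z_]+", json.dumps(policy))))


def wildcard_write_statements(policy: dict) -> list:
    """Return the Sids of Allow statements granting a non-read action on Resource '*'."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        actions = stmt.get("Action", [])
        resources = [resources] if isinstance(resources, str) else resources
        actions = [actions] if isinstance(actions, str) else actions
        if "*" not in resources:
            continue
        for action in actions:
            if not action.split(":", 1)[1].startswith(READ_ONLY_PREFIXES):
                flagged.append(stmt.get("Sid", "<no Sid>"))
                break
    return flagged


if __name__ == "__main__":
    rendered = render_policy(POLICY_TEMPLATE, SAMPLE_VALUES)
    print(json.dumps(rendered, indent=2))
    print("unresolved placeholders:", unresolved_placeholders(rendered))
    print("write actions on Resource '*':", wildcard_write_statements(rendered))
```

Run against the template above, the check reports the autoscaling suspend/resume statement and the CreateStorageLocation statement: those are the only grants that neither an environment-scoped ARN nor an InApplication condition constrains, so they are the ones to review first when tightening the deploy user further.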