Amazon web services: AWS IAM policy for Elastic Beanstalk: DescribeEnvironmentHealth
Tags: amazon-web-services, amazon-elastic-beanstalk, amazon-iam, aws-cli
What I am trying to achieve
I am trying to grant an IAM user, who has REST API token access through the AWS CLI, permission to describe environment health on a specific Elastic Beanstalk application.
Problem
When running the CLI command:
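aws elasticbeanstalk describe-environment-health --environment-name my-env-name --attribute-names "Status" "Color" "Causes" "InstanceHealth" "HealthStatus" "RefreshedAt" --profile my-profile
I get the error: A client error (AccessDenied) occurred when calling the DescribeEnvironmentHealth operation: User: arn:aws:iam::myaccountid:user/myuser is not authorized to perform: elasticbeanstalk:DescribeEnvironmentHealth
Using the --debug flag, I can see an HTTP 403 response.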
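Additional details
The IAM policy has the action "elasticbeanstalk:DescribeEnvironmentHealth" on the resource:
"arn:aws:elasticbeanstalk:eu-west-1:myaccountid:environment/my app name/my env name*"
- I have double-checked the account id, application and environment names
- I can perform other operations, such as DescribeEnvironments, just fine when I add that action
- I have validated this policy with the IAM simulator on the specific resource ARN with the user selected, and it says access is granted
- The CLI version is aws-cli/1.10.6 Python/2.7.11 Darwin/15.3.0 botocore/1.3.28
- As a test, I temporarily loosened the policy to make the action elasticbeanstalk: and it still does not work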
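For some reason, elasticbeanstalk:DescribeEnvironmentHealth only works for me when using "Resource": "*".
So I separated the write and read permissions and allowed resource "*" only for reads. Here is my full policy: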
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:UpdateEnvironment"
      ],
      "Resource": [
        "arn:aws:elasticbeanstalk:eu-central-1:[account-id]:application/[application-name]",
        "arn:aws:elasticbeanstalk:*:*:environment/*/*",
        "arn:aws:elasticbeanstalk:*:*:applicationversion/*/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:DescribeEnvironmentManagedActionHistory",
        "elasticbeanstalk:DescribeEnvironmentResources",
        "elasticbeanstalk:DescribeEnvironments",
        "elasticbeanstalk:DescribeApplicationVersions",
        "elasticbeanstalk:ListPlatformVersions",
        "elasticbeanstalk:DescribeEnvironmentManagedActions",
        "elasticbeanstalk:ValidateConfigurationSettings",
        "elasticbeanstalk:CheckDNSAvailability",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:DescribeInstancesHealth",
        "elasticbeanstalk:DescribeEnvironmentHealth",
        "elasticbeanstalk:DescribeConfigurationSettings",
        "elasticbeanstalk:DescribeConfigurationOptions",
        "elasticbeanstalk:RetrieveEnvironmentInfo"
      ],
      "Resource": "*"
    }
  ]
}
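A check for the policy above, as an added example that is not part of the original answer: it lists every action granted on "*", or on an ARN with a wildcard region or account, that is not on a read-only allowlist. The allowlist (copied from the answer's second statement), the function names and the definition of a "broad" resource are assumptions of this example; NotAction and NotResource are not handled.

```python
# Read actions the answer grants on "Resource": "*"; treated here as the
# only actions allowed on a wildcard (an assumption of this example).
READ_ACTIONS = """DescribeEnvironmentManagedActionHistory DescribeEnvironmentResources
DescribeEnvironments DescribeApplicationVersions ListPlatformVersions
DescribeEnvironmentManagedActions ValidateConfigurationSettings CheckDNSAvailability
RequestEnvironmentInfo DescribeInstancesHealth DescribeEnvironmentHealth
DescribeConfigurationSettings DescribeConfigurationOptions RetrieveEnvironmentInfo""".split()
ALLOWED_ON_WILDCARD = {f"elasticbeanstalk:{a}".lower() for a in READ_ACTIONS}

# The answer's policy rebuilt as a dict (placeholders kept as on the page).
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:UpdateEnvironment"],
     "Resource": [
         "arn:aws:elasticbeanstalk:eu-central-1:[account-id]:application/[application-name]",
         "arn:aws:elasticbeanstalk:*:*:environment/*/*",
         "arn:aws:elasticbeanstalk:*:*:applicationversion/*/*"]},
    {"Effect": "Allow",
     "Action": [f"elasticbeanstalk:{a}" for a in READ_ACTIONS],
     "Resource": "*"}]}

def as_list(value):
    """IAM accepts a bare string (or single statement) where a list is allowed."""
    return value if isinstance(value, list) else [value]

def is_broad(resource):
    """True for "*" or an ARN whose region or account field has a wildcard."""
    parts = resource.split(":", 5)
    if len(parts) < 6:
        return True  # "*" or anything that is not a full ARN
    return any(ch in field for field in parts[3:5] for ch in "*?")

def audit(policy, allowed=ALLOWED_ON_WILDCARD):
    """Return sorted (action, resource) pairs: non-allowlisted action on a broad resource."""
    findings = set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        broad = [r for r in as_list(stmt.get("Resource", [])) if is_broad(r)]
        for action in as_list(stmt.get("Action", [])):
            if action.lower() not in allowed:  # IAM action names are case-insensitive
                findings.update((action, r) for r in broad)
    return sorted(findings)

if __name__ == "__main__":
    for action, resource in audit(POLICY):
        print(f"{action} is granted on {resource}")
```

Run on the policy above, it reports the two write actions against the `*:*` environment and applicationversion ARNs, and nothing from the read statement.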
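Please include the policy
@mickzer I have added the policy to the details. At the moment it is far more permissive than I would like, but even so the user cannot describe environment health... They can create new versions, describe environments and even start deploying a new version... just not describe health.
Were you able to figure this out? I am facing this issue now. Other permissions, including UpdateEnvironment and TerminateEnvironment, work fine.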