I have an IAM policy setup that I thought provided the right permissions to deploy a new version to an Elastic Beanstalk application. I'm still getting InsufficientPrivilegesException, specifically:
aws elasticbeanstalk update-environment --environment-name LearnTfsBff --version-label LearnTfsBff-30
An error occurred (InsufficientPrivilegesException) when calling the UpdateEnvironment operation: Access Denied
This is the policy set for the deployment user:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"autoscaling:*",
"cloudformation:GetTemplate",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources",
"autoscaling:*",
"cloudfront:CreateInvalidation",
"ec2:describeVpcs",
"ec2:DescribeImages",
"elasticbeanstalk:CreateApplicationVersion",
"elasticbeanstalk:DescribeApplications",
"elasticbeanstalk:DescribeApplicationVersions",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:UpdateEnvironment",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"s3:ListAllMyBuckets",
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::learn-tfs-builds"
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": "arn:aws:s3:::learn-tfs-*"
}
]
}
I tried adding "elasticbeanstalk:*" as an allowed action and that did not resolve the privileges issue. I added "*" as allowed and that does resolve it, but is not a allowable solution.
How can I debug what specific permissions are needed within AWS?
Thanks,
Sam
Best Answer
From this guide it looks like you might need S3 access for the elastic beanstalk bucket as well, IE: