我無法弄清楚如何讓我公司的其他人部署到使用AWS Elastic Beanstalk的(測試)服務器。Elastic Beanstalk:允許用戶部署
本頁面顯示在ELB全球唯一權限控制:http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.managed-policies.html
我無法弄清楚如何讓我公司的其他人部署到使用AWS Elastic Beanstalk的(測試)服務器。Elastic Beanstalk:允許用戶部署
本頁面顯示在ELB全球唯一權限控制:http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.managed-policies.html
題爲Using IAM to secure Elastic Beanstalk Applications on AWS的里斯·戈弗雷博客文章有一些很好的指導。
我們有一個Elastic Beanstalk應用程序和一組用戶。這個 用戶組應該能夠監視和部署到僅彈出豆杆環境的 ,以及重新啓動或終止 應用程序實例。他們不應該能夠更改應用程序或環境配置,或者刪除環境。 用戶不應該能夠影響其他應用程序或AWS 服務,但他們可以看到其他區域的詳細信息。 我們假設用戶將使用AWS控制檯。
我已將此IAM政策轉貼以供參考。
他的方法的好處在於,它通過引用實例EG Environment=testing
上的EC2標記來考慮應用程序環境,在您的用例中需要該實例。
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"ElasticBeanstalkEnvironmentPermissions",
"Effect":"Allow",
"Action":[
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:DescribeEvents",
"elasticbeanstalk:RestartAppServer",
"elasticbeanstalk:RetrieveEnvironmentInfo",
"elasticbeanstalk:SwapEnvironmentCNAMEs",
"elasticbeanstalk:UpdateEnvironment",
"elasticbeanstalk:RequestEnvironmentInfo"
],
"Resource":[
"arn:aws:elasticbeanstalk:eu-west-1:123xxxxxxxxx:environment/ApplicationName/*"
]
},
{
"Sid":"ElasticBeanstalkGlobalPermissions",
"Effect":"Allow",
"Action":[
"elasticbeanstalk:DescribeConfigurationOptions",
"elasticbeanstalk:DescribeConfigurationSettings",
"elasticbeanstalk:ListAvailableSolutionStacks",
"elasticbeanstalk:ValidateConfigurationSettings",
"elasticbeanstalk:CheckDNSAvailability",
"elasticbeanstalk:CreateStorageLocation"
],
"Resource":[
"*"
]
},
{
"Sid":"ElasticBeanstalkApplicationVersionPermissions",
"Effect":"Allow",
"Action":[
"elasticbeanstalk:CreateApplicationVersion",
"elasticbeanstalk:DescribeApplicationVersions",
"elasticbeanstalk:UpdateApplicationVersion"
],
"Resource":[
"arn:aws:elasticbeanstalk:eu-west-1:123xxxxxxxxx:applicationversion/ApplicationName/*"
]
},
{
"Sid":"ElasticBeanstalkApplicationPermissions",
"Effect":"Allow",
"Action":[
"elasticbeanstalk:DescribeApplications",
"elasticbeanstalk:UpdateApplication"
],
"Resource":[
"arn:aws:elasticbeanstalk:eu-west-1:123xxxxxxxxx:application/ApplicationName"
]
},
{
"Sid":"Autoscaling",
"Effect":"Allow",
"Action":[
"autoscaling:SuspendProcesses",
"autoscaling:Describe*",
"autoscaling:ResumeProcesses"
],
"Resource":"*"
},
{
"Sid":"Cloudwatch",
"Effect":"Allow",
"Action":[
"cloudwatch:Describe*",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics"
],
"Resource":"*"
},
{
"Sid":"Cloudformation",
"Effect":"Allow",
"Action":[
"cloudformation:GetTemplate",
"cloudformation:Describe*"
],
"Resource":"*"
},
{
"Sid":"IAM",
"Effect":"Allow",
"Action":[
"iam:ListServerCertificates",
"iam:ListInstanceProfiles"
],
"Resource":"*"
},
{
"Sid":"S3ElasticBeanstalkBucket",
"Action":[
"s3:AbortMultipartUpload",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketPolicy",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetLifecycleConfiguration",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectTorrent",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionTorrent",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:ListBucket",
"s3:GetObject",
"s3:DeleteObject"
],
"Effect":"Allow",
"Resource":[
"arn:aws:s3:::elasticbeanstalk-eu-west-1-123xxxxxxxxx",
"arn:aws:s3:::elasticbeanstalk-eu-west-1-123xxxxxxxxx/*"
]
},
{
"Sid":"S3Global",
"Effect":"Allow",
"Action":"s3:ListAllMyBuckets",
"Resource":"arn:aws:s3:::*"
},
{
"Sid":"S3ElasticBeanstalkShared",
"Effect":"Allow",
"Action":"s3:*",
"Resource":[
"arn:aws:s3:::elasticbeanstalk-env-resources-eu-west-1",
"arn:aws:s3:::elasticbeanstalk-env-resources-eu-west-1/*"
]
},
{
"Sid":"EC2Global",
"Effect":"Allow",
"Action":[
"ec2:Describe*"
],
"Resource":[
"*"
]
}
]
}
第二IAM政策處理EC2實例爲給定的環境:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"EC2EnvironmentInstances",
"Effect":"Allow",
"Action":[
"ec2:MonitorInstances",
"ec2:UnmonitorInstances",
"ec2:RebootInstances",
"ec2:StopInstances"
],
"Resource":[
"arn:aws:ec2:eu-west-1:123xxxxxxxxx:instance/*"
],
"Condition":{
"StringEquals":{
"ec2:ResourceTag/elasticbeanstalk:environment-name":"EnvironmentName"
}
}
}
]
}
你想將其限制於特定應用的豆莖? – Shibashis
是的,適用於特定的應用程序和特定的環境。找不到如何。 –
有人似乎已經在github上分享了它。 https://gist.github.com/magnetikonline/5034bdbb049181a96ac9 – Shibashis