AWS IAM 策略 elasticbeanstalk:DescribeEnvironmentHealth

【问题标题】:AWS IAM Policy elasticbeanstalk:DescribeEnvironmentHealthAWS IAM 策略 elasticbeanstalk:DescribeEnvironmentHealth
【发布时间】:2016-06-05 08:47:46
【问题描述】:

我想要实现的目标

我正在尝试通过 AWS CLI 授予具有 REST API 令牌权限的 IAM 用户在特定弹性 beanstalk 应用程序上描述环境健康状况。

问题

当我使用 CLI 命令运行时:

aws elasticbeanstalk describe-environment-health --environment-name my-env-name --attribute-names "Status" "Color" "Causes" "InstancesHealth" "HealthStatus" "RefreshedAt" --profile my-profile

我收到错误:调用 DescribeEnvironmentHealth 操作时出现客户端错误 (AccessDenied):用户:arn:aws:iam::myaccountid:user/myuser 无权执行:elasticbeanstalk:DescribeEnvironmentHealth

使用--debug 标志我可以看到HTTP 403 响应。

额外细节

IAM 策略对资源执行"elasticbeanstalk:DescribeEnvironmentHealth" 操作: "arn:aws:elasticbeanstalk:eu-west-1:myaccountid:environment/my-app-name/my-env-name*"

  • 我已经仔细检查了帐户 ID、应用程序和环境名称。
  • 当我添加此操作时,我可以很好地执行其他操作,例如DescribeEnvironments
  • 我已在选择用户时使用 IAM 模拟器验证了特定资源 ARN 与此策略,并且它表示已授予访问权限
  • CLI 的版本是aws-cli/1.10.6 Python/2.7.11 Darwin/15.3.0 botocore/1.3.28
  • 作为测试,我暂时放宽了政策,设置了elasticbeanstalk:* 操作,但还是不行。

问题

  1. 如何进一步调试此问题?
  2. 为什么 IAM 策略模拟器说策略确实授予访问权限,但通过 CLI 拒绝访问?

完整政策

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1455880772092",
            "Action": [
                "ec2:*",
                "s3:*",
                "elasticloadbalancing:*",
                "autoscaling:*",
                "cloudwatch:*",
                "s3:*",
                "sns:*",
                "rds:*",
                "cloudformation:*",
                "elasticbeanstalk:*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:application/app-name",
                "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
                "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
                "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
                "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
                "arn:aws:elasticbeanstalk:eu-west-1::solutionstack/*",
                "arn:aws:s3:::elasticbeanstalk-eu-west-1-{accountId}*"
            ]
        },
        {
            "Sid": "Stmt1455891876139",
            "Action": [
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:ListBucket",
                "s3:CreateBucket",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:Get*"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::elasticbeanstalk-eu-west-1-{bucketId}*"
        }
    ]
}

【问题讨论】:

  • 请附上政策
  • @mickzer 政策已添加到详细信息中。它目前比我想要的要宽松得多 - 但即使这样,用户也无法描述环境健康状况......但随后可以创建新版本,描述环境,甚至开始部署新版本......只是不描述健康。
  • 你能解决这个问题吗?我现在正面临这个问题。其他权限,包括 UpdateEnvironment 和 TerminateEnvironment,工作正常。

标签: amazon-web-services amazon-elastic-beanstalk amazon-iam aws-cli


【解决方案1】:

出于某种原因,elasticbeanstalk:DescribeEnvironmentHealth 只为我使用 "Resource": "*"

所以我分离了写/读权限,只允许"Resource": "*" 用于读取。这是我的完整政策:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:UpdateEnvironment"
            ],
            "Resource": [
                "arn:aws:elasticbeanstalk:eu-central-1:[account-id]:application/[application-name]",
                "arn:aws:elasticbeanstalk:*:*:environment/*/*",
                "arn:aws:elasticbeanstalk:*:*:applicationversion/*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:DescribeEnvironmentManagedActionHistory",
                "elasticbeanstalk:DescribeEnvironmentResources",
                "elasticbeanstalk:DescribeEnvironments",
                "elasticbeanstalk:DescribeApplicationVersions",
                "elasticbeanstalk:ListPlatformVersions",
                "elasticbeanstalk:DescribeEnvironmentManagedActions",
                "elasticbeanstalk:ValidateConfigurationSettings",
                "elasticbeanstalk:CheckDNSAvailability",
                "elasticbeanstalk:RequestEnvironmentInfo",
                "elasticbeanstalk:DescribeInstancesHealth",
                "elasticbeanstalk:DescribeEnvironmentHealth",
                "elasticbeanstalk:DescribeConfigurationSettings",
                "elasticbeanstalk:DescribeConfigurationOptions",
                "elasticbeanstalk:RetrieveEnvironmentInfo"
            ],
            "Resource": "*"
        }
    ]
}

【讨论】:

    猜你喜欢
    • 1970-01-01
    • 1970-01-01
    • 2020-12-26
    • 2019-04-18
    • 2021-09-29
    • 2018-05-08
    • 1970-01-01
    • 1970-01-01
    • 2014-05-02
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode