AWS IAM policy elasticbeanstalk:DescribeEnvironmentHealth

What I want to achieve

I am trying to grant an IAM user (REST API token) permission to describe the environment health of a specific Elastic Beanstalk application via the AWS CLI.

Problem

When I run the CLI command:

aws elasticbeanstalk describe-environment-health --environment-name my-env-name --attribute-names "Status" "Color" "Causes" "InstancesHealth" "HealthStatus" "RefreshedAt" --profile my-profile

I get the error: A client error (AccessDenied) occurred when calling the DescribeEnvironmentHealth operation: User: arn:aws:iam::myaccountid:user/myuser is not authorized to perform: elasticbeanstalk:DescribeEnvironmentHealth

With the --debug flag I can see an HTTP 403 response.

Additional details

The IAM policy has the action "elasticbeanstalk:DescribeEnvironmentHealth" on the resource: "arn:aws:elasticbeanstalk:eu-west-1:myaccountid:environment/my-app-name/my-env-name*"

  • I have double-checked the account ID, application name and environment name.
  • When I add this action, I can perform other actions, e.g. DescribeEnvironments.
  • I have verified with the IAM policy simulator, selecting the user and the specific resource ARN from this policy, and it says access is allowed.
  • The CLI version is aws-cli/1.10.6 Python/2.7.11 Darwin/15.3.0 botocore/1.3.28
  • As a test, I temporarily relaxed the policy to the action elasticbeanstalk:*, but it still does not work.

Questions

  • How can I debug this further?
  • Why does the IAM policy simulator say the policy grants access, while the CLI is denied?

Full policy

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1455880772092",
                "Action": [
                    "ec2:*",
                    "s3:*",
                    "elasticloadbalancing:*",
                    "autoscaling:*",
                    "cloudwatch:*",
                    "s3:*",
                    "sns:*",
                    "rds:*",
                    "cloudformation:*",
                    "elasticbeanstalk:*"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:application/app-name",
                    "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
                    "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
                    "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
                    "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
                    "arn:aws:elasticbeanstalk:eu-west-1::solutionstack/*",
                    "arn:aws:s3:::elasticbeanstalk-eu-west-1-{accountId}*"
                ]
            },
            {
                "Sid": "Stmt1455891876139",
                "Action": [
                    "s3:DeleteObject",
                    "s3:DeleteObjectVersion",
                    "s3:ListBucket",
                    "s3:CreateBucket",
                    "s3:PutObject",
                    "s3:PutObjectAcl",
                    "s3:Get*"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:s3:::elasticbeanstalk-eu-west-1-{bucketId}*"
            }
        ]
    }
    

For some reason elasticbeanstalk:DescribeEnvironmentHealth only works with "Resource": "*".

So I separated the write and read permissions, allowing "Resource": "*" only for the read actions. Here is my full policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "elasticbeanstalk:CreateApplicationVersion",
                    "elasticbeanstalk:UpdateEnvironment"
                ],
                "Resource": [
                    "arn:aws:elasticbeanstalk:eu-central-1:[account-id]:application/[application-name]",
                    "arn:aws:elasticbeanstalk:*:*:environment/*/*",
                    "arn:aws:elasticbeanstalk:*:*:applicationversion/*/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "elasticbeanstalk:DescribeEnvironmentManagedActionHistory",
                    "elasticbeanstalk:DescribeEnvironmentResources",
                    "elasticbeanstalk:DescribeEnvironments",
                    "elasticbeanstalk:DescribeApplicationVersions",
                    "elasticbeanstalk:ListPlatformVersions",
                    "elasticbeanstalk:DescribeEnvironmentManagedActions",
                    "elasticbeanstalk:ValidateConfigurationSettings",
                    "elasticbeanstalk:CheckDNSAvailability",
                    "elasticbeanstalk:RequestEnvironmentInfo",
                    "elasticbeanstalk:DescribeInstancesHealth",
                    "elasticbeanstalk:DescribeEnvironmentHealth",
                    "elasticbeanstalk:DescribeConfigurationSettings",
                    "elasticbeanstalk:DescribeConfigurationOptions",
                    "elasticbeanstalk:RetrieveEnvironmentInfo"
                ],
                "Resource": "*"
            }
        ]
    }
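The answer above splits the policy by hand: mutating actions stay scoped to specific ARNs, while the Describe* read actions get "Resource": "*". The following is an added example, not code from the question or the answer, that applies the same split mechanically to a policy document and lints for the exact shape that fails in the question (a read action that only works on "*" granted on specific ARNs, directly or through a wildcard such as elasticbeanstalk:*). The NO_RESOURCE_LEVEL_ACTIONS list is an assumption taken from what the answer reports, not from AWS documentation; SAMPLE_POLICY is a constructed, trimmed version of the question's first statement using the placeholder account 123456789012.

```python
"""Lint and rewrite an IAM policy so that read-only actions which only work on
Resource "*" are granted in their own statement (the approach taken in the
answer above). Added example; not the original poster's or answerer's code.
"""
import copy
import fnmatch
import json

# Assumption for this example: the read-only actions the answer reports as
# working only with Resource "*". Verify against the AWS Service Authorization
# Reference for Elastic Beanstalk before relying on this list.
NO_RESOURCE_LEVEL_ACTIONS = (
    "elasticbeanstalk:DescribeEnvironmentHealth",
    "elasticbeanstalk:DescribeInstancesHealth",
)

# Constructed sample modelled on the question's first statement (trimmed):
# "elasticbeanstalk:*" is granted on specific ARNs only, never on "*".
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1455880772092",
            "Effect": "Allow",
            "Action": ["cloudwatch:*", "elasticbeanstalk:*"],
            "Resource": [
                "arn:aws:elasticbeanstalk:eu-west-1:123456789012:application/app-name",
                "arn:aws:elasticbeanstalk:eu-west-1:123456789012:environment/app-name/env-name*",
            ],
        },
        {
            "Sid": "S3Bucket",
            "Effect": "Allow",
            "Action": ["s3:Get*", "s3:ListBucket"],
            "Resource": "arn:aws:s3:::elasticbeanstalk-eu-west-1-123456789012*",
        },
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return list(value) if isinstance(value, list) else [value]


def _covers(pattern, action):
    """IAM action matching is case-insensitive and '*' is the wildcard."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_misscoped_actions(policy):
    """Return sorted (Sid, action) pairs for actions in NO_RESOURCE_LEVEL_ACTIONS
    that some Allow statement grants on specific ARNs while no Allow statement
    grants them on Resource "*". That is the grant shape the question reports
    as AccessDenied at call time.
    """
    granted_on_star, scoped = set(), set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Resource" not in stmt:
            continue  # Deny statements and NotResource are out of scope here
        on_star = "*" in _as_list(stmt["Resource"])
        for pattern in _as_list(stmt["Action"]):
            for action in NO_RESOURCE_LEVEL_ACTIONS:
                if _covers(pattern, action):
                    if on_star:
                        granted_on_star.add(action)
                    else:
                        scoped.add((stmt.get("Sid", ""), action))
    return sorted(h for h in scoped if h[1] not in granted_on_star)


def split_read_only(policy):
    """Return a copy of `policy` with a new Allow statement granting the
    misscoped read-only actions on Resource "*". Explicit action names are
    removed from the scoped statements (and an emptied statement is dropped);
    wildcard patterns are kept there because expanding them would need the
    full service action list. The input policy is not modified.
    """
    fixed = copy.deepcopy(policy)
    moved, remaining = set(), []
    for stmt in fixed["Statement"]:
        scoped = (stmt.get("Effect") == "Allow" and "Resource" in stmt
                  and "*" not in _as_list(stmt["Resource"]))
        if not scoped:
            remaining.append(stmt)
            continue
        keep = []
        for pattern in _as_list(stmt["Action"]):
            covered = [a for a in NO_RESOURCE_LEVEL_ACTIONS if _covers(pattern, a)]
            moved.update(covered)
            if "*" in pattern or not covered:  # keep wildcards and unrelated actions
                keep.append(pattern)
        if keep:
            stmt["Action"] = keep
            remaining.append(stmt)
    if moved:
        remaining.append({
            "Sid": "ReadOnlyActionsWithoutResourceLevelSupport",
            "Effect": "Allow",
            "Action": sorted(moved),
            "Resource": "*",
        })
    fixed["Statement"] = remaining
    return fixed


if __name__ == "__main__":
    print("misscoped:", find_misscoped_actions(SAMPLE_POLICY))
    print(json.dumps(split_read_only(SAMPLE_POLICY), indent=2))
```

The lint deliberately looks across the whole policy rather than one statement at a time, so a policy like the answer's (writes on ARNs, reads on "*") passes even though the write statement still lists environment ARNs. Before attaching the rewritten policy, compare the simulator's verdict for the specific environment ARN with its verdict for "*" (aws iam simulate-principal-policy with --resource-arns), and then make the real describe-environment-health call: a green result in the simulator is a static check and does not replace the call itself.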