All geek questions in one place

AWS IAM Political Elasticity: DescribeEnvironmentHealth

What i want to achieve

I am trying to give the IAM user permission of a REST API token to describe the state of the environment on a particular elastic bean stack application through the AWS CLI.

Problem

When I run the CLI command:

aws elasticbeanstalk describe-environment-health --environment-name my-env-name --attribute-names "Status" "Color" "Causes" "InstancesHealth" "HealthStatus" "RefreshedAt" --profile my-profile

I get an error: When calling the DescribeEnvironmentHealth operation, a client error (AccessDenied) occurred: User: arn: aws: iam :: myaccountid: user / myuser does not have the right to execute: elasticbeanstalk: DescribeEnvironmentHealth

with flag --debugI see the answer HTTP 403.

additional information

IAM policy has an action "elasticbeanstalk:DescribeEnvironmentHealth"on a resource: "arn:aws:elasticbeanstalk:eu-west-1:myaccountid:environment/my-app-name/my-env-name*"

  • I double checked the account name, application name and env.
  • , DescribeEnvironments, .
  • ARN , IAM , , .
  • CLI aws-cli/1.10.6 Python/2.7.11 Darwin/15.3.0 botocore/1.3.28
  • , elasticbeanstalk:*, .

  • ?
  • IAM , , CLI?

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1455880772092",
            "Action": [
                "ec2:*",
                "s3:*",
                "elasticloadbalancing:*",
                "autoscaling:*",
                "cloudwatch:*",
                "s3:*",
                "sns:*",
                "rds:*",
                "cloudformation:*",
                "elasticbeanstalk:*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:application/app-name",
                "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
                "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
                "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
                "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
                "arn:aws:elasticbeanstalk:eu-west-1::solutionstack/*",
                "arn:aws:s3:::elasticbeanstalk-eu-west-1-{accountId}*"
            ]
        },
        {
            "Sid": "Stmt1455891876139",
            "Action": [
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:ListBucket",
                "s3:CreateBucket",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:Get*"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::elasticbeanstalk-eu-west-1-{bucketId}*"
        }
    ]
}
+4
1

- elasticbeanstalk:DescribeEnvironmentHealth "Resource": "*".

, /, "Resource": "*" . :

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:UpdateEnvironment"
            ],
            "Resource": [
                "arn:aws:elasticbeanstalk:eu-central-1:[account-id]:application/[application-name]",
                "arn:aws:elasticbeanstalk:*:*:environment/*/*",
                "arn:aws:elasticbeanstalk:*:*:applicationversion/*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:DescribeEnvironmentManagedActionHistory",
                "elasticbeanstalk:DescribeEnvironmentResources",
                "elasticbeanstalk:DescribeEnvironments",
                "elasticbeanstalk:DescribeApplicationVersions",
                "elasticbeanstalk:ListPlatformVersions",
                "elasticbeanstalk:DescribeEnvironmentManagedActions",
                "elasticbeanstalk:ValidateConfigurationSettings",
                "elasticbeanstalk:CheckDNSAvailability",
                "elasticbeanstalk:RequestEnvironmentInfo",
                "elasticbeanstalk:DescribeInstancesHealth",
                "elasticbeanstalk:DescribeEnvironmentHealth",
                "elasticbeanstalk:DescribeConfigurationSettings",
                "elasticbeanstalk:DescribeConfigurationOptions",
                "elasticbeanstalk:RetrieveEnvironmentInfo"
            ],
            "Resource": "*"
        }
    ]
}
0

Source: https://habr.com/ru/post/1630068/

More articles:


All Articles