I have an IAM policy setup that I thought provided the right permissions to deploy a new version to an Elastic Beanstalk application. I'm still getting InsufficientPrivilegesException
, specifically:
aws elasticbeanstalk update-environment --environment-name LearnTfsBff --version-label LearnTfsBff-30
An error occurred (InsufficientPrivilegesException) when calling the UpdateEnvironment operation: Access Denied
This is the policy set for the deployment user:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"autoscaling:*",
"cloudformation:GetTemplate",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources",
"autoscaling:*",
"cloudfront:CreateInvalidation",
"ec2:describeVpcs",
"ec2:DescribeImages",
"elasticbeanstalk:CreateApplicationVersion",
"elasticbeanstalk:DescribeApplications",
"elasticbeanstalk:DescribeApplicationVersions",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:UpdateEnvironment",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"s3:ListAllMyBuckets",
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::learn-tfs-builds"
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": "arn:aws:s3:::learn-tfs-*"
}
]
}
I tried adding "elasticbeanstalk:*"
as an allowed action and that did not resolve the privileges issue. I added "*"
as allowed and that does resolve it, but is not a allowable solution.
How can I debug what specific permissions are needed within AWS?
Thanks,
Sam