IAM permissions for Elastic Beanstalk

13 Oct 2013   aws

I’m currently freelancing for What'sMySize developing their SaaS product for fashion retailers. It’s a Rails 4 app that we’re going to host on Amazon Web Services’ Elastic Beanstalk platform.

Elastic Beanstalk is AWS’s PaaS offering that wraps their infrastructure services such as EC2 and RDS and adds features like deployment from git and auto scaling. Deploying the app to Elastic Beanstalk mainly went OK but I hit some nasty permissions issues.

We’re using the AWS IAM service (Identity and Access Management). IAM lets you create groups and users with fine-grained permissions. This is more secure than using the AWS account’s own (root) credentials, which have full access to everything and are tied to the account’s billing details.

We’re just a two-person team at the moment so I wanted to keep it simple. I created an Admin group using the Power User template, which gives the group access to all services except IAM. That is where the problems started, because Elastic Beanstalk itself uses many AWS services, IAM included.

The only way to find out the set of required IAM permissions was to work through each permissions error in the Elastic Beanstalk CLI and web console, one at a time. I then created a custom IAM policy using AWS’s rather cryptic policy DSL.

This was a bit painful, so it would be great if IAM shipped a standard policy for this. Until then, here is mine. To use it, replace 123456789012 with your own AWS account number.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ListInstanceProfiles"
      ],
      "Sid": "Stmt1381157441000",
      "Resource": [
        "arn:aws:iam::123456789012:instance-profile/"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "iam:CreateRole"
      ],
      "Sid": "Stmt1381157476000",
      "Resource": [
        "arn:aws:iam::123456789012:role/aws-elasticbeanstalk-ec2-role"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "iam:CreateInstanceProfile"
      ],
      "Sid": "Stmt1381157517000",
      "Resource": [
        "arn:aws:iam::123456789012:instance-profile/aws-elasticbeanstalk-ec2-role"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "iam:AddRoleToInstanceProfile"
      ],
      "Sid": "Stmt1381157545000",
      "Resource": [
        "arn:aws:iam::123456789012:instance-profile/aws-elasticbeanstalk-ec2-role"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "iam:CreateGroup"
      ],
      "Sid": "Stmt1381157568000",
      "Resource": [
        "arn:aws:iam::123456789012:group/AWSEBRDSDBSecurityGroup"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "iam:PassRole"
      ],
      "Sid": "Stmt1381158023000",
      "Resource": [
        "arn:aws:iam::123456789012:role/aws-elasticbeanstalk-ec2-role"
      ],
      "Effect": "Allow"
    }
  ]
}
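The trial-and-error loop above (collect each AccessDenied error, turn it into an Allow statement) can be automated. The following Python script is an added example, not code from the original post: it parses AccessDenied messages of the form IAM emits into a policy grouped by resource, and flags the statements that still deserve a manual look (wildcard resources and iam:PassRole). The sample messages, the `deployer` user name and the log noise line are constructed.

```python
import json
import re
from collections import defaultdict

# IAM's AccessDenied text: "User: <arn> is not authorized to perform: <action> on resource: <arn>"
DENIAL_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[a-z0-9-]+:[A-Za-z0-9]+)(?: on resource: (?P<resource>\S+))?"
)

# Constructed sample denials modelled on the EB CLI/console messages; not real account data.
_PREFIX = "User: arn:aws:iam::123456789012:user/deployer is not authorized to perform: "
_ROLE = "arn:aws:iam::123456789012:role/aws-elasticbeanstalk-ec2-role"
_PROFILE = "arn:aws:iam::123456789012:instance-profile/aws-elasticbeanstalk-ec2-role"
SAMPLE_DENIALS = [
    _PREFIX + "iam:CreateRole on resource: " + _ROLE,
    _PREFIX + "iam:PassRole on resource: " + _ROLE,
    _PREFIX + "iam:CreateInstanceProfile on resource: " + _PROFILE,
    _PREFIX + "iam:AddRoleToInstanceProfile on resource: " + _PROFILE,
    _PREFIX + "iam:ListInstanceProfiles",  # constructed: a list call reported without a resource
    "2013-10-13 INFO environment update started",  # non-denial noise that must be ignored
]

def parse_denial(message):
    """Return (action, resource) for one AccessDenied message, or None if it is not one."""
    m = DENIAL_RE.search(message)
    if not m:
        return None
    return m.group("action"), m.group("resource") or "*"  # no resource => only "*" satisfies it

def policy_from_denials(messages):
    """Merge denials into one Allow statement per resource; actions sorted for stable diffs."""
    by_resource = defaultdict(set)
    for message in messages:
        parsed = parse_denial(message)
        if parsed:
            action, resource = parsed
            by_resource[resource].add(action)
    statements = [{"Effect": "Allow", "Action": sorted(acts), "Resource": res}
                  for res, acts in sorted(by_resource.items())]
    return {"Version": "2012-10-17", "Statement": statements}

def risky_statements(policy):
    """Statements to review by hand: wildcard resources, and iam:PassRole (hands a role to EC2)."""
    return [s for s in policy["Statement"]
            if s["Resource"] == "*" or "iam:PassRole" in s["Action"]]

if __name__ == "__main__":
    generated = policy_from_denials(SAMPLE_DENIALS)
    print(json.dumps(generated, indent=2), "\nreview:", risky_statements(generated))
```

Feed it the real error text you collected and the generated JSON is a starting point for the policy above; the flagged statements are the ones worth narrowing before you save it.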