amazon-web-services – AWS IAM Policy elasticbeanstalk:DescribeEnvironmentHealth

What I want to achieve

I am trying to grant IAM users with REST API token permissions through the AWS CLI so that they can be used in a specific elastic beanstalk application The environment health status is described above.

Problems

When I use the CLI command to run:

aws elasticbeanstalk describe-environment-health –environment-name my-env -name –attribute-names “Status” “Color” “cause” “InstancesHealth” “HealthStatus” “RefreshedAt” –profile my-profile

I received an error: A client error occurred when calling the DescribeEnvironmentHealth operation ( AccessDenied): User: arn: aws: iam :: myaccountid: User/myuser is not authorized to execute: elasticbeanstalk: DescribeEnvironmentHealth

Using the –debug flag I can see the HTTP 403 response.

Additional details

The IAM policy has an “elasticbeanstalk: DescribeEnvironmentHealth” operation on the resource:
“Aln: AWS: elasticbeanstalk: EU-West 1: myaccountid: environment/i-APP-name/i- ENV name*”

>I have double-checked the account ID, app and env name.
>When I add this action, I can perform other actions, such as DescribeEnvironments.
>I This policy was verified on the specific resource ARN using the IAM simulator when selecting the user, and it indicated that access was granted. The version of the CLI is aws-cli / 1.10.6 Python / 2.7.11 Darwin / 15.3.0 botocore / 1.3.28
>As a test, I temporarily relaxed the strategy of using actionbeanstalk: *, but it still doesn’t work.

Question

>How to go further Debug this problem?
>Why does the IAM policy simulator say that the policy does grant access but the CLI denies access?

Complete policy

{
"Version": "2012-10-17",
"Statement": [< br /> {
"Sid": "Stmt1455880772092",
"Action": [
"ec2:*",
"s3:*",
" elasticloadbalancing:*",
"autoscaling:*",
"cloudwatch:*",
"s3:*",
"sns:*",
" rds:*",
"cloudformation:*",
"elasticbeanstalk:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:application/app-name",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}: applicationversion/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
" arn:aws:elasticbeanstalk:eu-west-1:{accountId} :environment/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1::solutionstack/*",
"arn:aws:s3:::elasticbeanstalk-eu-west-1-{accountId}*"
]
},
{
"Sid": "Stmt1455891876139",
"Action": [
"s3:DeleteObject",
"s3:DeleteObjectVersion ",
"s3:ListBucket",
"s3:CreateBucket",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:Get *"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elasticbeanstalk-eu-west-1-{bucketId}*"
}
]
}

for some reason , elasticbeanstalk: DescribeEnvironmentHealth only uses “resources” for me: “*”.

So I separated the write/read permissions, allowing “resources”: “*” is only for reading. This is my complete policy:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [< br /> "elasticbeanstalk:CreateApplicationVersion",
"elasticbeanstalk:UpdateEnvironment"
],
"Resource": [
"arn:aws:elasticbeanstalk:eu-central-1: [account-id]:application/[application-name]",
"arn:aws:elasticbeanstalk:*:*:environment/*/*",
"arn:aws:elasticbeanstalk:*: *:applicationversion/*/*"
]
},
{
"Effect": "Allow",
"Action": [
" elasticbeanstalk:DescribeEnvironmentManagedActionHistory",
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:Describe ApplicationVersions",
"elasticbeanstalk:ListPlatformVersions",
"elasticbeanstalk:DescribeEnvironmentManagedActions",
"elasticbeanstalk:ValidateConfigurationSettings",
"elasticbeanstalk:CheckDNSAvailability",
"elasticbeanstalk: RequestEnvironmentInfo",
"elasticbeanstalk:DescribeInstancesHealth",
"elasticbeanstalk:DescribeEnvironmentHealth",
"elasticbeanstalk:DescribeConfigurationSettings",
"elasticbeanstalk:DescribeConfigurationOptions",
"elasticbeanstalk: RetrieveEnvironmentInfo"
],
"Resource": "*"
}
]
}

Me What I want to achieve

I am trying to grant IAM users with REST API token permissions through AWS CLI to describe environmental health on a specific elastic beanstalk application.

Question

When I run with CLI command:

aws elasticbeanstalk describe-environment-health –environment-name my-env-name –Attribute-names “Status” “Color” “cause” “InstancesHealth” “HealthStatus” “RefreshedAt” –profile my-profile

I received an error: A client error (AccessDenied) occurred when calling the DescribeEnvironmentHealth operation : User: arn: aws: iam :: myaccountid: user/myuser is not authorized to execute: elasticbeanstalk: DescribeEnvironmentHealth

Using the –debug flag I can see the HTTP 403 response.

Additional details

The IAM policy has an “elasticbeanstalk: DescribeEnvironmentHealth” operation on the resource:
“Aln: AWS: elasticbeanstalk: EU-West 1: myaccountid: environment/me-APP-name/me-ENV name *”

>I have carefully checked the account ID, app and env name.
>When I add this action, I can perform other actions, such as DescribeEnvironments.
>I am selecting The user used the IAM simulator to verify this policy on the specific resource ARN, and said that access was granted. The version of CLI is aws-cli / 1.10.6 Python / 2.7.11 Darwin / 15.3.0 botocore / 1.3.28
>As a test, I temporarily relax the strategy of using actionbeanstalk:*, but it still doesn’t work.

Problem

>How to debug this further problem?
>Why does the IAM policy simulator say that the policy does grant access but the CLI denies access?

Complete policy

{
"Version": "2012-10-17",
"Statement": [< br /> {
"Sid": "Stmt1455880772092",
"Action": [
"ec2:*",
"s3:*",
" elasticloadbalancing:*",
"autoscaling:*",
"cloudwatch:*",
"s3:*",
"sns:*",
" rds:*",
"cloudformation:*",
"elasticbeanstalk:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:application/app-name",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}: applicationversion/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
" arn:aws:elasticbeanstalk:eu-west-1:{accountId}:en vironment/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
" arn:aws:elasticbeanstalk:eu-west-1::solutionstack/*",
"arn:aws:s3:::elasticbeanstalk-eu-west-1-{accountId}*"
]< br /> },
{
"Sid": "Stmt1455891876139",
"Action": [
"s3:DeleteObject",
"s3:DeleteObjectVersion" ,
"s3:ListBucket",
"s3:CreateBucket",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:Get* "
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elasticbeanstalk-eu-west-1-{bucketId}*"< br /> }
]
}

For some reason, elasticbeanstalk: DescribeEnvironmentHealth only uses “resources” for me: ” *”.

So I separated the write/read permissions, allowing “resources”: “*” is only for reading. This is my complete policy:

{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
” Action”: [
“elasticbeanstalk:CreateApplicationVersion”,
“elasticbeanstalk:UpdateEnvironment”
],
“Resource”: [
“arn:aws:elasticbeanstalk:eu -central-1:[account-id]:application/[application-name]”,
“arn:aws:elasticbeanstalk:*:*:environment/*/*”,
“arn:aws :elasticbeanstalk:*:*:applicationversion/*/*”
]
},
{
“Effect”: “Allow”,
“Action”: [
“elasticbeanstalk:DescribeEnvironmentManagedActionHistory”,
“elasticbeanstalk:DescribeEnvironmentResources”,
“elasticbeanstalk:DescribeEnvironments”,
“elasticbeanstalk:DescribeApplicationVersions”,
“elasticbeanst alk:ListPlatformVersions”,
“elasticbeanstalk:DescribeEnvironmentManagedActions”,
“elasticbeanstalk:ValidateConfigurationSettings”,
“elasticbeanstalk:CheckDNSAvailability”,
“elasticbeanstalk:RequestEnvironmentInfo”,
” elasticbeanstalk:DescribeInstancesHealth”,
“elasticbeanstalk:DescribeEnvironmentHealth”,
“elasticbeanstalk:DescribeConfigurationSettings”,
“elasticbeanstalk:DescribeConfigurationOptions”,
“elasticbeanstalk:RetrieveEnvironmentInfo”
],
“Resource”: “*”
}
]
}

WordPress database error: [Table 'yf99682.wp_s6mz6tyggq_comments' doesn't exist]
SELECT SQL_CALC_FOUND_ROWS wp_s6mz6tyggq_comments.comment_ID FROM wp_s6mz6tyggq_comments WHERE ( comment_approved = '1' ) AND comment_post_ID = 1875 ORDER BY wp_s6mz6tyggq_comments.comment_date_gmt ASC, wp_s6mz6tyggq_comments.comment_ID ASC

Leave a Comment

Your email address will not be published.