I am trying to grant an IAM user with a REST API token permission to describe the environment health of a specific Elastic Beanstalk application through the AWS CLI.
Problems
When I use the CLI command to run:
aws elasticbeanstalk describe-environment-health --environment-name my-env-name --attribute-names "Status" "Color" "Causes" "InstancesHealth" "HealthStatus" "RefreshedAt" --profile my-profile
I received an error: A client error (AccessDenied) occurred when calling the DescribeEnvironmentHealth operation: User: arn:aws:iam::myaccountid:user/myuser is not authorized to perform: elasticbeanstalk:DescribeEnvironmentHealth
Using the --debug flag I can see the HTTP 403 response.
Additional details
The IAM policy has the action elasticbeanstalk:DescribeEnvironmentHealth on the resource:
arn:aws:elasticbeanstalk:eu-west-1:myaccountid:environment/my-app-name/my-env-name*
>I have double-checked the account ID, app and env name.
>When I add this action, I can perform other actions, such as DescribeEnvironments.
>This policy was verified on the specific resource ARN using the IAM simulator with the user selected, and it indicated that access was granted.
>The version of the CLI is aws-cli/1.10.6 Python/2.7.11 Darwin/15.3.0 botocore/1.3.28
>As a test, I temporarily relaxed the policy to use the action elasticbeanstalk:*, but it still doesn’t work.
Question
>How do I debug this problem further?
>Why does the IAM policy simulator say that the policy does grant access but the CLI denies access?
Complete policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1455880772092",
            "Action": [
                "ec2:*",
                "s3:*",
                "elasticloadbalancing:*",
                "autoscaling:*",
                "cloudwatch:*",
                "s3:*",
                "sns:*",
                "rds:*",
                "cloudformation:*",
                "elasticbeanstalk:*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:application/app-name",
                "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
                "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
                "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
                "arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
                "arn:aws:elasticbeanstalk:eu-west-1::solutionstack/*",
                "arn:aws:s3:::elasticbeanstalk-eu-west-1-{accountId}*"
            ]
        },
        {
            "Sid": "Stmt1455891876139",
            "Action": [
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:ListBucket",
                "s3:CreateBucket",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:Get*"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::elasticbeanstalk-eu-west-1-{bucketId}*"
        }
    ]
}
For some reason, elasticbeanstalk:DescribeEnvironmentHealth only works for me with "Resource": "*".
So I separated the write/read permissions, allowing "Resource": "*" only for reading. This is my complete policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:UpdateEnvironment"
            ],
            "Resource": [
                "arn:aws:elasticbeanstalk:eu-central-1:[account-id]:application/[application-name]",
                "arn:aws:elasticbeanstalk:*:*:environment/*/*",
                "arn:aws:elasticbeanstalk:*:*:applicationversion/*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:DescribeEnvironmentManagedActionHistory",
                "elasticbeanstalk:DescribeEnvironmentResources",
                "elasticbeanstalk:DescribeEnvironments",
                "elasticbeanstalk:DescribeApplicationVersions",
                "elasticbeanstalk:ListPlatformVersions",
                "elasticbeanstalk:DescribeEnvironmentManagedActions",
                "elasticbeanstalk:ValidateConfigurationSettings",
                "elasticbeanstalk:CheckDNSAvailability",
                "elasticbeanstalk:RequestEnvironmentInfo",
                "elasticbeanstalk:DescribeInstancesHealth",
                "elasticbeanstalk:DescribeEnvironmentHealth",
                "elasticbeanstalk:DescribeConfigurationSettings",
                "elasticbeanstalk:DescribeConfigurationOptions",
                "elasticbeanstalk:RetrieveEnvironmentInfo"
            ],
            "Resource": "*"
        }
    ]
}
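A small policy check built on the answer above, added here as an example and not part of the original post: it flags Allow statements that put anything other than the answer's read-only actions on "Resource": "*", and statements that scope DescribeEnvironmentHealth to specific ARNs, which is the case this page reports as denied. The function names and the shortened sample policies are assumptions constructed for illustration.

```python
import fnmatch

# Actions the answer grants on "Resource": "*" (all read-only calls).
READ_ONLY = {"elasticbeanstalk:" + n.lower() for n in """
    DescribeEnvironmentManagedActionHistory DescribeEnvironmentResources
    DescribeEnvironments DescribeApplicationVersions ListPlatformVersions
    DescribeEnvironmentManagedActions ValidateConfigurationSettings
    CheckDNSAvailability RequestEnvironmentInfo DescribeInstancesHealth
    DescribeEnvironmentHealth DescribeConfigurationSettings
    DescribeConfigurationOptions RetrieveEnvironmentInfo""".split()}
HEALTH = "elasticbeanstalk:describeenvironmenthealth"


def as_list(value):
    """Action, Resource and Statement may each be one item or a list."""
    return list(value) if isinstance(value, list) else [value]


def audit(policy):
    """Return sorted (statement index, finding) pairs for Allow statements."""
    findings = set()
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(stmt["Action"])]
        if "*" in as_list(stmt["Resource"]):
            # Least privilege: only the literal read-only actions may sit on "*".
            if any(a not in READ_ONLY for a in actions):
                findings.add((i, "non-read action on Resource *"))
        elif any(fnmatch.fnmatchcase(HEALTH, a) for a in actions):
            # Observation from this page, not a documented AWS rule: the call
            # was denied when the statement listed specific ARNs.
            findings.add((i, "DescribeEnvironmentHealth scoped to ARNs"))
    return sorted(findings)


# Constructed samples modelled on the two policies above (ARNs shortened).
QUESTION_STYLE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:*", "elasticbeanstalk:*"],
    "Resource": ["arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*"]}]}
ANSWER_STYLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "elasticbeanstalk:UpdateEnvironment",
     "Resource": "arn:aws:elasticbeanstalk:*:*:environment/*/*"},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "elasticbeanstalk:DescribeEnvironments",
        "elasticbeanstalk:DescribeEnvironmentHealth"]}]}

if __name__ == "__main__":
    print(audit(QUESTION_STYLE))
    print(audit(ANSWER_STYLE))
```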