AWS Elastic Beanstalk
Developer Guide
The AWS services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon AWS.

Controlling access to Elastic Beanstalk

AWS Elastic Beanstalk provides two managed policies that grant either full access or read-only access to all Elastic Beanstalk resources. You can attach these policies to AWS Identity and Access Management (IAM) users or groups.

Managed user policies

  • AWSElasticBeanstalkFullAccess – Allows the user to create, modify, and delete Elastic Beanstalk applications, application versions, configuration settings, environments, and their underlying resources.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "elasticbeanstalk:*",
                    "ec2:*",
                    "ecs:*",
                    "ecr:*",
                    "elasticloadbalancing:*",
                    "autoscaling:*",
                    "cloudwatch:*",
                    "s3:*",
                    "sns:*",
                    "cloudformation:*",
                    "dynamodb:*",
                    "rds:*",
                    "sqs:*",
                    "logs:*",
                    "iam:GetPolicyVersion",
                    "iam:GetRole",
                    "iam:PassRole",
                    "iam:ListRolePolicies",
                    "iam:ListAttachedRolePolicies",
                    "iam:ListInstanceProfiles",
                    "iam:ListRoles",
                    "iam:ListServerCertificates",
                    "acm:DescribeCertificate",
                    "acm:ListCertificates",
                    "codebuild:CreateProject",
                    "codebuild:DeleteProject",
                    "codebuild:BatchGetBuilds",
                    "codebuild:StartBuild"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iam:AddRoleToInstanceProfile",
                    "iam:CreateInstanceProfile",
                    "iam:CreateRole"
                ],
                "Resource": [
                    "arn:aws-cn:iam::*:role/aws-elasticbeanstalk*",
                    "arn:aws-cn:iam::*:instance-profile/aws-elasticbeanstalk*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iam:CreateServiceLinkedRole"
                ],
                "Resource": [
                    "arn:aws-cn:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling*"
                ],
                "Condition": {
                    "StringLike": {
                        "iam:AWSServiceName": "autoscaling.amazonaws.com"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iam:CreateServiceLinkedRole"
                ],
                "Resource": [
                    "arn:aws-cn:iam::*:role/aws-service-role/elasticbeanstalk.amazonaws.com/AWSServiceRoleForElasticBeanstalk*"
                ],
                "Condition": {
                    "StringLike": {
                        "iam:AWSServiceName": "elasticbeanstalk.amazonaws.com"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iam:AttachRolePolicy"
                ],
                "Resource": "*",
                "Condition": {
                    "StringLike": {
                        "iam:PolicyArn": [
                            "arn:aws-cn:iam::aws:policy/AWSElasticBeanstalk*",
                            "arn:aws-cn:iam::aws:policy/service-role/AWSElasticBeanstalk*"
                        ]
                    }
                }
            }
        ]
    }
  • AWSElasticBeanstalkReadOnlyAccess – Allows the user to view applications and environments, but not to perform any actions on them. It provides read-only access to all Elastic Beanstalk resources. Note that read-only access does not enable operations such as downloading Elastic Beanstalk logs so that you can read them, because the logs are placed in an Amazon S3 bucket for which Elastic Beanstalk needs write permission. For how to enable access to Elastic Beanstalk logs, see the example at the end of this topic.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "elasticbeanstalk:Check*",
                    "elasticbeanstalk:Describe*",
                    "elasticbeanstalk:List*",
                    "elasticbeanstalk:RequestEnvironmentInfo",
                    "elasticbeanstalk:RetrieveEnvironmentInfo",
                    "ec2:Describe*",
                    "elasticloadbalancing:Describe*",
                    "autoscaling:Describe*",
                    "cloudwatch:Describe*",
                    "cloudwatch:List*",
                    "cloudwatch:Get*",
                    "s3:Get*",
                    "s3:List*",
                    "sns:Get*",
                    "sns:List*",
                    "cloudformation:Describe*",
                    "cloudformation:Get*",
                    "cloudformation:List*",
                    "cloudformation:Validate*",
                    "cloudformation:Estimate*",
                    "rds:Describe*",
                    "sqs:Get*",
                    "sqs:List*"
                ],
                "Resource": "*"
            }
        ]
    }
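The full-access policy above grants whole services (`ec2:*`, `s3:*`, and so on) and `iam:PassRole` on `Resource: "*"`, while its IAM statements for role creation and policy attachment are narrowed by resource ARN prefix or by a condition. The following added example, which is not part of this guide or of any AWS tooling, audits a policy document for the first shape and shows how to move `iam:PassRole` into its own statement bound to the roles Elastic Beanstalk actually needs. The policy text is a constructed, abridged excerpt of the managed policy, and the role ARN is a constructed account with the default `aws-elasticbeanstalk-ec2-role` name.

```python
"""Flag unconstrained grants in an IAM policy document and scope iam:PassRole.

Added example, not part of the Elastic Beanstalk guide. It reads a policy in
the JSON shape shown above and reports Allow statements that combine a
wildcard action (or iam:PassRole) with Resource "*" and no Condition.
"""
import json

# Constructed excerpt of AWSElasticBeanstalkFullAccess in the aws-cn partition;
# the real managed policy carries more actions but the same three statement shapes.
FULL_ACCESS_EXCERPT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["elasticbeanstalk:*", "ec2:*", "s3:*", "iam:GetRole", "iam:PassRole"]},
        {"Effect": "Allow",
         "Action": ["iam:AddRoleToInstanceProfile", "iam:CreateInstanceProfile", "iam:CreateRole"],
         "Resource": ["arn:aws-cn:iam::*:role/aws-elasticbeanstalk*",
                      "arn:aws-cn:iam::*:instance-profile/aws-elasticbeanstalk*"]},
        {"Effect": "Allow", "Action": ["iam:AttachRolePolicy"], "Resource": "*",
         "Condition": {"StringLike": {"iam:PolicyArn": [
             "arn:aws-cn:iam::aws:policy/AWSElasticBeanstalk*"]}}},
    ],
})

# Constructed role ARN: a sample account and the default Elastic Beanstalk EC2 role name.
EB_ROLES = ["arn:aws-cn:iam::123456789012:role/aws-elasticbeanstalk-ec2-role"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def broad_grants(policy):
    """Return (action, reason) pairs for grants that no resource ARN or condition limits."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue                      # Deny statements and conditioned grants are scoped
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue                      # resource-scoped, e.g. role/aws-elasticbeanstalk*
        for action in _as_list(stmt["Action"]):
            if action.endswith(":*"):
                findings.append((action, "every action of the service on any resource"))
            elif action == "iam:PassRole":
                findings.append((action, "any role in the account can be passed to a service"))
    return findings


def audit(policy_json):
    """Run broad_grants over policy text fetched as JSON."""
    return broad_grants(json.loads(policy_json))


def scope_pass_role(policy, role_arns):
    """Return a copy in which iam:PassRole lives in its own statement limited to role_arns."""
    policy = json.loads(json.dumps(policy))   # deep copy; the caller's document is untouched
    statements = _as_list(policy["Statement"])
    for stmt in statements:
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and "iam:PassRole" in actions:
            stmt["Action"] = [a for a in actions if a != "iam:PassRole"]
    statements.append({"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": list(role_arns)})
    policy["Statement"] = statements
    return policy


def scoped_findings():
    """Findings that remain once iam:PassRole is bound to the roles Elastic Beanstalk uses."""
    return broad_grants(scope_pass_role(json.loads(FULL_ACCESS_EXCERPT), EB_ROLES))
```

Running `audit(FULL_ACCESS_EXCERPT)` flags `elasticbeanstalk:*`, `ec2:*`, `s3:*` and `iam:PassRole`, but not `iam:GetRole` (a single read action), `iam:CreateRole` (resource-scoped) or `iam:AttachRolePolicy` (conditioned). After `scope_pass_role`, `iam:PassRole` disappears from the findings while the service wildcards remain, which is exactly the limitation the note further down describes: a user who can create the environment's underlying resources can create other EC2 resources too.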

Controlling access with managed policies

You can use the managed policies to grant full access or read-only access to Elastic Beanstalk. Elastic Beanstalk updates these policies automatically when additional permissions are required to access new features.

To apply a managed policy to an IAM user

  1. Open the user in the IAM console.

  2. In the navigation pane, choose Permissions.

  3. Choose Attach Policy.

  4. Type AWSElasticBeanstalk to filter the policies.

  5. Choose AWSElasticBeanstalkReadOnlyAccess or AWSElasticBeanstalkFullAccess, and then choose Attach Policy.

Creating a custom user policy

You can create your own IAM policy to allow or deny specific Elastic Beanstalk API actions on specific Elastic Beanstalk resources. For more information about attaching a policy to a user or group, see Working with Policies in Using AWS Identity and Access Management.

Note

Although you can restrict how a user interacts with the Elastic Beanstalk API, there is currently no effective way to prevent a user who has permission to create the required underlying resources from creating other resources in Amazon EC2 and other services.

Think of these policies as an effective way to distribute Elastic Beanstalk responsibilities, not as a way to secure all underlying resources.

An IAM policy contains policy statements that describe the permissions you want to grant. When you create a policy statement for Elastic Beanstalk, you need to understand how to use the following four parts of a policy statement:

  • Effect specifies whether to allow or deny the actions in the statement.

  • Action specifies the API operations that you want to control. For example, use elasticbeanstalk:CreateEnvironment to specify the CreateEnvironment operation. Some operations, such as creating an environment, require additional permissions to perform. For more information, see Resources and Conditions for Elastic Beanstalk Actions.

    Note

    To use the UpdateTagsForResource API operation, specify one (or both) of the following two virtual actions instead of the API operation name:

    elasticbeanstalk:AddTags

    Controls permission to call UpdateTagsForResource and pass a list of tags to add in the TagsToAdd parameter.

    elasticbeanstalk:RemoveTags

    Controls permission to call UpdateTagsForResource and pass a list of tag keys to remove in the TagsToRemove parameter.

  • Resource specifies the resources to which you want to control access. To specify Elastic Beanstalk resources, list the Amazon Resource Name (ARN) of each resource.

  • (Optional) Condition specifies restrictions on the permission granted in the statement. For more information, see Resources and Conditions for Elastic Beanstalk Actions.

The following sections describe several situations in which you might want to consider a custom user policy.

Enabling limited Elastic Beanstalk environment creation

The policy in the following example lets a user call the CreateEnvironment action to create environments whose names begin with Test, using the specified application and application version.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateEnvironmentPerm",
            "Action": [
                "elasticbeanstalk:CreateEnvironment"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws-cn:elasticbeanstalk:us-west-2:123456789012:environment/My First Elastic Beanstalk Application/Test*"
            ],
            "Condition": {
                "StringEquals": {
                    "elasticbeanstalk:InApplication": [
                        "arn:aws-cn:elasticbeanstalk:us-west-2:123456789012:application/My First Elastic Beanstalk Application"
                    ],
                    "elasticbeanstalk:FromApplicationVersion": [
                        "arn:aws-cn:elasticbeanstalk:us-west-2:123456789012:applicationversion/My First Elastic Beanstalk Application/First Release"
                    ]
                }
            }
        },
        {
            "Sid": "AllNonResourceCalls",
            "Action": [
                "elasticbeanstalk:CheckDNSAvailability",
                "elasticbeanstalk:CreateStorageLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        }
    ]
}

The preceding policy shows how to grant limited access to Elastic Beanstalk actions. To actually launch an environment, the user must also have permission to create the AWS resources that support the environment. For example, the following policy grants access to the default set of resources for a web server environment:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "ecs:*",
                "elasticloadbalancing:*",
                "autoscaling:*",
                "cloudwatch:*",
                "s3:*",
                "sns:*",
                "cloudformation:*",
                "sqs:*"
            ],
            "Resource": "*"
        }
    ]
}

Enabling access to Elastic Beanstalk logs stored in Amazon S3

The policy in the following example lets a user view and retrieve Elastic Beanstalk logs stored in Amazon S3.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:DeleteObject",
                "s3:GetObjectAcl",
                "s3:PutObjectAcl"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws-cn:s3:::elasticbeanstalk-*"
        }
    ]
}

Note

To restrict these permissions to the logs path only, use the following resource format. The wildcard in `arn:aws-cn:s3:::elasticbeanstalk-*` matches every object in every bucket whose name starts with elasticbeanstalk-, including the application version bundles that Elastic Beanstalk stores in the same bucket, so the narrower form is the one to prefer.

"arn:aws-cn:s3:::elasticbeanstalk-us-west-2-123456789012/resources/environments/logs/*"

Enabling management of a specific Elastic Beanstalk application

The policy in the following example lets a user manage environments and other resources within one specific Elastic Beanstalk application. The policy denies Elastic Beanstalk actions on resources of other applications, and denies creation and deletion of Elastic Beanstalk applications.

Note

The policy does not deny access to any resources through other services. It demonstrates an effective way to distribute responsibility for managing Elastic Beanstalk applications among users, not a way to secure the underlying resources. Because the policy contains only Deny statements, it grants nothing on its own: attach it alongside an Allow policy such as AWSElasticBeanstalkFullAccess, and the explicit denies take precedence over the broader allow.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "elasticbeanstalk:CreateApplication",
                "elasticbeanstalk:DeleteApplication"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Deny",
            "Action": [
                "elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:CreateConfigurationTemplate",
                "elasticbeanstalk:CreateEnvironment",
                "elasticbeanstalk:DeleteApplicationVersion",
                "elasticbeanstalk:DeleteConfigurationTemplate",
                "elasticbeanstalk:DeleteEnvironmentConfiguration",
                "elasticbeanstalk:DescribeApplicationVersions",
                "elasticbeanstalk:DescribeConfigurationOptions",
                "elasticbeanstalk:DescribeConfigurationSettings",
                "elasticbeanstalk:DescribeEnvironmentResources",
                "elasticbeanstalk:DescribeEnvironments",
                "elasticbeanstalk:DescribeEvents",
                "elasticbeanstalk:RebuildEnvironment",
                "elasticbeanstalk:RequestEnvironmentInfo",
                "elasticbeanstalk:RestartAppServer",
                "elasticbeanstalk:RetrieveEnvironmentInfo",
                "elasticbeanstalk:SwapEnvironmentCNAMEs",
                "elasticbeanstalk:TerminateEnvironment",
                "elasticbeanstalk:UpdateApplicationVersion",
                "elasticbeanstalk:UpdateConfigurationTemplate",
                "elasticbeanstalk:UpdateEnvironment",
                "elasticbeanstalk:ValidateConfigurationSettings"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "elasticbeanstalk:InApplication": [
                        "arn:aws-cn:elasticbeanstalk:us-west-2:123456789012:application/myapplication"
                    ]
                }
            }
        }
    ]
}
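The four statement parts described earlier (Effect, Action, Resource, Condition), the AddTags/RemoveTags virtual actions, the limited CreateEnvironment policy, and the per-application Deny policy above all come down to the same evaluation rules. The following added example, which is not AWS code and not part of this guide, is a small evaluator that models just those rules, enough to check the page's policies offline against concrete requests before attaching them. It uses the page's constructed ARNs (account 123456789012, region us-west-2, partition aws-cn); `FULL_EB` is a constructed stand-in for a broad allow such as AWSElasticBeanstalkFullAccess, and `PER_APP_DENY` is an abridged form of the policy above.

```python
"""Minimal IAM policy evaluator for the Elastic Beanstalk policies on this page.

Added example, not AWS code. It models only what the page relies on: Action and
Resource wildcard matching, StringEquals / StringNotEquals / StringLike, the
elasticbeanstalk:AddTags and RemoveTags virtual actions, and the rule that an
explicit Deny beats any Allow while the default decision is Deny.
"""
import fnmatch

# Constructed identifiers taken from the page's example ARNs (aws-cn partition).
EB = "arn:aws-cn:elasticbeanstalk:us-west-2:123456789012"
APP1 = "My First Elastic Beanstalk Application"
FIRST_APP = f"{EB}:application/{APP1}"
MY_APP = f"{EB}:application/myapplication"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    # IAM '*' matches any run of characters, '/' included, and '?' one character.
    # fnmatch would also honour '[...]' classes, which IAM lacks, so escape '['.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def _condition_ok(condition, context):
    """Every operator block and every key must hold for the statement to apply."""
    for operator, keys in (condition or {}).items():
        for key, expected in keys.items():
            actual = context.get(key)          # None when the request lacks the key
            values = _as_list(expected)
            if operator == "StringEquals":
                ok = actual in values
            elif operator == "StringNotEquals":
                ok = actual not in values      # IAM: a missing key satisfies a negated operator
            elif operator == "StringLike":
                ok = actual is not None and any(_glob(p, actual) for p in values)
            else:
                raise ValueError(f"operator not modelled here: {operator}")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request across every attached policy."""
    context = context or {}
    decision = "Deny"                          # implicit deny until an Allow matches
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_ok(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"                  # an explicit Deny is final
            decision = "Allow"
    return decision


def authorize_update_tags(policies, resource, tags_to_add=(), tags_to_remove=(), context=None):
    """UpdateTagsForResource is authorized through one virtual action per parameter."""
    needed = set()
    if tags_to_add:
        needed.add("elasticbeanstalk:AddTags")
    if tags_to_remove:
        needed.add("elasticbeanstalk:RemoveTags")
    return all(evaluate(policies, a, resource, context) == "Allow" for a in needed)


# The page's "limited environment creation" statement.
LIMITED_CREATE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["elasticbeanstalk:CreateEnvironment"],
    "Resource": [f"{EB}:environment/{APP1}/Test*"],
    "Condition": {"StringEquals": {
        "elasticbeanstalk:InApplication": [FIRST_APP],
        "elasticbeanstalk:FromApplicationVersion": [f"{EB}:applicationversion/{APP1}/First Release"]}},
}]}

# Abridged form of the page's "manage a specific application" policy (Deny only).
PER_APP_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Resource": "*",
     "Action": ["elasticbeanstalk:CreateApplication", "elasticbeanstalk:DeleteApplication"]},
    {"Effect": "Deny", "Resource": "*",
     "Action": ["elasticbeanstalk:CreateEnvironment", "elasticbeanstalk:UpdateEnvironment",
                "elasticbeanstalk:TerminateEnvironment"],
     "Condition": {"StringNotEquals": {"elasticbeanstalk:InApplication": [MY_APP]}}},
]}

# Constructed stand-ins: a broad Allow like AWSElasticBeanstalkFullAccess, and an AddTags-only grant.
FULL_EB = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "elasticbeanstalk:*", "Resource": "*"}]}
TAGS_ADD_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "elasticbeanstalk:AddTags", "Resource": "*"}]}


def demo():
    """Decisions for the requests described in the page's prose."""
    ctx1 = {"elasticbeanstalk:InApplication": FIRST_APP,
            "elasticbeanstalk:FromApplicationVersion": f"{EB}:applicationversion/{APP1}/First Release"}
    ctx_v2 = dict(ctx1, **{"elasticbeanstalk:FromApplicationVersion": f"{EB}:applicationversion/{APP1}/Second Release"})
    ctx_my = {"elasticbeanstalk:InApplication": MY_APP}
    ctx_other = {"elasticbeanstalk:InApplication": f"{EB}:application/otherapp"}
    create, update = "elasticbeanstalk:CreateEnvironment", "elasticbeanstalk:UpdateEnvironment"
    my_env = f"{EB}:environment/myapplication/prod"
    return {
        "test_env": evaluate([LIMITED_CREATE], create, f"{EB}:environment/{APP1}/Test-1", ctx1),
        "prod_env": evaluate([LIMITED_CREATE], create, f"{EB}:environment/{APP1}/Prod-1", ctx1),
        "wrong_version": evaluate([LIMITED_CREATE], create, f"{EB}:environment/{APP1}/Test-1", ctx_v2),
        "my_app_update": evaluate([FULL_EB, PER_APP_DENY], update, my_env, ctx_my),
        "other_app_update": evaluate([FULL_EB, PER_APP_DENY], update, f"{EB}:environment/otherapp/prod", ctx_other),
        "create_app": evaluate([FULL_EB, PER_APP_DENY], "elasticbeanstalk:CreateApplication", f"{EB}:application/newapp"),
        "deny_only": evaluate([PER_APP_DENY], update, my_env, ctx_my),
        "tags_add": authorize_update_tags([TAGS_ADD_ONLY], my_env, tags_to_add={"owner": "team-a"}),
        "tags_add_remove": authorize_update_tags([TAGS_ADD_ONLY], my_env, {"owner": "team-a"}, ["stage"]),
    }
```

`demo()` returns Allow for a Test-prefixed environment created from "First Release", and Deny for a Prod-prefixed name or for a different application version, because the Resource pattern and both StringEquals keys must match together. With the broad allow and the per-application denies attached as a pair, UpdateEnvironment is allowed in myapplication, denied in any other application, and CreateApplication is denied everywhere; with the Deny-only policy attached by itself nothing is allowed. The last two entries show the tagging rule: an AddTags-only grant covers an UpdateTagsForResource call that only adds tags, but not one that also passes TagsToRemove.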