Resources and conditions for Elastic Beanstalk actions - AWS Elastic Beanstalk


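Resources and conditions for Elastic Beanstalk actions

This section describes the resources and conditions that you can use in policy statements to grant permissions that allow specific Elastic Beanstalk actions to be performed on specific Elastic Beanstalk resources.

Conditions enable you to specify permissions to resources that the action needs to complete. For example, when you call the CreateEnvironment action, you must also specify the application version to deploy as well as the application that contains that application name. When you set permissions for the CreateEnvironment action, you specify the application and application version that you want the action to act upon by using the InApplication and FromApplicationVersion conditions.

In addition, you can specify the environment configuration with a solution stack (FromSolutionStack) or a configuration template (FromConfigurationTemplate). The following policy statement allows the CreateEnvironment action to create an environment named myenv (specified by Resource) in the application My App (specified by the InApplication condition), using the application version My Version (FromApplicationVersion) with a 32bit Amazon Linux running Tomcat 7 configuration (FromSolutionStack):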

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:CreateEnvironment" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"], "elasticbeanstalk:FromApplicationVersion": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:applicationversion/My App/My Version"], "elasticbeanstalk:FromSolutionStack": ["arn:aws:elasticbeanstalk:us-east-2::solutionstack/32bit Amazon Linux running Tomcat 7"] } } } ] }
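Note

Most condition keys mentioned in this topic are specific to Elastic Beanstalk, and their names contain the elasticbeanstalk: prefix. For brevity, we omit this prefix from the condition key names when we mention them in the following sections. For example, we mention InApplication instead of its full name elasticbeanstalk:InApplication.

In contrast, we mention a few condition keys used across AWS services, and we include their aws: prefix to highlight the exception.

Policy examples always show full condition key names, including the prefix.

Policy information for Elastic Beanstalk actions

The following table lists all Elastic Beanstalk actions, the resource that each action acts upon, and the additional contextual information that can be provided using conditions.

Policy information for Elastic Beanstalk actions, including resources, conditions, examples, and dependencies
Resources | Conditions | Example statement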

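Action: AbortEnvironmentUpdate

Resources: application, environment

Conditions: aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows a user to abort environment update operations on environments in an application named My App.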

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:AbortEnvironmentUpdate" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App" ] } ] }

Action: CheckDNSAvailability

Resources: "*"

Conditions: N/A

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:CheckDNSAvailability" ], "Effect": "Allow", "Resource": "*" } ] }

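Action: ComposeEnvironments

Resources: application

Conditions: aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows a user to compose environments that belong to an application named My App.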

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:ComposeEnvironments" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App" ] } ] }

Action: CreateApplication

Resources: application

Conditions: aws:RequestTag/key-name (optional), aws:TagKeys (optional)

This example allows the CreateApplication action to create applications whose names begin with DivA:

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:CreateApplication" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/DivA*" ] } ] }

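Action: CreateApplicationVersion

Resources: applicationversion

Conditions: InApplication, aws:RequestTag/key-name (optional), aws:TagKeys (optional)

This example allows the CreateApplicationVersion action to create application versions with any name (*) in the application My App: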

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:CreateApplicationVersion" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:applicationversion/My App/*" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"] } } } ] }

Action: CreateConfigurationTemplate

Resources: configurationtemplate

Conditions: InApplication, FromApplication, FromApplicationVersion, FromConfigurationTemplate, FromEnvironment, FromSolutionStack, aws:RequestTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the CreateConfigurationTemplate action to create configuration templates whose names begin with My Template (My Template*) in the application My App:

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:CreateConfigurationTemplate" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:configurationtemplate/My App/My Template*" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"], "elasticbeanstalk:FromSolutionStack": ["arn:aws:elasticbeanstalk:us-east-2::solutionstack/32bit Amazon Linux running Tomcat 7"] } } } ] }

Action: CreateEnvironment

Resources: environment

Conditions: InApplication, FromApplicationVersion, FromConfigurationTemplate, FromSolutionStack, aws:RequestTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the CreateEnvironment action to create an environment named myenv in the application My App, using the solution stack 32bit Amazon Linux running Tomcat 7:

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:CreateEnvironment" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"], "elasticbeanstalk:FromApplicationVersion": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:applicationversion/My App/My Version"], "elasticbeanstalk:FromSolutionStack": ["arn:aws:elasticbeanstalk:us-east-2::solutionstack/32bit Amazon Linux running Tomcat 7"] } } } ] }

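Action: CreatePlatformVersion

Resources: platform

Conditions: aws:RequestTag/key-name (optional), aws:TagKeys (optional)

This example allows the CreatePlatformVersion action to create platform versions targeting the us-east-2 region, whose names begin with us-east-2_: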

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:CreatePlatformVersion" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:platform/us-east-2_*" ] } ] }

Action: CreateStorageLocation

Resources: "*"

Conditions: N/A

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:CreateStorageLocation" ], "Effect": "Allow", "Resource": "*" } ] }

Action: DeleteApplication

Resources: application

Conditions: aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the DeleteApplication action to delete the application My App:

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:DeleteApplication" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App" ] } ] }

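Action: DeleteApplicationVersion

Resources: applicationversion

Conditions: InApplication, aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the DeleteApplicationVersion action to delete the application version named My Version in the application My App: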

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:DeleteApplicationVersion" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:applicationversion/My App/My Version" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"] } } } ] }

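Action: DeleteConfigurationTemplate

Resources: configurationtemplate

Conditions: InApplication (optional), aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the DeleteConfigurationTemplate action to delete the configuration template named My Template in the application My App. Specifying the application name as a condition is optional.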

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:DeleteConfigurationTemplate" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:configurationtemplate/My App/My Template" ] } ] }

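Action: DeleteEnvironmentConfiguration

Resources: environment

Conditions: InApplication (optional)

The following policy allows the DeleteEnvironmentConfiguration action to delete a draft configuration for the environment myenv in the application My App. Specifying the application name as a condition is optional.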

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:DeleteEnvironmentConfiguration" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ] } ] }

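Action: DeletePlatformVersion

Resources: platform

Conditions: aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the DeletePlatformVersion action to delete platform versions targeting the us-east-2 region, whose names begin with us-east-2_: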

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:DeletePlatformVersion" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:platform/us-east-2_*" ] } ] }

Action: DescribeApplications

Resources: application

Conditions: aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the DescribeApplications action to describe the application My App.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:DescribeApplications" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App" ] } ] }

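Action: DescribeApplicationVersions

Resources: applicationversion

Conditions: InApplication (optional), aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the DescribeApplicationVersions action to describe the application version My Version in the application My App. Specifying the application name as a condition is optional.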

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:DescribeApplicationVersions" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:applicationversion/My App/My Version" ] } ] }

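Action: DescribeConfigurationOptions

Resources: environment, configurationtemplate, solutionstack

Conditions: InApplication (optional), aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the DescribeConfigurationOptions action to describe the configuration options for the environment myenv in the application My App. Specifying the application name as a condition is optional.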

{ "Version": "2012-10-17", "Statement": [ { "Action": "elasticbeanstalk:DescribeConfigurationOptions", "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ] } ] }

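Action: DescribeConfigurationSettings

Resources: environment, configurationtemplate

Conditions: InApplication (optional), aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the DescribeConfigurationSettings action to describe the configuration settings for the environment myenv in the application My App. Specifying the application name as a condition is optional.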

{ "Version": "2012-10-17", "Statement": [ { "Action": "elasticbeanstalk:DescribeConfigurationSettings", "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ] } ] }

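Action: DescribeEnvironmentHealth

Resources: environment

Conditions: aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows use of DescribeEnvironmentHealth to retrieve health information for an environment named myenv.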

{ "Version": "2012-10-17", "Statement": [ { "Action": "elasticbeanstalk:DescribeEnvironmentHealth", "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ] } ] }

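Action: DescribeEnvironmentResources

Resources: environment

Conditions: InApplication (optional), aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the DescribeEnvironmentResources action to return the list of AWS resources for the environment myenv in the application My App. Specifying the application name as a condition is optional.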

{ "Version": "2012-10-17", "Statement": [ { "Action": "elasticbeanstalk:DescribeEnvironmentResources", "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ] } ] }

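Action: DescribeEnvironments

Resources: environment

Conditions: InApplication (optional), aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the DescribeEnvironments action to describe the environments myenv and myotherenv in the application My App. Specifying the application name as a condition is optional.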

{ "Version": "2012-10-17", "Statement": [ { "Action": "elasticbeanstalk:DescribeEnvironments", "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv", "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App2/myotherenv" ] } ] }

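Action: DescribeEvents

Resources: application, applicationversion, configurationtemplate, environment

Conditions: InApplication, aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the DescribeEvents action to list event descriptions for the environment myenv and the application version My Version in the application My App.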

{ "Version": "2012-10-17", "Statement": [ { "Action": "elasticbeanstalk:DescribeEvents", "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv", "arn:aws:elasticbeanstalk:us-east-2:123456789012:applicationversion/My App/My Version" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"] } } } ] }

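Action: DescribeInstancesHealth

Resources: environment

Conditions: N/A

The following policy allows use of DescribeInstancesHealth to retrieve health information for the instances in an environment named myenv.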

{ "Version": "2012-10-17", "Statement": [ { "Action": "elasticbeanstalk:DescribeInstancesHealth", "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ] } ] }

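Action: DescribePlatformVersion

Resources: platform

Conditions: aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the DescribePlatformVersion action to describe platform versions targeting the us-east-2 region, whose names begin with us-east-2_: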

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:DescribePlatformVersion" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:platform/us-east-2_*" ] } ] }

Action: ListAvailableSolutionStacks

Resources: solutionstack

Conditions: N/A

The following policy allows the ListAvailableSolutionStacks action to return only the solution stack 32bit Amazon Linux running Tomcat 7:

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:ListAvailableSolutionStacks" ], "Effect": "Allow", "Resource": "arn:aws:elasticbeanstalk:us-east-2::solutionstack/32bit Amazon Linux running Tomcat 7" } ] }

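Action: ListPlatformVersions

Resources: platform

Conditions: aws:RequestTag/key-name (optional), aws:TagKeys (optional)

This example allows the ListPlatformVersions action to list platform versions targeting the us-east-2 region, whose names begin with us-east-2_: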

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:ListPlatformVersions" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:platform/us-east-2_*" ] } ] }

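Action: ListTagsForResource

Resources: application, applicationversion, configurationtemplate, environment, platform

Conditions: aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the ListTagsForResource action to list the tags of existing resources only if they have a tag named stage with the value test.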

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:ListTagsForResource" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/stage": ["test"] } } } ] }

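Action: RebuildEnvironment

Resources: environment

Conditions: InApplication, aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the RebuildEnvironment action to rebuild the environment myenv in the application My App: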

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:RebuildEnvironment" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"] } } } ] }

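Action: RequestEnvironmentInfo

Resources: environment

Conditions: InApplication, aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the RequestEnvironmentInfo action to compile information about the environment myenv in the application My App.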

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:RequestEnvironmentInfo" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"] } } } ] }

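Action: RestartAppServer

Resources: environment

Conditions: InApplication

The following policy allows the RestartAppServer action to restart the application container server for the environment myenv in the application My App.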

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:RestartAppServer" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"] } } } ] }

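Action: RetrieveEnvironmentInfo

Resources: environment

Conditions: InApplication, aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the RetrieveEnvironmentInfo action to retrieve the compiled information for the environment myenv in the application My App.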

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:RetrieveEnvironmentInfo" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"] } } } ] }

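Action: SwapEnvironmentCNAMEs

Resources: environment

Conditions: InApplication (optional), FromEnvironment (optional)

The following policy allows the SwapEnvironmentCNAMEs action to swap the CNAMEs for the environments mysrcenv and mydestenv.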

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:SwapEnvironmentCNAMEs" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/mysrcenv", "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/mydestenv" ] } ] }

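Action: TerminateEnvironment

Resources: environment

Conditions: InApplication, aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the TerminateEnvironment action to terminate the environment myenv in the application My App: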

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:TerminateEnvironment" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"] } } } ] }

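Action: UpdateApplication

Resources: application

Conditions: aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the UpdateApplication action to update the properties of the application My App.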

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:UpdateApplication" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App" ] } ] }

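Action: UpdateApplicationResourceLifecycle

Resources: application

Conditions: aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the UpdateApplicationResourceLifecycle action to update the lifecycle settings of the application My App.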

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:UpdateApplicationResourceLifecycle" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App" ] } ] }

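Action: UpdateApplicationVersion

Resources: applicationversion

Conditions: InApplication, aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the UpdateApplicationVersion action to update the properties of the application version My Version in the application My App.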

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:UpdateApplicationVersion" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:applicationversion/My App/My Version" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"] } } } ] }

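Action: UpdateConfigurationTemplate

Resources: configurationtemplate

Conditions: InApplication, aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the UpdateConfigurationTemplate action to update the properties or options of the configuration template My Template in the application My App.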

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:UpdateConfigurationTemplate" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:configurationtemplate/My App/My Template" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"] } } } ] }

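Action: UpdateEnvironment

Resources: environment

Conditions: InApplication, FromApplicationVersion, FromConfigurationTemplate, aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the UpdateEnvironment action to update the environment myenv in the application My App by deploying the application version My Version: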

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:UpdateEnvironment" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"], "elasticbeanstalk:FromApplicationVersion": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:applicationversion/My App/My Version"] } } } ] }

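Action: UpdateTagsForResource - AddTags

Resources: application, applicationversion, configurationtemplate, environment, platform

Conditions: aws:ResourceTag/key-name (optional), aws:RequestTag/key-name (optional), aws:TagKeys (optional)

The AddTags action is one of two virtual actions associated with the UpdateTagsForResource API.

The following policy allows the AddTags action to modify the tags of existing resources only if they have a tag named stage with the value test.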

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:AddTags" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/stage": ["test"] } } } ] }

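Action: UpdateTagsForResource - RemoveTags

Resources: application, applicationversion, configurationtemplate, environment, platform

Conditions: aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The RemoveTags action is one of two virtual actions associated with the UpdateTagsForResource API.

The following policy denies the RemoveTags action when the request would remove a tag named stage from existing resources: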

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:RemoveTags" ], "Effect": "Deny", "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:TagKeys": ["stage"] } } } ] }

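Action: ValidateConfigurationSettings

Resources: template, environment

Conditions: InApplication, aws:ResourceTag/key-name (optional), aws:TagKeys (optional)

The following policy allows the ValidateConfigurationSettings action to validate configuration settings against the environment myenv in the application My App.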

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:ValidateConfigurationSettings" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"] } } } ] }
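
The table above lists InApplication as optional for some actions and without that marker for others. The following added example (not part of the AWS documentation) lints a policy against that distinction and checks that the application in each Resource ARN agrees with the InApplication value. The sample policy, the constants and the function names are constructed for illustration, and only exact action names are checked, not wildcards such as elasticbeanstalk:*.

```python
EB = "elasticbeanstalk:"
ARN = "arn:aws:elasticbeanstalk:us-east-2:123456789012:"  # account used on this page
# Actions for which this page's table lists InApplication without "(optional)".
NEEDS_IN_APPLICATION = {
    "CreateApplicationVersion", "CreateConfigurationTemplate", "CreateEnvironment",
    "DeleteApplicationVersion", "DescribeEvents", "RebuildEnvironment",
    "RequestEnvironmentInfo", "RestartAppServer", "RetrieveEnvironmentInfo",
    "TerminateEnvironment", "UpdateApplicationVersion",
    "UpdateConfigurationTemplate", "UpdateEnvironment",
    "ValidateConfigurationSettings",
}
CHILD_TYPES = {"environment", "applicationversion", "configurationtemplate"}


def as_list(value):
    """IAM accepts a single string or a list for Action, Resource and values."""
    return value if isinstance(value, list) else [value]


def in_application_arns(statement):
    """Collect InApplication values from any condition operator (key names are case-insensitive)."""
    arns = []
    for keys in statement.get("Condition", {}).values():
        for key, value in keys.items():
            if key.lower() == (EB + "InApplication").lower():
                arns.extend(as_list(value))
    return arns


def app_of(arn):
    """Return (resource_type, application_name) for an Elastic Beanstalk ARN, else None."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "elasticbeanstalk":
        return None
    segments = parts[5].split("/")
    return (segments[0], segments[1]) if len(segments) > 1 else None


def lint(policy):
    """Return (statement_index, action, problem) for every Allow statement that fails a check."""
    findings = []
    for i, st in enumerate(as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        scoped = in_application_arns(st)
        apps = {p[1] for p in map(app_of, scoped) if p and p[0] == "application"}
        for action in as_list(st.get("Action", [])):
            name = action[len(EB):] if action.startswith(EB) else action
            if name not in NEEDS_IN_APPLICATION:
                continue
            if not scoped:
                findings.append((i, name, "no InApplication condition"))
                continue
            for res in as_list(st.get("Resource", [])):
                p = app_of(res)
                if p and p[0] in CHILD_TYPES and "*" not in p[1] and p[1] not in apps:
                    findings.append((i, name, "Resource application %r not in InApplication" % p[1]))
    return findings


# Constructed sample: statement 0 mirrors the TerminateEnvironment example above.
ENV = ARN + "environment/My App/myenv"
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": EB + "TerminateEnvironment", "Resource": [ENV],
     "Condition": {"StringEquals": {EB + "InApplication": [ARN + "application/My App"]}}},
    {"Effect": "Allow", "Action": [EB + "TerminateEnvironment"], "Resource": [ENV]},
    {"Effect": "Allow", "Action": [EB + "UpdateEnvironment"], "Resource": [ENV],
     "Condition": {"StringEquals": {EB + "InApplication": [ARN + "application/Other App"]}}},
    {"Effect": "Allow", "Action": [EB + "DescribeEnvironments"], "Resource": [ENV]},
]}
```

Calling lint(SAMPLE) reports statement 1 (condition missing) and statement 2 (application mismatch); statement 3 passes because the table marks InApplication as optional for DescribeEnvironments.
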

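Condition keys for Elastic Beanstalk actions

Keys enable you to specify conditions that express dependencies, restrict permissions, or specify constraints on the input parameters for an action. Elastic Beanstalk supports the following keys.

InApplication

Specifies the application that contains the resource that the action operates on.

The following example allows the UpdateApplicationVersion action to update the properties of the application version My Version. The InApplication condition specifies My App as the container for My Version.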

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:UpdateApplicationVersion" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:applicationversion/My App/My Version" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"] } } } ] }
FromApplicationVersion

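Specifies an application version as a dependency or a constraint on an input parameter.

The following example allows the UpdateEnvironment action to update the environment myenv in the application My App. The FromApplicationVersion condition constrains the VersionLabel parameter to allow only the application version My Version to update the environment.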

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:UpdateEnvironment" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"], "elasticbeanstalk:FromApplicationVersion": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:applicationversion/My App/My Version"] } } } ] }
FromConfigurationTemplate

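Specifies a configuration template as a dependency or a constraint on an input parameter.

The following example allows the UpdateEnvironment action to update the environment myenv in the application My App. The FromConfigurationTemplate condition constrains the TemplateName parameter to allow only the configuration template My Template to update the environment.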

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:UpdateEnvironment" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/myenv" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"], "elasticbeanstalk:FromConfigurationTemplate": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:configurationtemplate/My App/My Template"] } } } ] }
FromEnvironment

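Specifies an environment as a dependency or a constraint on an input parameter.

The following example allows the SwapEnvironmentCNAMEs action to swap the CNAMEs in My App for all environments whose names begin with mysrcenv and mydestenv, but not for environments whose names begin with mysrcenvPROD and mydestenvPROD (mysrcenvPROD* and mydestenvPROD*).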

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:SwapEnvironmentCNAMEs" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/mysrcenv*", "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/mydestenv*" ], "Condition": { "StringNotLike": { "elasticbeanstalk:FromEnvironment": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/mysrcenvPROD*", "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My App/mydestenvPROD*" ] } } } ] }
FromSolutionStack

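Specifies a solution stack as a dependency or a constraint on an input parameter.

The following policy allows the CreateConfigurationTemplate action to create configuration templates whose names begin with My Template (My Template*) in the application My App. The FromSolutionStack condition constrains the solutionstack parameter to allow only the solution stack 32bit Amazon Linux running Tomcat 7 as the input value for that parameter.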

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "elasticbeanstalk:CreateConfigurationTemplate" ], "Effect": "Allow", "Resource": [ "arn:aws:elasticbeanstalk:us-east-2:123456789012:configurationtemplate/My App/My Template*" ], "Condition": { "StringEquals": { "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App"], "elasticbeanstalk:FromSolutionStack": ["arn:aws:elasticbeanstalk:us-east-2::solutionstack/32bit Amazon Linux running Tomcat 7"] } } } ] }
aws:ResourceTag/key-name
aws:RequestTag/key-name
aws:TagKeys

Specify tag-based conditions. For details, see Using tags to control access to Elastic Beanstalk resources.