Elastic Beanstalk 服務角色 - AWS Elastic Beanstalk

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

Elastic Beanstalk 服務角色

服務角色是 Elastic Beanstalk 代表您呼叫其他服務時所IAM扮演的角色。例如,Elastic Beanstalk 在呼叫 Amazon 彈性運算雲端 (AmazonEC2)、Elastic Load Balancing 和 Amazon EC2 Auto Scaling APIs 來收集資訊時,會使用服務角色。Elastic Beanstalk 使用的服務角色是您在建立 Elastic Beanstalk 環境時指定的服務角色。

有兩個連接至服務角色的受管政策:這些政策提供許可,讓 Elastic Beanstalk 能存取建立和管理環境所需的 AWS 資源。一個受管政策為增強型運作狀態監控和工作者層 Amazon SQS 支援提供許可,另一個政策則則提供受管平台更新所需的其他許可。

此政策授予 Elastic Beanstalk 監控環境運作狀態所需的所有許可。它還包括 Amazon SQS 操作,允許 Elastic Beanstalk 監控工作環境的隊列活動。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticloadbalancing:DescribeInstanceHealth", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetHealth", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:GetConsoleOutput", "ec2:AssociateAddress", "ec2:DescribeAddresses", "ec2:DescribeSecurityGroups", "sqs:GetQueueAttributes", "sqs:GetQueueUrl", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeScalingActivities", "autoscaling:DescribeNotificationConfigurations", "sns:Publish" ], "Resource": [ "*" ] } ] }

此政策會授予許可,讓 Elastic Beanstalk 能夠代表您更新環境以執行受管平台更新。

服務層級許可分組

此政策會根據提供的許可集分組到陳述式中。

  • ElasticBeanstalkPermissions— 這組權限用於調用 Elastic Beanstalk 服務操作(Elastic Be APIs anstalk)。

  • AllowPassRoleToElasticBeanstalkAndDownstreamServices – 此許可群組允許將任何角色傳遞給 Elastic Beanstalk 和其他下游服務,如 AWS CloudFormation。

  • ReadOnlyPermissions – 此許可群組用於收集執行中環境的相關資訊。

  • *OperationPermissions – 具有此命名模式的群組用於呼叫必要的操作來執行平台更新。

  • *BroadOperationPermissions – 具有此命名模式的群組用於呼叫必要的操作來執行平台更新。它們也包含支援舊式環境的廣泛許可。

  • *TagResource— 具有此命名模式的群組適用於在 Elastic Beanstalk 環境中建立的資源上附加標籤的呼叫。 tag-on-create APIs

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ElasticBeanstalkPermissions", "Effect": "Allow", "Action": [ "elasticbeanstalk:*" ], "Resource": "*" }, { "Sid": "AllowPassRoleToElasticBeanstalkAndDownstreamServices", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": [ "elasticbeanstalk.amazonaws.com", "ec2.amazonaws.com", "ec2.amazonaws.com.rproxy.goskope.com.cn", "autoscaling.amazonaws.com", "elasticloadbalancing.amazonaws.com", "ecs.amazonaws.com", "cloudformation.amazonaws.com" ] } } }, { "Sid": "ReadOnlyPermissions", "Effect": "Allow", "Action": [ "autoscaling:DescribeAccountLimits", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLoadBalancers", "autoscaling:DescribeNotificationConfigurations", "autoscaling:DescribeScalingActivities", "autoscaling:DescribeScheduledActions", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeAvailabilityZones", "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstances", "ec2:DescribeKeyPairs", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots", "ec2:DescribeSpotInstanceRequests", "ec2:DescribeSubnets", "ec2:DescribeVpcClassicLink", "ec2:DescribeVpcs", "elasticloadbalancing:DescribeInstanceHealth", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", "logs:DescribeLogGroups", "rds:DescribeDBEngineVersions", "rds:DescribeDBInstances", "rds:DescribeOrderableDBInstanceOptions", "sns:ListSubscriptionsByTopic" ], "Resource": [ "*" ] }, { "Sid": "EC2BroadOperationPermissions", "Effect": "Allow", "Action": [ "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion", "ec2:CreateSecurityGroup", "ec2:DeleteLaunchTemplate", "ec2:DeleteLaunchTemplateVersions", "ec2:DeleteSecurityGroup", "ec2:DisassociateAddress", "ec2:ReleaseAddress", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress" ], "Resource": "*" }, { "Sid": "EC2RunInstancesOperationPermissions", "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*", "Condition": { "ArnLike": { "ec2:LaunchTemplate": "arn:aws:ec2:*:*:launch-template/*" } } }, { "Sid": "EC2TerminateInstancesOperationPermissions", "Effect": "Allow", "Action": [ "ec2:TerminateInstances" ], "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "StringLike": { "ec2:ResourceTag/aws:cloudformation:stack-id": [ "arn:aws:cloudformation:*:*:stack/awseb-e-*", "arn:aws:cloudformation:*:*:stack/eb-*" ] } } }, { "Sid": "ECSBroadOperationPermissions", "Effect": "Allow", "Action": [ "ecs:CreateCluster", "ecs:DescribeClusters", "ecs:RegisterTaskDefinition" ], "Resource": "*" }, { "Sid": "ECSDeleteClusterOperationPermissions", "Effect": "Allow", "Action": "ecs:DeleteCluster", "Resource": "arn:aws:ecs:*:*:cluster/awseb-*" }, { "Sid": "ASGOperationPermissions", "Effect": "Allow", "Action": [ "autoscaling:AttachInstances", "autoscaling:CreateAutoScalingGroup", "autoscaling:CreateLaunchConfiguration", "autoscaling:CreateOrUpdateTags", "autoscaling:DeleteLaunchConfiguration", "autoscaling:DeleteAutoScalingGroup", "autoscaling:DeleteScheduledAction", "autoscaling:DetachInstances", "autoscaling:DeletePolicy", "autoscaling:PutScalingPolicy", "autoscaling:PutScheduledUpdateGroupAction", "autoscaling:PutNotificationConfiguration", "autoscaling:ResumeProcesses", "autoscaling:SetDesiredCapacity", "autoscaling:SuspendProcesses", "autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup" ], "Resource": [ "arn:aws:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/awseb-e-*", "arn:aws:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/eb-*", "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/awseb-e-*", "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/eb-*" ] }, { "Sid": "CFNOperationPermissions", "Effect": "Allow", "Action": [ "cloudformation:*" ], "Resource": [ "arn:aws:cloudformation:*:*:stack/awseb-*", "arn:aws:cloudformation:*:*:stack/eb-*" ] }, { "Sid": "ELBOperationPermissions", "Effect": "Allow", "Action": [ "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:ConfigureHealthCheck", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets" ], "Resource": [ "arn:aws:elasticloadbalancing:*:*:targetgroup/awseb-*", "arn:aws:elasticloadbalancing:*:*:targetgroup/eb-*", "arn:aws:elasticloadbalancing:*:*:loadbalancer/awseb-*", "arn:aws:elasticloadbalancing:*:*:loadbalancer/eb-*", "arn:aws:elasticloadbalancing:*:*:loadbalancer/*/awseb-*/*", "arn:aws:elasticloadbalancing:*:*:loadbalancer/*/eb-*/*" ] }, { "Sid": "CWLogsOperationPermissions", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:DeleteLogGroup", "logs:PutRetentionPolicy" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk/*" }, { "Sid": "S3ObjectOperationPermissions", "Effect": "Allow", "Action": [ "s3:DeleteObject", "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion", "s3:GetObjectVersionAcl", "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectVersionAcl" ], "Resource": "arn:aws:s3:::elasticbeanstalk-*/*" }, { "Sid": "S3BucketOperationPermissions", "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:GetBucketPolicy", "s3:ListBucket", "s3:PutBucketPolicy" ], "Resource": "arn:aws:s3:::elasticbeanstalk-*" }, { "Sid": "SNSOperationPermissions", "Effect": "Allow", "Action": [ "sns:CreateTopic", "sns:GetTopicAttributes", "sns:SetTopicAttributes", "sns:Subscribe" ], "Resource": "arn:aws:sns:*:*:ElasticBeanstalkNotifications-*" }, { "Sid": "SQSOperationPermissions", "Effect": "Allow", "Action": [ "sqs:GetQueueAttributes", "sqs:GetQueueUrl" ], "Resource": [ "arn:aws:sqs:*:*:awseb-e-*", "arn:aws:sqs:*:*:eb-*" ] }, { "Sid": "CWPutMetricAlarmOperationPermissions", "Effect": "Allow", "Action": [ "cloudwatch:PutMetricAlarm" ], "Resource": [ "arn:aws:cloudwatch:*:*:alarm:awseb-*", "arn:aws:cloudwatch:*:*:alarm:eb-*" ] }, { "Sid": "AllowECSTagResource", "Effect": "Allow", "Action": [ "ecs:TagResource" ], "Resource": "*", "Condition": { "StringEquals": { "ecs:CreateAction": [ "CreateCluster", "RegisterTaskDefinition" ] } } } ] }

您可以使用以下任何方式建立 Elastic Beanstalk 環境。每個部分都會說明該方法如何處理服務角色。

Elastic Beanstalk 主控台

如果您使用 Elastic Beanstalk 主控台建立環境,Elastic Beanstalk 會提示您建立名為 aws-elasticbeanstalk-service-role 的服務角色。透過 Elastic Beanstalk 建立時,此角色會包含一個能讓 Elastic Beanstalk 擔任該服務角色的信任政策。本主題中先前提到的兩個受管理政策也會連接至角色。

Elastic Beanstalk 命令列介面 (EB) CLI

您可以使用 Elastic Beanstalk eb create 命令行界面(E CLI B)的命令創建一個環境。如果您未透過 --service-role 選項指定服務角色。Elastic Beanstalk 會建立相同的預設服務角色 aws-elasticbeanstalk-service-role。若預設服務角色已存在,Elastic Beanstalk 會將其運用於新環境。透過 Elastic Beanstalk 建立時,此角色會包含一個能讓 Elastic Beanstalk 擔任該服務角色的信任政策。本主題中先前提到的兩個受管理政策也會連接至角色。

Elastic Beanstalk API

您可以使用 Elastic Beanstalk API 的CreateEnvironment動作來創建一個環境。如果您未指定服務角色,Elastic Beanstalk 會建立一個監控服務連結角色。這是 Elastic Beanstalk 預先定義的唯一服務角色類型,用於包含服務代表您呼叫其他 AWS 服務 人所需的所有權限。服務連結角色會您的帳戶建立關聯。Elastic Beanstalk 只會建立一次此角色,然後在建立其他環境時重複使用。您也可以使IAM用預先為帳戶建立監控服務連結角色。當您的帳戶具有監視服務連結角色時,您可以使用該角色使用彈性 Beanstalk 主控台、Elastic Beanstalk 或 E API B 來建立環境。CLI如需在 Elastic Beanstalk 環境中使用服務連結角色的說明,請參閱 使用 Elastic Beanstalk 的服務連結角色

如需服務角色的詳細資訊,請參閱管理 Elastic Beanstalk 服務角色