本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
Elastic Beanstalk 服務角色
服務角色是 Elastic Beanstalk 代表您呼叫其他服務時所IAM扮演的角色。例如,Elastic Beanstalk 在呼叫 Amazon 彈性運算雲端 (AmazonEC2)、Elastic Load Balancing 和 Amazon EC2 Auto Scaling APIs 來收集資訊時,會使用服務角色。Elastic Beanstalk 使用的服務角色是您在建立 Elastic Beanstalk 環境時指定的服務角色。
有兩個連接至服務角色的受管政策:這些政策提供許可,讓 Elastic Beanstalk 能存取建立和管理環境所需的 AWS 資源。一個受管政策為增強型運作狀態監控和工作者層 Amazon SQS 支援提供許可,另一個政策則則提供受管平台更新所需的其他許可。
此政策授予 Elastic Beanstalk 監控環境運作狀態所需的所有許可。它還包括 Amazon SQS 操作,允許 Elastic Beanstalk 監控工作環境的隊列活動。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetHealth",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:GetConsoleOutput",
"ec2:AssociateAddress",
"ec2:DescribeAddresses",
"ec2:DescribeSecurityGroups",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeScalingActivities",
"autoscaling:DescribeNotificationConfigurations",
"sns:Publish"
],
"Resource": [
"*"
]
}
]
}此政策會授予許可,讓 Elastic Beanstalk 能夠代表您更新環境以執行受管平台更新。
服務層級許可分組
此政策會根據提供的許可集分組到陳述式中。
-
ElasticBeanstalkPermissions— 這組權限用於調用 Elastic Beanstalk 服務操作(Elastic Be APIs anstalk)。 -
AllowPassRoleToElasticBeanstalkAndDownstreamServices– 此許可群組允許將任何角色傳遞給 Elastic Beanstalk 和其他下游服務,如 AWS CloudFormation。 -
ReadOnlyPermissions– 此許可群組用於收集執行中環境的相關資訊。 -
*OperationPermissions– 具有此命名模式的群組用於呼叫必要的操作來執行平台更新。 -
*BroadOperationPermissions– 具有此命名模式的群組用於呼叫必要的操作來執行平台更新。它們也包含支援舊式環境的廣泛許可。 -
*TagResource— 具有此命名模式的群組適用於在 Elastic Beanstalk 環境中建立的資源上附加標籤的呼叫。 tag-on-create APIs
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ElasticBeanstalkPermissions",
"Effect": "Allow",
"Action": [
"elasticbeanstalk:*"
],
"Resource": "*"
},
{
"Sid": "AllowPassRoleToElasticBeanstalkAndDownstreamServices",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::*:role/*",
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"elasticbeanstalk.amazonaws.com",
"ec2.amazonaws.com",
"ec2.amazonaws.com.rproxy.goskope.com.cn",
"autoscaling.amazonaws.com",
"elasticloadbalancing.amazonaws.com",
"ecs.amazonaws.com",
"cloudformation.amazonaws.com"
]
}
}
},
{
"Sid": "ReadOnlyPermissions",
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAccountLimits",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeLoadBalancers",
"autoscaling:DescribeNotificationConfigurations",
"autoscaling:DescribeScalingActivities",
"autoscaling:DescribeScheduledActions",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstances",
"ec2:DescribeKeyPairs",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSpotInstanceRequests",
"ec2:DescribeSubnets",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcs",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"logs:DescribeLogGroups",
"rds:DescribeDBEngineVersions",
"rds:DescribeDBInstances",
"rds:DescribeOrderableDBInstanceOptions",
"sns:ListSubscriptionsByTopic"
],
"Resource": [
"*"
]
},
{
"Sid": "EC2BroadOperationPermissions",
"Effect": "Allow",
"Action": [
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateLaunchTemplate",
"ec2:CreateLaunchTemplateVersion",
"ec2:CreateSecurityGroup",
"ec2:DeleteLaunchTemplate",
"ec2:DeleteLaunchTemplateVersions",
"ec2:DeleteSecurityGroup",
"ec2:DisassociateAddress",
"ec2:ReleaseAddress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": "*"
},
{
"Sid": "EC2RunInstancesOperationPermissions",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "*",
"Condition": {
"ArnLike": {
"ec2:LaunchTemplate": "arn:aws:ec2:*:*:launch-template/*"
}
}
},
{
"Sid": "EC2TerminateInstancesOperationPermissions",
"Effect": "Allow",
"Action": [
"ec2:TerminateInstances"
],
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/aws:cloudformation:stack-id": [
"arn:aws:cloudformation:*:*:stack/awseb-e-*",
"arn:aws:cloudformation:*:*:stack/eb-*"
]
}
}
},
{
"Sid": "ECSBroadOperationPermissions",
"Effect": "Allow",
"Action": [
"ecs:CreateCluster",
"ecs:DescribeClusters",
"ecs:RegisterTaskDefinition"
],
"Resource": "*"
},
{
"Sid": "ECSDeleteClusterOperationPermissions",
"Effect": "Allow",
"Action": "ecs:DeleteCluster",
"Resource": "arn:aws:ecs:*:*:cluster/awseb-*"
},
{
"Sid": "ASGOperationPermissions",
"Effect": "Allow",
"Action": [
"autoscaling:AttachInstances",
"autoscaling:CreateAutoScalingGroup",
"autoscaling:CreateLaunchConfiguration",
"autoscaling:CreateOrUpdateTags",
"autoscaling:DeleteLaunchConfiguration",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DeleteScheduledAction",
"autoscaling:DetachInstances",
"autoscaling:DeletePolicy",
"autoscaling:PutScalingPolicy",
"autoscaling:PutScheduledUpdateGroupAction",
"autoscaling:PutNotificationConfiguration",
"autoscaling:ResumeProcesses",
"autoscaling:SetDesiredCapacity",
"autoscaling:SuspendProcesses",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup"
],
"Resource": [
"arn:aws:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/awseb-e-*",
"arn:aws:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/eb-*",
"arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/awseb-e-*",
"arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/eb-*"
]
},
{
"Sid": "CFNOperationPermissions",
"Effect": "Allow",
"Action": [
"cloudformation:*"
],
"Resource": [
"arn:aws:cloudformation:*:*:stack/awseb-*",
"arn:aws:cloudformation:*:*:stack/eb-*"
]
},
{
"Sid": "ELBOperationPermissions",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags",
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
"elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:RegisterTargets"
],
"Resource": [
"arn:aws:elasticloadbalancing:*:*:targetgroup/awseb-*",
"arn:aws:elasticloadbalancing:*:*:targetgroup/eb-*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/awseb-*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/eb-*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/*/awseb-*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/*/eb-*/*"
]
},
{
"Sid": "CWLogsOperationPermissions",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:DeleteLogGroup",
"logs:PutRetentionPolicy"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk/*"
},
{
"Sid": "S3ObjectOperationPermissions",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"
],
"Resource": "arn:aws:s3:::elasticbeanstalk-*/*"
},
{
"Sid": "S3BucketOperationPermissions",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetBucketPolicy",
"s3:ListBucket",
"s3:PutBucketPolicy"
],
"Resource": "arn:aws:s3:::elasticbeanstalk-*"
},
{
"Sid": "SNSOperationPermissions",
"Effect": "Allow",
"Action": [
"sns:CreateTopic",
"sns:GetTopicAttributes",
"sns:SetTopicAttributes",
"sns:Subscribe"
],
"Resource": "arn:aws:sns:*:*:ElasticBeanstalkNotifications-*"
},
{
"Sid": "SQSOperationPermissions",
"Effect": "Allow",
"Action": [
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl"
],
"Resource": [
"arn:aws:sqs:*:*:awseb-e-*",
"arn:aws:sqs:*:*:eb-*"
]
},
{
"Sid": "CWPutMetricAlarmOperationPermissions",
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricAlarm"
],
"Resource": [
"arn:aws:cloudwatch:*:*:alarm:awseb-*",
"arn:aws:cloudwatch:*:*:alarm:eb-*"
]
},
{
"Sid": "AllowECSTagResource",
"Effect": "Allow",
"Action": [
"ecs:TagResource"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ecs:CreateAction": [
"CreateCluster",
"RegisterTaskDefinition"
]
}
}
}
]
}您可以使用以下任何方式建立 Elastic Beanstalk 環境。每個部分都會說明該方法如何處理服務角色。
Elastic Beanstalk 主控台
如果您使用 Elastic Beanstalk 主控台建立環境,Elastic Beanstalk 會提示您建立名為 aws-elasticbeanstalk-service-role 的服務角色。透過 Elastic Beanstalk 建立時,此角色會包含一個能讓 Elastic Beanstalk 擔任該服務角色的信任政策。本主題中先前提到的兩個受管理政策也會連接至角色。
Elastic Beanstalk 命令列介面 (EB) CLI
您可以使用 Elastic Beanstalk eb create 命令行界面(E CLI B)的命令創建一個環境。如果您未透過 --service-role 選項指定服務角色。Elastic Beanstalk 會建立相同的預設服務角色 aws-elasticbeanstalk-service-role。若預設服務角色已存在,Elastic Beanstalk 會將其運用於新環境。透過 Elastic Beanstalk 建立時,此角色會包含一個能讓 Elastic Beanstalk 擔任該服務角色的信任政策。本主題中先前提到的兩個受管理政策也會連接至角色。
Elastic Beanstalk API
您可以使用 Elastic Beanstalk API 的CreateEnvironment動作來創建一個環境。如果您未指定服務角色,Elastic Beanstalk 會建立一個監控服務連結角色。這是 Elastic Beanstalk 預先定義的唯一服務角色類型,用於包含服務代表您呼叫其他 AWS 服務 人所需的所有權限。服務連結角色會您的帳戶建立關聯。Elastic Beanstalk 只會建立一次此角色,然後在建立其他環境時重複使用。您也可以使IAM用預先為帳戶建立監控服務連結角色。當您的帳戶具有監視服務連結角色時,您可以使用該角色使用彈性 Beanstalk 主控台、Elastic Beanstalk 或 E API B 來建立環境。CLI如需在 Elastic Beanstalk 環境中使用服務連結角色的說明,請參閱 使用 Elastic Beanstalk 的服務連結角色。
如需服務角色的詳細資訊,請參閱管理 Elastic Beanstalk 服務角色。
