What are appropriate S3 permissions for deploying to Elastic Beanstalk from CodeShip

What are the appropriate S3 permissions to deploy an Elastic Beanstalk app using CodeShip? When deploying a new version to a Tomcat app I get these errors:

Service:Amazon S3, Message:You do not have permission to perform the 's3:ListBucket' action. Verify that your S3 policies and your ACLs allow you to perform these actions.

Service:Amazon S3, Message:You do not have permission to perform the 's3:GetObject' or 's3:ListBucket' action. Verify that your S3 policies and your ACLs allow you to perform these actions.

If I give the CodeShip user full access to S3 everything works, but this is not ideal. The current S3 permissions for my CodeShip user are:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketPolicy"
            ],
            "Resource": [
                "arn:aws:s3:::codeshipbucket/*"
            ]
        }
    ]
}

The S3 bucket I have given CodeShip is a subfolder under codeshipbucket, if it matters.

What are appropriate permissions?

thefroatgt asked Apr 06 '15 13:04


1 Answer

These are the S3 permissions we had to give the IAM user we use with Codeship:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "s3:CreateBucket",
                    "s3:GetObject"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                    "s3:ListBucket",
                    "s3:GetObjectAcl",
                    "s3:GetBucketPolicy",
                    "s3:DeleteObject",
                    "s3:PutObject",
                    "s3:PutObjectAcl"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::elasticbeanstalk-[region]-[account-id]",
                    "arn:aws:s3:::elasticbeanstalk-[region]-[account-id]/*"
                ]
            }
        ]
    }

We executed eb deploy --debug and added the permissions one-by-one.

user3145800 answered Sep 28 '22 00:09
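The two errors in the question come from two different kinds of S3 request: s3:ListBucket is authorized against the bucket ARN itself (arn:aws:s3:::bucket, no trailing /*), while s3:GetObject and s3:PutObject are authorized against object ARNs (arn:aws:s3:::bucket/key). A policy whose only resource is arn:aws:s3:::codeshipbucket/* therefore never matches a ListBucket call, and eb deploy additionally reads and writes the elasticbeanstalk-[region]-[account-id] bucket named in the answer rather than the user's own bucket. The following is an added example, not code from the question, the answer, or AWS: a minimal IAM-style evaluator (wildcard matching, explicit Deny wins, default deny) that replays the deploy's S3 calls against the question's policy and the answer's policy. The region, account id and object key are constructed placeholders.

```python
import re

# Constructed placeholders standing in for the [region]-[account-id] in the answer.
EB_BUCKET = "elasticbeanstalk-us-east-1-123456789012"

# The policy from the question, verbatim.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectAcl",
                   "s3:ListBucket", "s3:DeleteObject", "s3:GetBucketPolicy"],
        "Resource": ["arn:aws:s3:::codeshipbucket/*"],
    }],
}

# The policy from the answer, with the placeholders filled in.
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["s3:CreateBucket", "s3:GetObject"], "Effect": "Allow", "Resource": "*"},
        {"Action": ["s3:ListBucket", "s3:GetObjectAcl", "s3:GetBucketPolicy",
                    "s3:DeleteObject", "s3:PutObject", "s3:PutObjectAcl"],
         "Effect": "Allow",
         "Resource": [f"arn:aws:s3:::{EB_BUCKET}", f"arn:aws:s3:::{EB_BUCKET}/*"]},
    ],
}


def _iam_match(pattern: str, value: str, case_insensitive: bool = False) -> bool:
    """IAM-style glob: '*' matches any run of characters (including '/'), '?' exactly one.
    Action names match case-insensitively; resource ARNs are case-sensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if case_insensitive else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Evaluate one request: an explicit Deny wins, any matching Allow grants, otherwise implicit deny.
    Conditions and resource-based (bucket) policies are out of scope for this toy evaluator."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_iam_match(a, action, True) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def deploy_calls(bucket: str, key: str = "app.zip"):
    """The S3 calls behind the question's errors: a bucket-level list, then object-level get/put."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return [
        ("s3:ListBucket", bucket_arn),            # bucket ARN, NOT bucket/*
        ("s3:GetObject", f"{bucket_arn}/{key}"),   # object ARN
        ("s3:PutObject", f"{bucket_arn}/{key}"),   # object ARN
    ]


def missing_permissions(policy: dict, bucket: str, key: str = "app.zip"):
    """Return the (action, resource) pairs the policy would reject for a deploy to `bucket`."""
    return [(a, r) for a, r in deploy_calls(bucket, key) if not is_allowed(policy, a, r)]


if __name__ == "__main__":
    print("question policy, own bucket:", missing_permissions(QUESTION_POLICY, "codeshipbucket"))
    print("question policy, EB bucket: ", missing_permissions(QUESTION_POLICY, EB_BUCKET))
    print("answer policy, EB bucket:   ", missing_permissions(ANSWER_POLICY, EB_BUCKET))
```

Running it shows the question's policy rejecting only ListBucket on its own bucket (the resource pattern ends in /* and the bucket ARN does not) and rejecting everything on the Elastic Beanstalk bucket, while the answer's policy passes all three calls. The same evaluator can be pointed at a tightened variant of the answer, for instance replacing the "*" resource on s3:GetObject with the two Elastic Beanstalk bucket ARNs, to confirm that the deploy calls still pass before the broader grant is removed.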