What are the appropriate S3 permissions to deploy an Elastic Beanstalk app using CodeShip?
When deploying a new version to a Tomcat app I get these errors:
Service:Amazon S3, Message:You do not have permission to perform the 's3:ListBucket' action. Verify that your S3 policies and your ACLs allow you to perform these actions.
Service:Amazon S3, Message:You do not have permission to perform the 's3:GetObject' or 's3:ListBucket' action. Verify that your S3 policies and your ACLs allow you to perform these actions.
If I give the CodeShip user full access to S3 everything works, but this is not ideal. The current S3 permissions for my CodeShip user are
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketPolicy"
            ],
            "Resource": [
                "arn:aws:s3:::codeshipbucket/*"
            ]
        }
    ]
}
The S3 bucket I have given CodeShip is a subfolder under codeshipbucket, if it matters.
What are appropriate permissions?
By default, all Amazon S3 resources—buckets, objects, and related subresources (for example, lifecycle configuration and website configuration)—are private. Only the resource owner, the AWS account that created it, can access the resource.
Public read access can be granted in one of these ways: update the object's access control list (ACL) using the Amazon S3 console; update the object's ACL using the AWS Command Line Interface (AWS CLI); or use a bucket policy that grants public read access to objects carrying a specific object tag. None of this applies to the problem above: the CodeShip IAM user is a principal in the same account, so what it needs is an IAM policy that covers the bucket Elastic Beanstalk deploys from, not a public ACL or public bucket policy.
Elastic Beanstalk creates an Amazon S3 bucket named elasticbeanstalk-region-account-id for each region in which you create environments. Elastic Beanstalk uses this bucket to store objects, for example temporary configuration files, that are required for the proper operation of your application.
These are the S3 permissions we had to give the IAM user we use with Codeship:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:CreateBucket",
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetObjectAcl",
                "s3:GetBucketPolicy",
                "s3:DeleteObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk-[region]-[account-id]",
                "arn:aws:s3:::elasticbeanstalk-[region]-[account-id]/*"
            ]
        }
    ]
}
We executed eb deploy --debug and added the permissions one by one.
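The two policies above fail and succeed for a reason worth seeing mechanically: s3:ListBucket and s3:GetBucketPolicy are bucket-level actions that S3 authorises against the bucket ARN itself (arn:aws:s3:::name), while GetObject, PutObject and friends are authorised against an object ARN (name/key). A Resource entry of "arn:aws:s3:::codeshipbucket/*" therefore never matches a ListBucket request, and on top of that eb deploy targets the elasticbeanstalk-region-account-id bucket, not codeshipbucket. The following is an added example, not code from the question, the answer, CodeShip or AWS: a deliberately simplified IAM evaluator (Allow statements only; no Deny, Condition, NotAction or NotResource) that replays both policies against the actions a deployment needs. The bucket name elasticbeanstalk-us-east-1-123456789012, the object key app.zip and the DEPLOY_ACTIONS list are constructed for the demonstration.

```python
import fnmatch

# Simplified IAM evaluator: Allow statements only, no explicit Deny, no
# Condition, no NotAction/NotResource. Enough to show why bucket-level
# actions such as s3:ListBucket need the bucket ARN, not bucket/*.

# S3 actions evaluated against the bucket ARN (arn:aws:s3:::name).
# Every other action used here is evaluated against an object ARN (name/key).
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketPolicy", "s3:CreateBucket"}

# Actions the deployment in the question exercises (constructed list,
# taken from the actions named in the two policies on this page).
DEPLOY_ACTIONS = [
    "s3:ListBucket", "s3:GetObject", "s3:GetObjectAcl", "s3:PutObject",
    "s3:PutObjectAcl", "s3:DeleteObject", "s3:GetBucketPolicy",
]

# Policy from the question: object-level resource only, wrong bucket.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectAcl",
                   "s3:ListBucket", "s3:DeleteObject", "s3:GetBucketPolicy"],
        "Resource": ["arn:aws:s3:::codeshipbucket/*"],
    }],
}

# Constructed stand-in for the Elastic Beanstalk bucket name (region and
# account id are placeholders, not real values).
EB_BUCKET = "elasticbeanstalk-us-east-1-123456789012"

# Policy from the answer, with the placeholders filled in with EB_BUCKET.
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["s3:CreateBucket", "s3:GetObject"], "Effect": "Allow", "Resource": "*"},
        {"Action": ["s3:ListBucket", "s3:GetObjectAcl", "s3:GetBucketPolicy",
                    "s3:DeleteObject", "s3:PutObject", "s3:PutObjectAcl"],
         "Effect": "Allow",
         "Resource": [f"arn:aws:s3:::{EB_BUCKET}", f"arn:aws:s3:::{EB_BUCKET}/*"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM treats * and ? as wildcards in Action and Resource strings.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource_arn):
    """True if some Allow statement matches both the action and the ARN."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
        resource_ok = any(_matches(r, resource_arn) for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def resource_for(action, bucket, key="app.zip"):
    """ARN that S3 authorises the given action against (constructed key)."""
    if action in BUCKET_LEVEL_ACTIONS:
        return f"arn:aws:s3:::{bucket}"
    return f"arn:aws:s3:::{bucket}/{key}"


def missing_permissions(policy, bucket):
    """Deploy-time actions the policy does NOT grant on `bucket`, in order."""
    return [a for a in DEPLOY_ACTIONS
            if not is_allowed(policy, a, resource_for(a, bucket))]


if __name__ == "__main__":
    print("question policy on codeshipbucket, missing:",
          missing_permissions(QUESTION_POLICY, "codeshipbucket"))
    print("question policy on EB bucket, missing:",
          missing_permissions(QUESTION_POLICY, EB_BUCKET))
    print("answer policy on EB bucket, missing:",
          missing_permissions(ANSWER_POLICY, EB_BUCKET))
```

Run against codeshipbucket, the question's policy still lacks s3:ListBucket and s3:GetBucketPolicy (the two bucket-level actions), which is exactly the first error message; run against the Elastic Beanstalk bucket it lacks everything, which is the second. The answer's policy grants all seven. The same check can be run against the real account with aws iam simulate-principal-policy, which evaluates the actual attached policies including Deny and Condition elements that this toy evaluator ignores.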