I have an IAM policy set up that I believe grants the permissions needed to deploy a new version to an Elastic Beanstalk application. I am still getting an InsufficientPrivilegesException, specifically:

    aws elasticbeanstalk update-environment --environment-name LearnTfsBff --version-label LearnTfsBff-30
    An error occurred (InsufficientPrivilegesException) when calling the UpdateEnvironment operation: Access Denied
This is the policy attached to the deployment user (the trailing comma after the last action in the first statement has been removed so the document is valid JSON):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "autoscaling:*",
                    "cloudformation:GetTemplate",
                    "cloudformation:DescribeStackResource",
                    "cloudformation:DescribeStackResources",
                    "cloudfront:CreateInvalidation",
                    "ec2:describeVpcs",
                    "ec2:DescribeImages",
                    "elasticbeanstalk:CreateApplicationVersion",
                    "elasticbeanstalk:DescribeApplications",
                    "elasticbeanstalk:DescribeApplicationVersions",
                    "elasticbeanstalk:DescribeEnvironments",
                    "elasticbeanstalk:UpdateEnvironment",
                    "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                    "elasticloadbalancing:DescribeInstanceHealth",
                    "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                    "s3:ListAllMyBuckets"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Resource": "arn:aws:s3:::learn-tfs-builds"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:*"
                ],
                "Resource": "arn:aws:s3:::learn-tfs-*"
            }
        ]
    }
I tried adding "elasticbeanstalk:*" as an allowed action, and that did not resolve the permission problem. Adding "*" as an allowed action did resolve it, but that is not an acceptable solution.

How do I debug which specific permissions are required within AWS?

Thanks,
Sam
From this guide, it looks like you may also need access to the Elastic Beanstalk S3 bucket, i.e.:

    {
        "Action": [
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:ListBucket",
            "s3:DeleteObject",
            "s3:GetBucketPolicy",
            "s3:CreateBucket"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::elasticbeanstalk-[region]-[accountid]",
            "arn:aws:s3:::elasticbeanstalk-[region]-[accountid]/*"
        ]
    }
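To work the "which permission is missing" question offline, here is an added example (not from the question or the answer): a small Python approximation of IAM identity-policy evaluation that loads the question's policy plus the bucket statement from the answer and reports which (action, resource) pairs a deployment needs that the policy does not grant. The region, account id and the list of required actions are assumptions for illustration.

```python
import fnmatch

# Constructed input: the question's deploy policy (trailing comma dropped) plus the
# bucket statement from the answer, with placeholder region/account values.
EB_BUCKET = "arn:aws:s3:::elasticbeanstalk-us-east-1-123456789012"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "autoscaling:*", "cloudformation:GetTemplate",
            "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources",
            "cloudfront:CreateInvalidation", "ec2:describeVpcs", "ec2:DescribeImages",
            "elasticbeanstalk:CreateApplicationVersion", "elasticbeanstalk:DescribeApplications",
            "elasticbeanstalk:DescribeEnvironments", "elasticbeanstalk:UpdateEnvironment",
            "s3:ListAllMyBuckets"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::learn-tfs-builds"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::learn-tfs-*"},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
         "Resource": [EB_BUCKET, EB_BUCKET + "/*"]},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold_case):
    """IAM-style glob match ('*' and '?'); action names compare case-insensitively."""
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, action, resource):
    """Explicit Deny wins, any matching Allow grants, otherwise implicit deny.
    Conditions, NotAction/NotResource and bucket policies are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(_as_list(stmt["Action"]), action, fold_case=True):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource, fold_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def missing_permissions(policy, required):
    """Return the (action, resource) pairs in `required` that the policy does not allow."""
    return [(a, r) for a, r in required if not is_allowed(policy, a, r)]
```

For the authoritative answer, the IAM policy simulator evaluates the real policy set, and a CloudTrail AccessDenied event names the exact action that was refused.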