
What are the appropriate S3 permissions to deploy an Elastic Beanstalk app using CodeShip? When deploying a new version to a Tomcat app I get these errors:

Service:Amazon S3, Message:You do not have permission to perform the 's3:ListBucket' action. Verify that your S3 policies and your ACLs allow you to perform these actions.

Service:Amazon S3, Message:You do not have permission to perform the 's3:GetObject' or 's3:ListBucket' action. Verify that your S3 policies and your ACLs allow you to perform these actions.

If I give the CodeShip user full access to S3 everything works, but this is not ideal. The current S3 permissions for my CodeShip user are

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketPolicy"
            ],
            "Resource": [
                "arn:aws:s3:::codeshipbucket/*"
            ]
        }
    ]
}

The S3 bucket I have given CodeShip is a subfolder under codeshipbucket, if it matters.

What are appropriate permissions?

thefroatgt

2 Answers


These are the S3 permissions we had to give the IAM user we use with Codeship:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "s3:CreateBucket",
                    "s3:GetObject"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                    "s3:ListBucket",
                    "s3:GetObjectAcl",
                    "s3:GetBucketPolicy",
                    "s3:DeleteObject",
                    "s3:PutObject",
                    "s3:PutObjectAcl"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::elasticbeanstalk-[region]-[account-id]",
                    "arn:aws:s3:::elasticbeanstalk-[region]-[account-id]/*"
                ]
            }
        ]
    }

We executed eb deploy --debug and added the permissions one-by-one.

user3145800
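The question's policy grants s3:ListBucket and s3:GetBucketPolicy only against the object ARN codeshipbucket/*, but those are bucket-level actions that match only the bucket ARN itself, so that statement silently grants nothing for them; the answer above avoids this by listing both the bucket ARN and bucket/*. As an added example (not code from the question, the answers or Codeship), this Python check flags such ineffective grants in a policy document and builds the split, least-privilege form; the bucket name is a constructed placeholder.

```python
# Bucket-level actions match only the bucket ARN (arn:aws:s3:::bucket); object-level
# actions match only object ARNs (arn:aws:s3:::bucket/key or bucket/*). Listing a
# bucket-level action against bucket/* silently grants nothing.
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketPolicy", "s3:CreateBucket"}
OBJECT_LEVEL = {"s3:GetObject", "s3:GetObjectAcl", "s3:PutObject",
                "s3:PutObjectAcl", "s3:DeleteObject"}

def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def _is_object_arn(resource):
    # A "/" after the bucket name means the ARN addresses objects, not the bucket.
    return "/" in resource.split(":::", 1)[-1]

def find_ineffective_grants(policy):
    """Return (action, resource) pairs that can never match and so grant nothing."""
    problems = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            for res in _as_list(stmt["Resource"]):
                if res == "*":
                    continue  # a wildcard is over-broad, but it does match
                if ((action in BUCKET_LEVEL and _is_object_arn(res))
                        or (action in OBJECT_LEVEL and not _is_object_arn(res))):
                    problems.append((action, res))
    return problems

def least_privilege_policy(bucket, actions):
    """Split the actions across the bucket ARN and the bucket/* ARN, as the answer does."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    statements = []
    for level, resource in ((BUCKET_LEVEL, bucket_arn), (OBJECT_LEVEL, bucket_arn + "/*")):
        wanted = sorted(a for a in actions if a in level)
        if wanted:
            statements.append({"Effect": "Allow", "Action": wanted, "Resource": resource})
    return {"Version": "2012-10-17", "Statement": statements}

# Constructed sample: the policy from the question, as a Python dict.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectAcl",
               "s3:ListBucket", "s3:DeleteObject", "s3:GetBucketPolicy"],
    "Resource": ["arn:aws:s3:::codeshipbucket/*"]}]}

if __name__ == "__main__":
    print(find_ineffective_grants(QUESTION_POLICY))
    print(least_privilege_policy("codeshipbucket", QUESTION_POLICY["Statement"][0]["Action"]))
```

Run the same split for the elasticbeanstalk-[region]-[account-id] bucket named in the answer, since the Elastic Beanstalk service reads the application version from there rather than from the CodeShip upload bucket.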

In our internal tests we've been able to deploy to Elastic Beanstalk with just the following S3 permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR_S3_BUCKET_NAME/*"
            ]
        }
    ]
}

And this is what we currently recommend in our documentation, available at https://codeship.com/documentation/continuous-deployment/deployment-to-elastic-beanstalk/#s3

That said, one of our awesome users published a very extensive guide on how to deploy to Elastic Beanstalk, which is available at http://nudaygames.squarespace.com/blog/2014/5/26/deploying-to-elastic-beanstalk-from-your-continuous-integration-system and recommends a broader set of S3 permissions.

Disclaimer: I work for Codeship, but you probably already guessed so from my answer.

mlocher
I had the same issue as the author of this question and found the fix here: http://stackoverflow.com/a/24572049/121515. Note that the upload to S3 will work fine with the S3 permissions you describe above, but the deployment of the new version will not. Codeship also reports the deployment as successful despite errors being shown in the AWS EB console. – Garret Heaton Jul 16 '15 at 03:09