| « PreviousNext » | |
   | Did this page help you? Yes | No | Tell us about it... |
Using AWS Elastic Beanstalk with AWS Identity and Access Management (IAM)
AWS Identity and Access Management (IAM) helps you securely control access to your AWS resources. IAM can also keep your account credentials private. With IAM, you can create multiple IAM users under the umbrella of your AWS account. In some cases, you can also enable access to resources across AWS accounts. Without IAM, however, you must either create multiple AWS accounts, or users must share the security credentials of a single AWS account. In addition, without IAM, you cannot control the tasks a particular user or system can do and what AWS resources they might use. For more information about IAM, go to What Can I Do with IAM?
IAM is automatically available with AWS Elastic Beanstalk. You do not need to sign up separately to use IAM.
Granting Permissions to Users
A user is an individual, system, or application that interacts with AWS programmatically. Each user has a set of security credentials not shared with other users. A group is a collection of users. Groups don't directly interact with AWS; only users do. Groups enable you to collectively assign permissions to the users. To grant permissions to users or groups, you do the following:
Create a user or group of users.
Write a policy that grants or denies the ability to perform actions on AWS Elastic Beanstalk resources.
Attach a policy to the user or the group.
For more information about AWS accounts entities, go to Concepts Related to AWS Account Entities in AWS Identity and Access Management Using IAM. To learn how to use policies to control access to resources, see Using Policies to Control Access to Resources.
Granting Permissions to Users and Services Using IAM Roles
A role is an entity that has a set of permissions, and that another entity (IAM user or AWS service) assumes to make AWS API calls to access your AWS resources. The entity who assumes the role uses temporary security credentials to make AWS API calls. Consequently, you don't have to share long-term credentials or define permissions for each entity that requires access to a resource.
You may want to use IAM roles if you want to do any of the following:
Allow AWS Elastic Beanstalk to rotate your logs to Amazon S3. AWS Elastic Beanstalk can create a default instance profile for you when you create or update your environment. For instructions using the Elastic Beanstalk console, see Managing and Configuring Applications and Environments Using the Console, CLI, and APIs. For instructions using eb, see Getting Started with Eb.
Grant permissions to applications running on EC2 instances access to AWS resources (such as DynamoDB)
To grant permissions to applications running in your AWS Elastic Beanstalk, you do the following:
Create an IAM role or use the default role provided by AWS Elastic Beanstalk when you deploy your application.
Write a policy that defines who can assume the role (the trusted entities).
Write a policy that grants or denies the ability to perform actions on AWS resources.
Attach the policies to the IAM role.
Launch your AWS Elastic Beanstalk environment using the instance profile associated with the role.
Note
If you use the AWS Management Console to create and manage roles, instance profiles are automatically managed for you. If you use the IAM API or CLI to create and manage roles, you must create instance profiles for each role. A role can be associated with many instance profiles, but an instance profile can be associated with only one role. For more information about instance profiles, go to Instance Profiles in the AWS Identity and Access Management Using IAM.
You can use IAM roles with any of the following non-legacy container types:
Node.js
PHP 5.3 and PHP 5.4
Python
Ruby 1.8.7 and 1.9.3
Apache Tomcat 6 and 7
Windows Server 2008 R2 running IIS 7.5 and Windows Server 2012 running IIS 8
AWS Elastic Beanstalk supports legacy and non-legacy containers for PHP 5.3, Windows Server 2008 R2 running IIS 7.5, Windows Server 2012 running IIS 8, and Apache Tomcat 6 or 7. If you are not sure if you are using a legacy container, check the Elastic Beanstalk console. For instructions, see To check if you are using a legacy container type.
For more information about roles and how they differ from users or groups, see Delegating API Access by Using Roles in AWS Identity and Access Management Using IAM. To learn how to use policies to control access to resources, see Using Policies to Control Access to Resources.
Using Policies to Control Access to Resources
There are two ways to control access to AWS resources:
Use a policy template.
Create a custom policy that allows or denies permissions to perform specific actions on specific resources. A custom policy gives you the flexibility to specify exactly what actions can be performed on what resources.
To learn how to apply a AWS Elastic Beanstalk policy template to a user or group, see Using Policy Templates to Control Access to All AWS Elastic Beanstalk Resources.
To learn more about custom policies, and how to allow or deny permissions to perform specific actions on AWS Elastic Beanstalk resources, see Creating Policies to Control Access to Specific AWS Elastic Beanstalk Resources.
To learn how to use IAM roles with AWS Elastic Beanstalk, see Using IAM Roles with AWS Elastic Beanstalk.
For more information about permissions, go to Concepts Related to Permissions in AWS Identity and Access Management Using IAM.
