AWS Elastic Beanstalk
Developer Guide (API Version 2010-12-01)

Resources and Conditions for AWS Elastic Beanstalk Actions

This section describes the resources and conditions that you can use in policy statements to grant permissions that allow specific AWS Elastic Beanstalk actions to be performed on specific AWS Elastic Beanstalk resources.

Note

Some AWS Elastic Beanstalk actions may require permissions to other AWS services. For example, the following policy gives permissions for all Auto Scaling, Amazon S3, Amazon EC2, Amazon CloudWatch, Amazon SNS, Elastic Load Balancing, Amazon RDS, and AWS CloudFormation (for non-legacy container types) actions required to complete any AWS Elastic Beanstalk action. AWS Elastic Beanstalk relies on these additional services to provision underlying resources when creating an environment. For a list of supported non-legacy container types, see "Why are some container types marked legacy?".

The following policy is an example. It gives a broad set of permissions to the AWS products that AWS Elastic Beanstalk uses to manage applications and environments. For example, ec2:* allows an IAM user to perform any action on any Amazon EC2 resource in the AWS account. These permissions are not limited to the resources that you use with AWS Elastic Beanstalk. As a best practice, you should grant individuals only the permissions they need to perform their duties.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
       "ec2:*",
       "elasticloadbalancing:*",
       "autoscaling:*",
       "cloudwatch:*",
       "s3:*",
       "sns:*",
       "rds:*",
       "cloudformation:*"
      ],
      "Resource": "*"
    }
  ]
}

Granting IAM Users Permissions to Create IAM Roles

To use IAM roles with AWS Elastic Beanstalk, you need the appropriate permissions for AWS Elastic Beanstalk to create a default profile for you, or to view the list of instance profiles available in your environment. Make sure your policy is updated with the correct permissions. If you tried to create or update your environment using an instance profile and received an error, you may not have the required permissions. Your account administrator should add the following actions to your policy:

"iam:AddRoleToInstanceProfile",
"iam:CreateInstanceProfile",
"iam:CreateRole",
"iam:PassRole",
"iam:ListInstanceProfiles"

The following example shows one statement that gives a broad set of permissions to AWS products that AWS Elastic Beanstalk uses to manage applications and environments and includes permissions to create an instance profile and view a list of available instance profiles.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:*",
        "ec2:*",
        "elasticloadbalancing:*",
        "autoscaling:*",
        "cloudwatch:*",
        "s3:*",
        "sns:*",
        "cloudformation:*",
        "rds:*",
        "iam:AddRoleToInstanceProfile",
        "iam:CreateInstanceProfile",
        "iam:CreateRole",
        "iam:PassRole",
        "iam:ListInstanceProfiles"
      ],
      "Resource": "*"
    }
  ]
}        		
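A check for the least-privilege advice above, as an added example that is not part of the AWS guide: it audits the broad policy from this section and, for contrast, the scoped CreateEnvironment policy shown later on this page. The function names, severity labels and rule set are assumptions made for this sketch.

```python
import json

# Copy of this section's broad example policy (service wildcards plus IAM role actions).
BROAD_POLICY = json.loads("""
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*", "autoscaling:*",
        "cloudwatch:*", "s3:*", "sns:*", "cloudformation:*", "rds:*",
        "iam:AddRoleToInstanceProfile", "iam:CreateInstanceProfile",
        "iam:CreateRole", "iam:PassRole", "iam:ListInstanceProfiles"
      ],
      "Resource": "*"
    }
  ]
}
""")

# Copy of the page's scoped CreateEnvironment policy: one ARN, narrowed by conditions.
SCOPED_POLICY = json.loads("""
{
  "Statement": [
    {
      "Action": ["elasticbeanstalk:CreateEnvironment"],
      "Effect": "Allow",
      "Resource": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/myenv"],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App"]
        }
      }
    }
  ]
}
""")

# IAM actions listed on this page that create roles or instance profiles, or attach one to the other.
ROLE_WRITE_ACTIONS = {"iam:addroletoinstanceprofile", "iam:createinstanceprofile", "iam:createrole"}


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (severity, action, reason) for unconditioned Allow grants on Resource "*"."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        # Simplification for this sketch: a statement with a Condition block is treated as narrowed.
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            service, _, name = action.lower().partition(":")
            if action == "*" or name == "*":
                findings.append(("HIGH", action,
                                 f"every {service} action on every resource in the account"))
            elif action.lower() == "iam:passrole":
                findings.append(("HIGH", action,
                                 "any role can be passed to a service; limit Resource to the "
                                 "instance-profile role ARN"))
            elif action.lower() in ROLE_WRITE_ACTIONS:
                findings.append(("MEDIUM", action,
                                 "role or instance-profile change allowed on any resource"))
    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count}."""
    counts = {}
    for severity, _action, _reason in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, action, reason in audit_policy(BROAD_POLICY):
        print(f"{severity:6} {action:32} {reason}")
    print("scoped policy findings:", audit_policy(SCOPED_POLICY))
```

Read-only actions such as iam:ListInstanceProfiles are not flagged on "*", matching the page's point that some actions have no narrower resource to name.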

Policy Information for AWS Elastic Beanstalk Actions

The following table lists all AWS Elastic Beanstalk actions, the resource that each action acts upon, and the additional contextual information that can be provided using conditions.

Conditions enable you to specify permissions to resources that the action needs to complete. For example, when you call the CreateEnvironment action, you must also specify the application version to deploy as well as the application that contains that application version. When you set permissions for the CreateEnvironment action, you specify the application and application version that you want the action to act upon by using the InApplication and FromApplicationVersion conditions. In addition, you can specify the environment configuration with a solution stack (FromSolutionStack) or a configuration template (FromConfigurationTemplate). The following policy statement allows the CreateEnvironment action to create an environment with the name myenv (specified by Resource) in the application My App (specified by the InApplication condition) using the application version My Version (FromApplicationVersion) with a 32bit Amazon Linux running Tomcat 7 configuration (FromSolutionStack):

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:CreateEnvironment"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/myenv"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App"],
          "elasticbeanstalk:FromApplicationVersion": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:applicationversion/My App/My Version"],
          "elasticbeanstalk:FromSolutionStack": ["arn:aws:elasticbeanstalk:us-east-1::solutionstack/32bit Amazon Linux running Tomcat 7"]
        }
      }
    }
  ]
}

As you can see in the preceding example, resources are specified using their Amazon Resource Name (ARN). For more information about the ARN format for AWS Elastic Beanstalk resources, see Amazon Resource Name (ARN) Format for AWS Elastic Beanstalk.

The Comments column contains a simple example statement that grants permission to use the action on a specific resource with the appropriate contextual information provided through one or more conditions. The Comments column also lists dependencies that the action may have on permissions to perform other actions or to access other resources.

Note

If you set a policy on elasticbeanstalk:Describe* actions, those actions return only values that are permitted through the policy. For example, the following policy allows the elasticbeanstalk:DescribeEvents action to return a list of event descriptions for the environment myenv in the application My App. If you applied this policy to a user, that user could successfully perform the elasticbeanstalk:DescribeEvents action using myenv for the EnvironmentName parameter to get the list of events for myenv. However, if the user used another environment name for EnvironmentName or specified different parameters such as one for a specific application version, the action would return no event descriptions because the user has permission to view only myenv events. If the user specified no parameters for elasticbeanstalk:DescribeEvents, the action would return only the events for myenv because that is the only resource the user has permissions for.

{
  "Statement": [
    {
      "Action": "elasticbeanstalk:DescribeEvents",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/myenv"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App"]
        }
      }
    }
  ]
}

Policy information for AWS Elastic Beanstalk actions, including resources, conditions, examples, and dependencies

Columns: Resource, Conditions, Comments

Action: CheckDNSAvailability

"*"

N/A

This example allows the CheckDNSAvailability action to check if a CNAME is available. Note that permission to a resource is not required for this action and the resource should be specified by "*".

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:CheckDNSAvailability"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Action: CreateApplication

application

N/A

This example allows the CreateApplication action to create applications whose names begin with DivA:

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:CreateApplication"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:application/DivA*"
      ]
    }
  ]
}

Action: CreateApplicationVersion

applicationversion

InApplication

This example allows the CreateApplicationVersion action to create application versions with any name (*) in the application My App:

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:CreateApplicationVersion"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:applicationversion/My App/*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App"]
        }
      }
    }
  ]
}

Action: CreateConfigurationTemplate

configurationtemplate

InApplication

FromApplication

FromApplicationVersion

FromConfigurationTemplate

FromEnvironment

FromSolutionStack

This example allows the CreateConfigurationTemplate action to create configuration templates whose name begins with My Template (My Template*) in the application My App:

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:CreateConfigurationTemplate"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:configurationtemplate/My App/My Template*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App"],
          "elasticbeanstalk:FromSolutionStack": ["arn:aws:elasticbeanstalk:us-east-1::solutionstack/32bit Amazon Linux running Tomcat 7"]
        }
      }
    }
  ]
}

Action: CreateEnvironment

environment

InApplication

FromApplicationVersion

FromConfigurationTemplate

FromSolutionStack

This example allows the CreateEnvironment action to create an environment whose name is myenv in the application My App and using the solution stack 32bit Amazon Linux running Tomcat 7:

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:CreateEnvironment"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/myenv"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App"],
          "elasticbeanstalk:FromApplicationVersion": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:applicationversion/My App/My Version"],
          "elasticbeanstalk:FromSolutionStack": ["arn:aws:elasticbeanstalk:us-east-1::solutionstack/32bit Amazon Linux running Tomcat 7"]
        }
      }
    }
  ]
}

Action: CreateStorageLocation

"*"

N/A

This example allows the CreateStorageLocation action to create an Amazon S3 storage location. Note that permission to an AWS Elastic Beanstalk resource is not required for this action, and the resource should be specified by "*".

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:CreateStorageLocation"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Action: DeleteApplication

application

N/A

This example allows the DeleteApplication action to delete the application My App:

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:DeleteApplication"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App"
      ]
    }
  ]
}

Action: DeleteApplicationVersion

applicationversion

InApplication

This example allows the DeleteApplicationVersion action to delete an application version whose name is My Version in the application My App:

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:DeleteApplicationVersion"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:applicationversion/My App/My Version"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App"]
        }
      }        
    }
  ]
}

Action: DeleteConfigurationTemplate

configurationtemplate

InApplication (Optional)

This example allows the DeleteConfigurationTemplate action to delete a configuration template whose name is My Template in the application My App. Specifying the application name as a condition is optional.

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:DeleteConfigurationTemplate"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:configurationtemplate/My App/My Template"
      ]
    }
  ]
}

Action: DeleteEnvironmentConfiguration

environment

InApplication (Optional)

This example allows the DeleteEnvironmentConfiguration action to delete a draft configuration for the environment myenv in the application My App. Specifying the application name as a condition is optional.

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:DeleteEnvironmentConfiguration"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/myenv"
      ]
    }
  ]
}

Action: DescribeApplicationVersions

applicationversion

InApplication (Optional)

This example allows the DescribeApplicationVersions action to describe the application version My Version in the application My App. Specifying the application name as a condition is optional.

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:DescribeApplicationVersions"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:applicationversion/My App/My Version"
      ]
    }
  ]
}

Action: DescribeApplications

application

N/A

This example allows the DescribeApplications action to describe the application My App.

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:DescribeApplications"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App"
      ]
    }
  ]
}

Action: DescribeConfigurationOptions

environment, configurationtemplate, solutionstack

InApplication (Optional)

This example allows the DescribeConfigurationOptions action to describe the configuration options for the environment myenv in the application My App. Specifying the application name as a condition is optional.

{
  "Statement": [
    {
      "Action": "elasticbeanstalk:DescribeConfigurationOptions",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/myenv"
      ]
    }
  ]
}

Action: DescribeConfigurationSettings

environment, configurationtemplate

InApplication (Optional)

This example allows the DescribeConfigurationSettings action to describe the configuration settings for the environment myenv in the application My App. Specifying the application name as a condition is optional.

{
  "Statement": [
    {
      "Action": "elasticbeanstalk:DescribeConfigurationSettings",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/myenv"
      ]
    }
  ]
}

Action: DescribeEnvironmentResources

environment

InApplication (Optional)

This example allows the DescribeEnvironmentResources action to return a list of AWS resources for the environment myenv in the application My App. Specifying the application name as a condition is optional.

{
  "Statement": [
    {
      "Action": "elasticbeanstalk:DescribeEnvironmentResources",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/myenv"
      ]
    }
  ]
}

Action: DescribeEnvironments

environment

InApplication (Optional)

This example allows the DescribeEnvironments action to describe the environments myenv and myotherenv in the application My App. Specifying the application name as a condition is optional.

{
  "Statement": [
    {
      "Action": "elasticbeanstalk:DescribeEnvironments",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/myenv",
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/myotherenv"
      ]
    }
  ]
}

Action: DescribeEvents

application, applicationversion, configurationtemplate, environment

InApplication

This example allows the DescribeEvents action to list event descriptions for the environment myenv and the application version My Version in the application My App.

{
  "Statement": [
    {
      "Action": "elasticbeanstalk:DescribeEvents",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/myenv",
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:applicationversion/My App/My Version"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App"]
        }
      }
    }
  ]
}

Action: ListAvailableSolutionStacks

solutionstack

N/A

This example allows the ListAvailableSolutionStacks action to return only the solution stack 32bit Amazon Linux running Tomcat 7.

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:ListAvailableSolutionStacks"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:elasticbeanstalk:us-east-1::solutionstack/32bit Amazon Linux running Tomcat 7"
    }
  ]
}

Action: RebuildEnvironment

environment

InApplication

This example allows the RebuildEnvironment action to rebuild the environment myenv in the application My App.

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:RebuildEnvironment"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/myenv"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App"]
        }
      }
    }
  ]
}

Action: RequestEnvironmentInfo

environment

InApplication

This example allows the RequestEnvironmentInfo action to compile information about the environment myenv in the application My App.

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:RequestEnvironmentInfo"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/myenv"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App"]
        }
      }
    }
  ]
}

Action: RestartAppServer

environment

InApplication

This example allows the RestartAppServer action to restart the application container server for the environment myenv in the application My App.

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:RestartAppServer"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/myenv"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App"]
        }
      }
    }
  ]
}

Action: RetrieveEnvironmentInfo

environment

InApplication

This example allows the RetrieveEnvironmentInfo action to retrieve the compiled information for the environment myenv in the application My App.

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:RetrieveEnvironmentInfo"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/myenv"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App"]
        }
      }
    }
  ]
}

Action: SwapEnvironmentCNAMEs

environment

InApplication (Optional)

FromEnvironment (Optional)

This example allows the SwapEnvironmentCNAMEs action to swap the CNAMEs for the environments mysrcenv and mydestenv.

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:SwapEnvironmentCNAMEs"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/mysrcenv",
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/mydestenv"
      ]
    }
  ]
}

Action: TerminateEnvironment

environment

InApplication

This example allows the TerminateEnvironment action to terminate the environment myenv in the application My App.

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:TerminateEnvironment"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/myenv"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App"]
        }
      }
    }
  ]
}

Action: UpdateApplication

application

N/A

This example allows the UpdateApplication action to update properties of the application My App.

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:UpdateApplication"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App"
      ]
    }
  ]
}

Action: UpdateApplicationVersion

applicationversion

InApplication

This example allows the UpdateApplicationVersion action to update the properties of the application version My Version in the application My App.

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:UpdateApplicationVersion"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:applicationversion/My App/My Version"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App"]
        }
      }
    }
  ]
}

Action: UpdateConfigurationTemplate

configurationtemplate

InApplication

This example allows the UpdateConfigurationTemplate action to update the properties or options of the configuration template My Template in the application My App.

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:UpdateConfigurationTemplate"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:configurationtemplate/My App/My Template"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App"]
        }
      }
    }
  ]
}

Action: UpdateEnvironment

environment

InApplication

FromApplicationVersion

FromConfigurationTemplate

This example allows the UpdateEnvironment action to update the environment myenv in the application My App by deploying the application version My Version.

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:UpdateEnvironment"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/myenv"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App"],
          "elasticbeanstalk:FromApplicationVersion": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:applicationversion/My App/My Version"]
        }
      }
    }
  ]
}

Action: ValidateConfigurationSettings

template, environment

InApplication

This example allows the ValidateConfigurationSettings action to validate configuration settings against the environment myenv in the application My App.

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:ValidateConfigurationSettings"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/myenv"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App"]
        }
      }
    }
  ]
}

Condition Keys for AWS Elastic Beanstalk Actions

Keys enable you to specify conditions that express dependencies, restrict permissions, or specify constraints on the input parameters for an action. AWS Elastic Beanstalk supports the following keys.

InApplication

Specifies the application that contains the resource that the action operates on.

The following example allows the UpdateApplicationVersion action to update the properties of the application version My Version. The InApplication condition specifies My App as the container for My Version.

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:UpdateApplicationVersion"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:applicationversion/My App/My Version"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App"]
        }
      }
    }
  ]
}

FromApplicationVersion

Specifies an application version as a dependency or a constraint on an input parameter.

The following example allows the UpdateEnvironment action to update the environment myenv in the application My App. The FromApplicationVersion condition constrains the VersionLabel parameter to allow only the application version My Version to update the environment.

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:UpdateEnvironment"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/myenv"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App"],
          "elasticbeanstalk:FromApplicationVersion": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:applicationversion/My App/My Version"]
        }
      }
    }
  ]
}

FromConfigurationTemplate

Specifies a configuration template as a dependency or a constraint on an input parameter.

The following example allows the UpdateEnvironment action to update the environment myenv in the application My App. The FromConfigurationTemplate condition constrains the TemplateName parameter to allow only the configuration template My Template to update the environment.

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:UpdateEnvironment"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/myenv"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App"],
          "elasticbeanstalk:FromConfigurationTemplate": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:configurationtemplate/My App/My Template"]
        }
      }
    }
  ]
}

FromEnvironment

Specifies an environment as a dependency or a constraint on an input parameter.

The following example allows the SwapEnvironmentCNAMEs action to swap the CNAMEs in My App for all environments whose names begin with mysrcenv and mydestenv but not those environments whose names begin with mysrcenvPROD* and mydestenvPROD*.

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:SwapEnvironmentCNAMEs"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/mysrcenv*",
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/mydestenv*"
      ],
      "Condition": {
        "StringNotLike": {
          "elasticbeanstalk:FromEnvironment": [
            "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/mysrcenvPROD*",
            "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/mydestenvPROD*"
          ]
        }
      }
    }
  ]
}

FromSolutionStack

Specifies a solution stack as a dependency or a constraint on an input parameter.

This example allows the CreateConfigurationTemplate action to create configuration templates whose name begins with My Template (My Template*) in the application My App. The FromSolutionStack condition constrains the solutionstack parameter to allow only the solution stack 32bit Amazon Linux running Tomcat 7 as the input value for that parameter.

{
  "Statement": [
    {
      "Action": [
        "elasticbeanstalk:CreateConfigurationTemplate"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:configurationtemplate/My App/My Template*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App"],
          "elasticbeanstalk:FromSolutionStack": ["arn:aws:elasticbeanstalk:us-east-1::solutionstack/32bit Amazon Linux running Tomcat 7"]
        }
      }
    }
  ]
}
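How the Resource element and the condition keys in the examples above combine, as an added sketch that is not part of the AWS guide: a simplified evaluator covering only the four string operators, single-valued keys and the `*` and `?` wildcards. The function names and the request contexts are assumptions; how Elastic Beanstalk fills each key for a real request is not modelled.

```python
import re

EB = "arn:aws:elasticbeanstalk:us-east-1:123456789012"

# The page's FromEnvironment example (both excluded prefixes in one value list).
SWAP_POLICY = {"Statement": [{
    "Action": ["elasticbeanstalk:SwapEnvironmentCNAMEs"],
    "Effect": "Allow",
    "Resource": [EB + ":environment/My App/mysrcenv*",
                 EB + ":environment/My App/mydestenv*"],
    "Condition": {"StringNotLike": {"elasticbeanstalk:FromEnvironment": [
        EB + ":environment/My App/mysrcenvPROD*",
        EB + ":environment/My App/mydestenvPROD*"]}},
}]}

# The page's FromApplicationVersion example.
UPDATE_POLICY = {"Statement": [{
    "Action": ["elasticbeanstalk:UpdateEnvironment"],
    "Effect": "Allow",
    "Resource": [EB + ":environment/My App/myenv"],
    "Condition": {"StringEquals": {
        "elasticbeanstalk:InApplication": [EB + ":application/My App"],
        "elasticbeanstalk:FromApplicationVersion": [
            EB + ":applicationversion/My App/My Version"]}},
}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _like(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


# operator name -> (match function, negated?)
OPERATORS = {
    "StringEquals": (lambda p, v: p == v, False),
    "StringNotEquals": (lambda p, v: p == v, True),
    "StringLike": (_like, False),
    "StringNotLike": (_like, True),
}


def _condition_holds(condition, context):
    """All operators and all keys must hold; values listed under one key are alternatives."""
    for operator, keys in condition.items():
        match, negated = OPERATORS[operator]
        for key, wanted in keys.items():
            if key not in context:
                if negated:
                    continue      # an absent key satisfies a negated operator
                return False      # an absent key fails a positive operator
            hit = any(match(p, context[key]) for p in _as_list(wanted))
            if hit == negated:    # positive: no value matched; negated: some value matched
                return False
    return True


def is_allowed(policy, action, resource, context):
    """Default deny; an explicit Deny wins; otherwise any applicable Allow grants."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        applies = (any(_like(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
                   and any(_like(r, resource) for r in _as_list(stmt["Resource"]))
                   and _condition_holds(stmt.get("Condition", {}), context))
        if applies and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (applies and stmt["Effect"] == "Allow")
    return allowed


if __name__ == "__main__":
    swap = "elasticbeanstalk:SwapEnvironmentCNAMEs"
    dest = EB + ":environment/My App/mydestenv-blue"   # constructed environment name
    for src in ("mysrcenv-staging", "mysrcenvPROD-1"):  # constructed environment names
        ctx = {"elasticbeanstalk:FromEnvironment": EB + ":environment/My App/" + src}
        print(src, "->", is_allowed(SWAP_POLICY, swap, dest, ctx))
```

A StringNotLike block alone does not bound a grant: with the key absent from the request the condition passes, so the Resource patterns are what keep the statement scoped.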