How to configure Elastic Beanstalk IAM roles for CloudTrail access?
To configure Elastic Beanstalk IAM roles for CloudTrail access, you create an IAM role that the EC2 instances in your Beanstalk environment can assume and grant that role the CloudTrail permissions it needs.
In the AWS IAM service, you create a Role and attach an IAM policy to it. The policy grants the permissions needed to access CloudTrail. You then create an instance profile that AWS Elastic Beanstalk will attach to the Amazon EC2 instances that are launched as part of your environment.
Here is an example Pulumi program in TypeScript that will accomplish your goal:
Please note that this example uses the AWS (not AWS-native) provider:
```typescript
import * as aws from "@pulumi/aws";

// IAM role whose trust policy lets the EC2 service assume it, so the
// instances in the Beanstalk environment can use its permissions.
const role = new aws.iam.Role("role", {
    description: "A role for our Elastic Beanstalk instance",
    assumeRolePolicy: JSON.stringify({
        Statement: [{
            Action: "sts:AssumeRole",
            Effect: "Allow",
            Principal: { Service: "ec2.amazonaws.com" },
        }],
        Version: "2012-10-17",
    }),
});

// Attach the managed policy that grants CloudTrail permissions to the role.
const policy = new aws.iam.RolePolicyAttachment("policy", {
    role: role.id,
    policyArn: "arn:aws:iam::aws:policy/CloudTrailFullAccess",
});

// Instance profile that Elastic Beanstalk attaches to the EC2 instances.
const instanceProfile = new aws.iam.InstanceProfile("instanceProfile", {
    role: role.name,
});
```
This program does the following:

- It creates a new IAM role for your EC2 instances (the resources that Elastic Beanstalk runs on). This role can be assumed by EC2 (hence the `sts:AssumeRole` action in the trust policy).
- It attaches the `CloudTrailFullAccess` managed policy to the role. This policy grants the necessary permissions for CloudTrail access.
- It creates an instance profile that Elastic Beanstalk can attach to your EC2 instances.

You can specify the instance profile in your Elastic Beanstalk environment configuration.
You can refer to the detailed Pulumi documentation for creating IAM roles, role policy attachments and instance profiles.
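A managed `FullAccess` policy on an instance profile gives every process on those instances the whole CloudTrail API, including the ability to stop or reconfigure trails. The following added example (written for this page, not taken from the answer above or from Pulumi) builds the same trust policy plus an inline, read-only CloudTrail policy as plain objects and lints both before they are handed to Pulumi. The action list, the trail ARN, the account id, and the helper names `ec2TrustPolicy`, `cloudTrailReadPolicy`, `wildcardActions` and `isFullAccessManagedPolicy` are assumptions for illustration; replace the actions with the calls your application actually makes.

```typescript
// Added example, not part of the original answer: build a least-privilege
// CloudTrail policy for the Beanstalk instance role and lint it, instead of
// attaching a *FullAccess managed policy. Action list and ARNs are assumptions.

type Statement = {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource?: string | string[];
  Principal?: { Service: string };
};

type PolicyDocument = {
  Version: "2012-10-17";
  Statement: Statement[];
};

// Trust policy: only the EC2 service may assume the role (same trust as the
// answer above).
function ec2TrustPolicy(): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      { Effect: "Allow", Action: "sts:AssumeRole", Principal: { Service: "ec2.amazonaws.com" } },
    ],
  };
}

// Permissions policy: read-only CloudTrail calls. LookupEvents and
// DescribeTrails take no trail resource, so they must use "*"; GetTrailStatus
// and GetEventSelectors can be restricted to one trail ARN.
function cloudTrailReadPolicy(trailArn: string): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      { Effect: "Allow", Action: ["cloudtrail:LookupEvents", "cloudtrail:DescribeTrails"], Resource: "*" },
      { Effect: "Allow", Action: ["cloudtrail:GetTrailStatus", "cloudtrail:GetEventSelectors"], Resource: trailArn },
    ],
  };
}

// Lint: return every Allow action that is a bare "*" or a "service:*" wildcard.
function wildcardActions(doc: PolicyDocument): string[] {
  const found: string[] = [];
  for (const s of doc.Statement) {
    if (s.Effect !== "Allow") continue;
    const actions = Array.isArray(s.Action) ? s.Action : [s.Action];
    for (const a of actions) {
      if (a === "*" || a.endsWith(":*")) found.push(a);
    }
  }
  return found;
}

// Lint: flag AWS-managed "...FullAccess" policies such as the one attached in
// the answer above, so they never reach an instance profile unnoticed.
function isFullAccessManagedPolicy(policyArn: string): boolean {
  return policyArn.startsWith("arn:aws:iam::aws:policy/") && policyArn.endsWith("FullAccess");
}

// Usage with Pulumi (not executed here; account id 123456789012 is a
// constructed placeholder):
//   const role = new aws.iam.Role("role", { assumeRolePolicy: JSON.stringify(ec2TrustPolicy()) });
//   new aws.iam.RolePolicy("cloudtrail-read", {
//     role: role.id,
//     policy: JSON.stringify(cloudTrailReadPolicy("arn:aws:cloudtrail:us-east-1:123456789012:trail/example")),
//   });
```

Run the linters in the same Pulumi program before creating the `RolePolicyAttachment`: a non-empty `wildcardActions` result or a `true` from `isFullAccessManagedPolicy` is a signal to narrow the policy. Note that the instance role also needs the permissions the Beanstalk platform itself uses on the instances (for example the `AWSElasticBeanstalkWebTier` managed policy); check the Beanstalk documentation for the policy your platform expects.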