boto弹性beantalk创建应用程序版本403禁止

Question

I've finished a python script that deploying automatically to Elastic beanstalk.

It works fine with testing environments.

But when I just changed user key, Boto says '403 Forbidden' with correct policy.

https://policysim.aws.amazon.com say's that user allowed CreateApplicationVersion.

However boto don't allow CreateApplicationVersion action.

boto==2.28
python==2.7.5

Anyone got this problem before?

Traceback (most recent call last):
  File "upload_to_aws.py", line 135, in <module> 
description=None, s3_bucket=AWS_ELASTIC_BEANSTALK_S3_BUCKET_NAME, s3_key=zip_file)
  File "/usr/lib/python2.7/site-packages/boto/beanstalk/layer1.py", line 156, in create_application_version
return self._get_response('CreateApplicationVersion', params)
  File "/usr/lib/python2.7/site-packages/boto/beanstalk/layer1.py", line 71, in _get_response
raise self.ResponseError(response.status, response.reason, body)
boto.exception.BotoServerError: BotoServerError: 403 Forbidden
{"Error":{"Code":"AccessDenied","Message":"User: arn:aws:iam::<account-id>:user/<username> is not authorized to perform: elasticbeanstalk:CreateApplicationVersion on resource: arn:aws:elasticbeanstalk:ap-northeast-1:<account-id>:applicationversion/<application-name>/<application-version>","Type":"Sender"},"RequestId":"<request-id>"}

IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1000000000000",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket/*",
        "arn:aws:s3:::mybucket",
      ]
    },
{
      "Sid": "Stmt1000000000001",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:*"
      ],
      "Resource": [
        "arn:aws:elasticbeanstalk:ap-northeast-1:<account-id>:environment/<application name>/<environment-name>"
      ]
    }
  ]
}

Answer 1

I really don't think this is a boto issue. It just makes the API call with the credentials you provide. If the service says 403 then the credentials you are using are not authorized for that operation.

In the case of the CreateApplicationVersion operation, you also have to pass in an S3 bucket where the version data is located. Does the account you are using have access to that bucket?