I need a queue in my elastic beanstalk application and I therefore create the queue and the queue policy with this snippet in my .ebextensions/app.conf:
Resources:
BackgroundTaskQueue:
Type: "AWS::SQS::Queue"
AllowWorkerSQSPolicy:
Type: "AWS::SQS::QueuePolicy"
Properties:
Queues:
-
Ref: "BackgroundTaskQueue"
PolicyDocument:
Version: "2008-10-17"
Id: "PublicationPolicy"
Statement:
-
Sid: "Allow-Create-Task"
Effect: "Allow"
Principal:
AWS: "*"
Action:
- "sqs:SendMessage"
Resource:
Fn::GetAtt:
- "BackgroundTaskQueue"
- "Arn"
Unfortunately I cannot find a way to reference the Instance profile of my EC2 instances in the autoscaling group. (At the moment the queue is open to the world) I tried two approaches:
Reading the configuration:
Principal:
AWS:
Fn::GetOptionSetting:
OptionName: "IamInstanceProfile"
The OptionName is always retrieved from the aws:elasticbeanstalk:customoption namespace but the IamInstanceProfile is defined in the aws:autoscaling:launchconfiguration namespace as far as I know. -> No luck
Reading from the actual
AWSEBAutoScalingLaunchConfigurationresource:Principal:
AWS:
Fn::GetAtt:
- "AWSEBAutoScalingLaunchConfiguration"
- "IamInstanceProfile"
This approach fails cause the property IamInstanceProfile is not exposed.
Has anyone found a way to make such a policy work? Does anyone know how to instruct GetOptionSetting to look in a different namespace? Anyone found a way to GetAtt the instance profile?
Aucun commentaire:
Enregistrer un commentaire