boto elastic beanstalk 创建应用版本 403 禁止访问

我写了一个Python脚本，可以自动部署到Elastic Beanstalk上。

在测试环境中运行得很好。

但是当我只是更换了用户密钥时，Boto却提示“403 Forbidden”，而且策略是正确的。

https://policysim.aws.amazon.com显示这个用户是被允许创建应用版本的。

可是Boto却不允许执行创建应用版本的操作。

boto==2.28
python==2.7.5

有没有人遇到过这个问题？

Traceback (most recent call last):
  File "upload_to_aws.py", line 135, in <module> 
description=None, s3_bucket=AWS_ELASTIC_BEANSTALK_S3_BUCKET_NAME, s3_key=zip_file)
  File "/usr/lib/python2.7/site-packages/boto/beanstalk/layer1.py", line 156, in create_application_version
return self._get_response('CreateApplicationVersion', params)
  File "/usr/lib/python2.7/site-packages/boto/beanstalk/layer1.py", line 71, in _get_response
raise self.ResponseError(response.status, response.reason, body)
boto.exception.BotoServerError: BotoServerError: 403 Forbidden
{"Error":{"Code":"AccessDenied","Message":"User: arn:aws:iam::<account-id>:user/<username> is not authorized to perform: elasticbeanstalk:CreateApplicationVersion on resource: arn:aws:elasticbeanstalk:ap-northeast-1:<account-id>:applicationversion/<application-name>/<application-version>","Type":"Sender"},"RequestId":"<request-id>"}

IAM策略：

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1000000000000",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket/*",
        "arn:aws:s3:::mybucket",
      ]
    },
{
      "Sid": "Stmt1000000000001",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:*"
      ],
      "Resource": [
        "arn:aws:elasticbeanstalk:ap-northeast-1:<account-id>:environment/<application name>/<environment-name>"
      ]
    }
  ]
}