# sst

Sam Hulick

10/22/2021, 8:40 PM
docs request: it would be awesome if the docs had the minimal IAM permissions needed to deploy an SST project

Blake E

10/22/2021, 8:42 PM
+1 super useful

thdxr

10/22/2021, 8:44 PM
I think we've had this request a few times; we have an issue for it but need to prioritize it. I think Frank was looking into it at some point.

Adrián Mouly

10/22/2021, 8:49 PM
@Sam Hulick just give it all the perms 😂 (I know you hate that).

Sam Hulick

10/22/2021, 9:00 PM
Ha! Yeah, probably not wise 🙂

Frank

10/22/2021, 10:45 PM
And SST needs CREATE and UPDATE permissions on them.
But I think it's tricky to come up with the minimal permissions up front because you need to give `s3:CreateBucket` for `*` on the first deploy. After that, SST would no longer need it.

Sam Hulick

10/22/2021, 10:49 PM
You'd need delete perms too, for when the stack has to change things that need removal, or for just plain removing resources.
It's a lot of work, but I think anyone setting up CI/CD just has to test deploys locally using `--role-arn` and keep deploying over and over until all permission errors are gone.
Too bad AWS doesn't have a tool to tell you what permissions you need, given a CFN template.

Frank

10/22/2021, 10:51 PM
Yeah... a pattern I've seen is that you give a relaxed set of permissions, then use IAM Access Analyzer to generate a set of permissions that were actually being used, and update the policy with it.

Sam Hulick

10/22/2021, 10:51 PM
Oh! I didn't even know about that.
I'll bookmark that and check it out tomorrow. Thanks!