docs request: it would be awesome if the docs had ...
# ssts
Sam Hulick
10/22/2021, 8:40 PMdocs request: it would be awesome if the docs had the minimal IAM permissions needed to deploy an SST project
b
Blake E
10/22/2021, 8:42 PM+1 super useful
t
thdxr
10/22/2021, 8:44 PMI think we've had this request a few times, we have an issue for it but need to prioritize it. Think Frank was looking into it at some point
a
Adrián Mouly
10/22/2021, 8:49 PM@Sam Hulick just give it all the perms 😂 (I know you hate that).
s
Sam Hulick
10/22/2021, 9:00 PMha! yeah, probably not wise 🙂
f
Frank
10/22/2021, 10:45 PM
Yeah, we have a list of resource types in docs - https://docs.serverless-stack.com/managing-iam-credentials#additional-permissions
Frank
10/22/2021, 10:46 PM
And SST needs CREATE and UPDATE permissions on them.
Frank
10/22/2021, 10:48 PM
But i think it’s tricky to come up with the minimal permission up front b/c you need to give
s3:CreateBucket*s
Sam Hulick
10/22/2021, 10:49 PMyou’d need delete perms too, for when the stack has to change things that need removal
Sam Hulick
10/22/2021, 10:49 PMor just plain removing resources
Sam Hulick
10/22/2021, 10:50 PMit’s a lot of work, but i think anyone setting up CI/CD just has to test deploys locally using
--role-arnSam Hulick
10/22/2021, 10:50 PMtoo bad AWS doesn’t have a tool to tell you what permissions you need, given a CFN template
f
Frank
10/22/2021, 10:51 PM
Yeah.. a pattern i’ve seen is that you give a relaxed set of permissions, and then use IAM Access Analyzer to generate a set of permissions that were actually being used. And update the policy with it.
Frank
10/22/2021, 10:51 PM
s
Sam Hulick
10/22/2021, 10:51 PMoh! I didn’t even know about that
Sam Hulick
10/22/2021, 10:52 PMI’ll bookmark that and check it out tomorrow. thanks!
2 Views