# general


09/26/2023, 11:20 PM
When using a KMS key as a stack secret provider for pulumi, what's the minimum IAM action permission required? I currently have
but would like to narrow it down.


09/27/2023, 12:38 AM
I don't know off-hand, but the best way to figure this out is to us IAM's Access Advisor. This works only via a role, so you need to use an assumed role for your backend's credentials. If you're not already doing this (e.g. you're using access key id and secret ley), then you can do this by using an AWS profile with the role_arn and source_profile properties. Use this as your default profile, since that's what Pulumi uses for your backend. Once you've got this set up, you can perform all your normal operations a few times, then view your role's access advisor in the IAM console. Remove everything that isn't listed there.