does anyone have thoughts on this? I imagine this is a pretty standard concern for adding pulumi to CI/CD:
Have you taken a look at Pulumi Deployments (#pulumi-deployments) and ESC (#esc)? Both of them have support for generating single-use, short-term credentials per deployment that can be scoped down to a specific AWS role.
I think the devil in the detail here is defining the role policy, rather than assuming the role
e.g. I can't see in either of those solutions mentioned where it maps a resource (for example
) to a set of required permissions to provision for the AWS role
A common pattern is to deploy in dev - use IAM Analyzer / Cloudtrail /
to show the actual Actions and resources, generate Policy from that. It is a little surprising in the TF ecosystem there's not a better static analysis way to do this, but AWS makes it difficult.
That would be a nice pattern to be able to automate, and even have the providers publish these themselves. Often I find I've provisioned the right permissions to create/update, and then when I go to replace or delete I get a bunch of permission errors.
IAM Analyzer / Cloudtrail is also my recommendation. AWS does make it difficult. S3 in particular is really bad: when you create an S3 bucket you need many other permissions.