# general
b
Is there a method for inferring a project's IAM permission requirements from code or state and outputting a policy document with least privilege required to deploy the resources?
l
AWS provides a view that helps with that, rather than Pulumi. You can use the appropriate role's or user's Access Advisor tab in the AWS Console. You should run an up, preview and destroy, then check what permissions were used.
It might not be 100% accurate for all cases, since it is possible that slightly different permissions might be needed for refreshes, updates, etc. But that will give you 95% or more of what you need.
b
Nice. This is very useful, thanks. I guess this would require a user/role to be specific to the purpose to isolate only the calls relevant to the given project...
l
Prefer a role over a user (most accounts should have no users at all). Whichever role(s) you have associated with your AWS provider(s).
b
Yes, roles > users. But at the end of the day, there has to be a user/access key somewhere which assumes roles...?
l
I recommend using a specific Pulumi-only role that your user / SSO role / whatever can assume. Initially, give it admin privs. Run `pulumi up` using that role. Check what permissions it used.
How you get to the role that is used when Pulumi is deploying is up to you and your org's policies.
We use OIDC for CI-triggered deployments, and SSO for user-triggered deployments. So no users at all. But it might be different for you.
b
OpenID Connect?
l
Yes.
c
^ just be aware that different privs may be needed for create vs update of resources. It's always a game of whack-a-mole.
b
CRUDy
l
Yes, you won't get it right first time. Or indeed, for the first few weeks, probably 🙂 You'll need to recognize the errors caused by insufficient privileges, and how to remediate.
b
Yep. I like the Access Advisor approach you mentioned. Thanks 👍