Hi. I'm creating an AWS IAM user for Pulumi, but with the intent to only run

pulumi preview

. What is the appropriate permission to give to this user? Given that it will just "read"/"describe" elements on the infra, it won't change anything.

Something like

arn:aws:iam::aws:policy/job-function/ViewOnlyAccess

Thanks @stocky-restaurant-98004. It worked with

arn:aws:iam::aws:policy/job-function/ViewOnlyAccess

plus privileges to use KMS to decrypt secrets. Many thanks.

You're most welcome! Please don't hesitate to reach out if you have any more trouble.