No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Is there a best-practice on how to determine the required permissions on the cloud provider provisioning account used by Pulumi?

e.g. I'm working through the AWS tutorial examples, and I'm finding myself guessing at the required permissions -- editing permissions on the service account as tasks fail.

_I'm new to Pulumi, so I may be missing something obvious._

iamlive works well with Pulumi:
<https://github.com/iann0036/iamlive>

This looks perfect!

I am able to run iamlive, in proxy mode, and capture permissions for AWS CLI commands. But the Pulumi command is throwing an error about the x509 cert being signed by an unknown authority.

This makes sense, since I'm MITM'ing myself. But is there an easy work-around?

Just found the solution.

`iamlive` creates a self-signed key and stores it in `~/.iamlive`. By adding and trusting that cert within my local keychain, it started working as expected.

Thanks for the tip, <@UCWG26BH7>