Ok answered my own question, not as magical as I thought - looks like lambda and ecs just get very open policies assigned to them.
04/15/2019, 1:34 PM
Yes - by default. You can customize the default roles via configuration variables. With the Lambda support in the
package, you can easily customize roles on a per-function basis as well.
04/15/2019, 2:03 PM
Thanks Luke, yeah I'm going with the awsx/aws packages for now. Are there any plans for pulumi cloud to "intelligently" apply the minimum required permissions based on how components are being used together?
04/15/2019, 3:33 PM
I can’t find the issue right now - but we have looked into computing minimum permissions based on captures references to specific resources. This should be possible, though you would often need to augment if you are also accessing things defined outside of Pulumi. If you want to open an issue to track, I’ll add some notes on how we’ve thought about doing this.