https://pulumi.com logo
Join Slack
Powered by
This message was deleted.
# aws
s
This message was deleted.
l
Not aware of one, though it'd be useful. You could either broaden your minimal-trust policy to "AWS recommended trust" and use the AWS managed policies (or the AWS managed - job function policies); or you can use set up a stack that runs with different creds in a dev account, and shorten the feedback loop by deploying there instead of via CI.
f
There's a couple tools out there, I'm trying to find the name, but one is essentially a local proxy that captures AWS calls, and another was like a mock aws API for terraform. Not sure if they would be helpful, but it was pretty cool looking
If you can run your stack in a test account with a fresh IAM user, you also might be able to use the aws access advisor
This was the aws emulator - https://github.com/localstack/localstack
Ah, the other tool was 
iamlive
https://github.com/iann0036/iamlive
So the idea is, run your pulumi against localstack while using 
iamlive
to output a policy
l
Wow, that iamlive idea is great. Have you used it? I wonder how easy it would be to get secops approval.. worth a shot, anyway.
f
I tried it. It's very cool. Definitely a security question mark or two about what it has access to, but Im not familiar with the underlying AWS mechanisms either. Trouble I had was getting my code to work with localstack. To be fair, I didn't spend a lot of time on it either.
l
I won't be bothering with LocalStack. I'm happy to deploy to a new real stack with 0 permissions, and see what happens... I wonder if there's a way to get Pulumi to try to create everything, even if everything fails... so we can see all the API requests :)
f
Excited to hear how how it goes!
l
@flat-laptop-90489 FYI, we have a separate #C026EE6N2VB channel where specific issues can be discussed.
👍 1
r
I’m thinking the list of permissions would depend on what you are asking Pulumi to do? for example if you’re asking Pulumi to create a bucket then you would need 
s3:CreateBucket
; otherwise you’re fine leaving that permission out. I bookmark https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html for purposes of investigating permissions. Just a little caveat that AWS docs aren’t necessarily great (for example, 
ListObjectsV2
is not mentioned at https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html !)… but it’s probably the best that we have
b
I’ve used iamlive a lot and it works fantastically
👍 1
f
I didn't know about 
iamlive
until i read this thread today. It's an amazing tool. thanks @flat-laptop-90489, I think it just saved a few hours of work. Would be awesome to at least mention the tool somewhere in the docs 🙂 I am sure it would save a lot of time for many people.
😄 1
2 Views
Open in Slack
PreviousNext
Powered by