https://pulumi.com logo
Powered by
#aws
Title
# aws
g

gorgeous-insurance-82079

07/12/2022, 6:39 PM
Hey guys, I wonder if there is a more easy way to check what are the whole package of AWS Policy Permissions I need to add to my CI user in order to do both preview+deploy resources with Pulumi. The current situation causes me to do multiple cycles of permissions update -> run ci -> ci fails -> permissions update (and go on). If there is a solution/tools for that I’d be happy to try Thanks!
l

little-cartoon-10569

07/12/2022, 9:06 PM
Not aware of one, though it'd be useful. You could either broaden your minimal-trust policy to "AWS recommended trust" and use the AWS managed policies (or the AWS managed - job function policies); or you can use set up a stack that runs with different creds in a dev account, and shorten the feedback loop by deploying there instead of via CI.
f

flat-laptop-90489

07/12/2022, 9:31 PM
There's a couple tools out there, I'm trying to find the name, but one is essentially a local proxy that captures AWS calls, and another was like a mock aws API for terraform. Not sure if they would be helpful, but it was pretty cool looking
If you can run your stack in a test account with a fresh IAM user, you also might be able to use the aws access advisor
This was the aws emulator - https://github.com/localstack/localstack
Ah, the other tool was 
iamlive
https://github.com/iann0036/iamlive
So the idea is, run your pulumi against localstack while using 
iamlive
to output a policy
l

little-cartoon-10569

07/12/2022, 10:20 PM
Wow, that iamlive idea is great. Have you used it? I wonder how easy it would be to get secops approval.. worth a shot, anyway.
f

flat-laptop-90489

07/13/2022, 1:30 AM
I tried it. It's very cool. Definitely a security question mark or two about what it has access to, but Im not familiar with the underlying AWS mechanisms either. Trouble I had was getting my code to work with localstack. To be fair, I didn't spend a lot of time on it either.
l

little-cartoon-10569

07/13/2022, 1:34 AM
I won't be bothering with LocalStack. I'm happy to deploy to a new real stack with 0 permissions, and see what happens... I wonder if there's a way to get Pulumi to try to create everything, even if everything fails... so we can see all the API requests :)
f

flat-laptop-90489

07/13/2022, 2:34 AM
Excited to hear how how it goes!
l

limited-rainbow-51650

07/13/2022, 9:13 AM
@flat-laptop-90489 FYI, we have a separate #localstack channel where specific issues can be discussed.
👍 1
r

rhythmic-branch-12845

07/13/2022, 9:16 AM
I’m thinking the list of permissions would depend on what you are asking Pulumi to do? for example if you’re asking Pulumi to create a bucket then you would need 
s3:CreateBucket
; otherwise you’re fine leaving that permission out. I bookmark https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html for purposes of investigating permissions. Just a little caveat that AWS docs aren’t necessarily great (for example, 
ListObjectsV2
is not mentioned at https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html !)… but it’s probably the best that we have
b

billowy-army-68599

07/13/2022, 4:02 PM
I’ve used iamlive a lot and it works fantastically
👍 1
f

future-refrigerator-88869

07/13/2022, 10:36 PM
I didn't know about 
iamlive
until i read this thread today. It's an amazing tool. thanks @flat-laptop-90489, I think it just saved a few hours of work. Would be awesome to at least mention the tool somewhere in the docs 🙂 I am sure it would save a lot of time for many people.
😄 1
Powered by