# aws
g
Hey guys, I wonder if there is an easier way to check what the whole package of AWS policy permissions is that I need to add to my CI user in order to do both preview and deploy of resources with Pulumi. The current situation causes me to do multiple cycles of permissions update -> run CI -> CI fails -> permissions update (and so on). If there is a solution or tool for that, I'd be happy to try it. Thanks!
l
Not aware of one, though it'd be useful. You could either broaden your minimal-trust policy to "AWS recommended trust" and use the AWS managed policies (or the AWS managed job-function policies); or you can set up a stack that runs with different creds in a dev account, and shorten the feedback loop by deploying there instead of via CI.
f
There are a couple of tools out there. I'm trying to find the name, but one is essentially a local proxy that captures AWS calls, and another was like a mock AWS API for Terraform. Not sure if they would be helpful, but it was pretty cool looking.
If you can run your stack in a test account with a fresh IAM user, you also might be able to use the aws access advisor
This was the aws emulator - https://github.com/localstack/localstack
Ah, the other tool was `iamlive`: https://github.com/iann0036/iamlive
So the idea is, run your Pulumi against LocalStack while using `iamlive` to output a policy.
l
Wow, that iamlive idea is great. Have you used it? I wonder how easy it would be to get secops approval.. worth a shot, anyway.
f
I tried it. It's very cool. Definitely a security question mark or two about what it has access to, but I'm not familiar with the underlying AWS mechanisms either. The trouble I had was getting my code to work with LocalStack. To be fair, I didn't spend a lot of time on it either.
l
I won't be bothering with LocalStack. I'm happy to deploy to a new real stack with 0 permissions, and see what happens... I wonder if there's a way to get Pulumi to try to create everything, even if everything fails... so we can see all the API requests :)
f
Excited to hear how it goes!
l
@flat-laptop-90489 FYI, we have a separate #localstack channel where specific issues can be discussed.
r
I'm thinking the list of permissions would depend on what you are asking Pulumi to do? For example, if you're asking Pulumi to create a bucket then you would need `s3:CreateBucket`; otherwise you're fine leaving that permission out. I bookmark https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html for purposes of investigating permissions. Just a little caveat that AWS docs aren't necessarily great (for example, `ListObjectsV2` is not mentioned at https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html !)... but it's probably the best that we have.
b
I’ve used iamlive a lot and it works fantastically
f
I didn't know about `iamlive` until I read this thread today. It's an amazing tool. Thanks @flat-laptop-90489, I think it just saved a few hours of work. Would be awesome to at least mention the tool somewhere in the docs 🙂 I am sure it would save a lot of time for many people.