Channels
pulumi-ai
package-authoring
pulumi-cdk
oracle-cloud-infrastructure
learn-pulumi-events
linen
registry
built-with-pulumi
pulumi-cloud
contribex
testingtesting321
hacktoberfest
cloudengineering
yaml
pulumi-crosscode
content-share
finops
multi-language-hackathon
office-hours
workshops
blog-posts
localstack
welcome
gitlab
pulumi-kubernetes-operator
jobs
aws
pulumi-deployments
dotnet
golang
announcements
java
pulumiverse
python
install
getting-started
cloudengineering-support
testingtesting123
hackathon-03-19-2020
typescript
google-cloud
contribute
azure
kubernetes
docs
automation-api
status
general
Title
c
cold-sundown-35940
01/22/2023, 8:32 PMHi all!
I need to set up an IAM Policy for an IAM User, credentials of which I'd use for Pulumi.
So in my Pulumi code I'm setting up several services like Lambda, S3, ECR and IAM Policy/Roles and I want the Pulumi to have ONLY needed permissions and not anything else for those services.
I'm not completely aware of API calls that Pulumi uses for setting up those services and I tried AWS CloudTrail to track all API calls made to my IAM User username. I identified those API calls and tried to set up the IAM Policy with all of the API calls that were made by Pulumi.
However, I kept getting Access Denied error by Pulumi, so the list of API calls identified by AWS CloudTrail was incomplete. Identifying those permissions one by one seemed to be not a great idea and time-consuming task.
Any ideas of how to identify needed permissions for Pulumi when setting up IAM Policy? Is there any way to automatically identify them or the only way is to do it manually? I know that there are such services as AWS RAM, AWS Service Catalog or AWS Config, but I'm not sure if they can figure out all get, update, delete, list permissions on single run of Pulumi code.
Any help or advice is appreciated! Thanks in advance for any support 🙂
h
helpful-knife-18557
01/23/2023, 1:58 PMHi, I am a fellow user of Pulumi, so I will interested to see if there an a better way to do this,
But in my experience, setting IAM permission for a service like pulumi is no different than for any other purpose, meaning that, following least permission principle, you build you IAM policy based on the action you will be needing.
I usually start with the obvious and finish with trial an error. This usually result in a very minimal set of permission. The amount of trial and error as been fairly low. I will also sometime build the policy by hand and inspect the JSON output to make sure i get a sense of the minimal
resourceresource="*"s
stocky-restaurant-98004
01/23/2023, 7:56 PMIt's not really feasible in my experience to give any IaC tool less than full admin in AWS. Even Power User does not allow you to create IAM policies, and you'll absolutely need those in common usage scenarios, e.g. for deploying Lambda function.
What you can do to limit your security exposure is limit the number of humans with Full Admin.
c
cold-sundown-35940
01/24/2023, 11:20 AM@helpful-knife-18557 thanks for the answer! I've been answered that I can use tool like
iamlive@stocky-restaurant-98004 thanks for the answer!
yes, at the end of the day, I've come to the same conclusion. However, in my use case it was essential for me to have as less permissions as possible. Because the tool that I'm developing is using Pulumi to deploy something in the AWS account of the user that will be using my tool. And I wanted to create a sample policy for the users to use. Anyways, thanks a lot for help!