https://pulumi.com logo
Title
c

cold-sundown-35940

01/22/2023, 8:32 PM
Hi all! I need to set up an IAM Policy for an IAM User, credentials of which I'd use for Pulumi. So in my Pulumi code I'm setting up several services like Lambda, S3, ECR and IAM Policy/Roles and I want the Pulumi to have ONLY needed permissions and not anything else for those services. I'm not completely aware of API calls that Pulumi uses for setting up those services and I tried AWS CloudTrail to track all API calls made to my IAM User username. I identified those API calls and tried to set up the IAM Policy with all of the API calls that were made by Pulumi. However, I kept getting Access Denied error by Pulumi, so the list of API calls identified by AWS CloudTrail was incomplete. Identifying those permissions one by one seemed to be not a great idea and time-consuming task. Any ideas of how to identify needed permissions for Pulumi when setting up IAM Policy? Is there any way to automatically identify them or the only way is to do it manually? I know that there are such services as AWS RAM, AWS Service Catalog or AWS Config, but I'm not sure if they can figure out all get, update, delete, list permissions on single run of Pulumi code. Any help or advice is appreciated! Thanks in advance for any support 🙂
h

helpful-knife-18557

01/23/2023, 1:58 PM
Hi, I am a fellow user of Pulumi, so I will interested to see if there an a better way to do this, But in my experience, setting IAM permission for a service like pulumi is no different than for any other purpose, meaning that, following least permission principle, you build you IAM policy based on the action you will be needing. I usually start with the obvious and finish with trial an error. This usually result in a very minimal set of permission. The amount of trial and error as been fairly low. I will also sometime build the policy by hand and inspect the JSON output to make sure i get a sense of the minimal
resource
needed for the policy. e.g. Sometime you have to use
resource="*"
on a specif set of access and AWS is pretty cryptic in its error message about it.
s

stocky-restaurant-98004

01/23/2023, 7:56 PM
It's not really feasible in my experience to give any IaC tool less than full admin in AWS. Even Power User does not allow you to create IAM policies, and you'll absolutely need those in common usage scenarios, e.g. for deploying Lambda function. What you can do to limit your security exposure is limit the number of humans with Full Admin.
c

cold-sundown-35940

01/24/2023, 11:20 AM
@helpful-knife-18557 thanks for the answer! I've been answered that I can use tool like
iamlive
https://github.com/iann0036/iamlive However, I still haven't had full list of needed permissions. But that can be quite useful in some cases! It's more convenient that other such tools.
@stocky-restaurant-98004 thanks for the answer! yes, at the end of the day, I've come to the same conclusion. However, in my use case it was essential for me to have as less permissions as possible. Because the tool that I'm developing is using Pulumi to deploy something in the AWS account of the user that will be using my tool. And I wanted to create a sample policy for the users to use. Anyways, thanks a lot for help!