Hi all!
I need to set up an IAM Policy for an IAM User whose credentials I'd use for Pulumi.
So in my Pulumi code I'm setting up several services like Lambda, S3, ECR and IAM Policy/Roles, and I want Pulumi to have ONLY the needed permissions for those services and nothing else.
I'm not completely aware of the API calls that Pulumi uses for setting up those services, so I tried AWS CloudTrail to track all API calls made by my IAM User. I identified those API calls and tried to set up the IAM Policy with all of the API calls that were made by Pulumi.
However, I kept getting an Access Denied error from Pulumi, so the list of API calls identified by AWS CloudTrail was incomplete. Identifying those permissions one by one seemed to be not a great idea and a time-consuming task.
Any ideas on how to identify the needed permissions for Pulumi when setting up the IAM Policy? Is there any way to automatically identify them, or is the only way to do it manually? I know that there are such services as AWS RAM, AWS Service Catalog or AWS Config, but I'm not sure if they can figure out all get, update, delete and list permissions on a single run of Pulumi code.
Any help or advice is appreciated! Thanks in advance for any support 🙂
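The CloudTrail approach in the question can be made much less manual, because the Access Denied failures themselves are logged: a denied call shows up as a CloudTrail record with an `errorCode` of `AccessDenied` (or `AccessDeniedException`), so the records for the deployer user contain both the actions the policy already allows and the ones it is still missing. The script below, an added example that is not from the original post or from Pulumi, turns a list of CloudTrail records into a draft least-privilege policy. It assumes the records are already exported as JSON dicts (for instance from CloudTrail's `LookupEvents` API filtered by the `Username` attribute, or from the trail's log files in S3); the embedded sample records are constructed, and the `SOURCE_OVERRIDES` table is a deliberately incomplete assumption that has to be extended for services whose IAM prefix differs from their `eventSource` host.

```python
"""Build a draft least-privilege IAM policy from CloudTrail records.

Added example, not from the original post or from Pulumi. It assumes the
CloudTrail records are already available as a list of dicts; the sample
records below are constructed and only mirror the record shape.
"""
import json
import re
from collections import defaultdict

# Constructed sample CloudTrail records (shape only; all values are made up).
SAMPLE_EVENTS = [
    {"userIdentity": {"type": "IAMUser", "userName": "pulumi-deployer"},
     "eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331"},
    {"userIdentity": {"type": "IAMUser", "userName": "pulumi-deployer"},
     "eventSource": "lambda.amazonaws.com", "eventName": "GetFunction"},
    {"userIdentity": {"type": "IAMUser", "userName": "pulumi-deployer"},
     "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket"},
    {"userIdentity": {"type": "IAMUser", "userName": "pulumi-deployer"},
     "eventSource": "s3.amazonaws.com", "eventName": "PutBucketTagging"},
    {"userIdentity": {"type": "IAMUser", "userName": "pulumi-deployer"},
     "eventSource": "iam.amazonaws.com", "eventName": "CreateRole"},
    {"userIdentity": {"type": "IAMUser", "userName": "pulumi-deployer"},
     "eventSource": "ecr.amazonaws.com", "eventName": "CreateRepository",
     "errorCode": "AccessDenied"},
    {"userIdentity": {"type": "IAMUser", "userName": "someone-else"},
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"},
]

# eventSource -> IAM service prefix. Taking the host's first label works for most
# services; the ones that differ need an explicit entry. Assumption: this table is
# incomplete and must be extended as new eventSources appear in your trail.
SOURCE_OVERRIDES = {"monitoring.amazonaws.com": "cloudwatch"}

# Some services (Lambda is the usual one) log versioned event names such as
# "CreateFunction20150331" or "AddPermission20150331v2"; IAM wants the bare name.
VERSION_SUFFIX = re.compile(r"\d{8}(v\d+)?$")


def action_from_event(event):
    """Map one CloudTrail record to an IAM action string, e.g. "lambda:CreateFunction"."""
    source = event.get("eventSource", "")
    name = event.get("eventName", "")
    if not source or not name:
        return None
    prefix = SOURCE_OVERRIDES.get(source, source.split(".")[0])
    return f"{prefix}:{VERSION_SUFFIX.sub('', name)}"


def collect_actions(events, user_name):
    """Split one user's calls into those that succeeded and those logged as denied."""
    allowed, denied = set(), set()
    for ev in events:
        if ev.get("userIdentity", {}).get("userName") != user_name:
            continue  # records from other principals are not evidence for this policy
        action = action_from_event(ev)
        if action is None:
            continue
        # Covers both "AccessDenied" and "AccessDeniedException".
        if ev.get("errorCode", "").startswith("AccessDenied"):
            denied.add(action)
        else:
            allowed.add(action)
    return allowed, denied


def build_policy(actions):
    """Group actions per service into one Allow statement each.

    Resource is left as "*" so the draft is easy to review; narrowing it to the
    actual bucket, function and role ARNs is the next step, and CloudTrail alone
    cannot decide those for you.
    """
    by_service = defaultdict(set)
    for action in actions:
        by_service[action.split(":")[0]].add(action)
    statements = [
        {"Sid": f"{svc.capitalize()}Access", "Effect": "Allow",
         "Action": sorted(acts), "Resource": "*"}
        for svc, acts in sorted(by_service.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    ok, missing = collect_actions(SAMPLE_EVENTS, "pulumi-deployer")
    # Denied calls are exactly what the current policy lacks: fold them into the draft.
    print(json.dumps(build_policy(ok | missing), indent=2))
    print("Actions denied in this window:", sorted(missing))
```

Two caveats when running this against a real trail. First, a trail configured for management events only does not record S3 object-level calls such as `GetObject` and `PutObject`, so a Pulumi program that uploads Lambda code or assets to S3 will need those actions added even though they never appear in the records. Second, one denied action can mask the next: Pulumi stops at the first Access Denied, so the process is iterative (add the denied actions, run `pulumi up` again, re-export the records) until a run completes with no denied records, and only then is the draft worth narrowing from `Resource: "*"` to concrete ARNs.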