Hi, I am a fellow user of Pulumi, so I will be interested to see if there is a better way to do this. But in my experience, setting IAM permissions for a service like Pulumi is no different than for any other purpose, meaning that, following the least-permission principle, you build your IAM policy based on the actions you will be needing. I usually start with the obvious and finish with trial and error. This usually results in a very minimal set of permissions. The amount of trial and error has been fairly low. I will also sometimes build the policy by hand and inspect the JSON output to make sure I get a sense of the minimal resource needed for the policy. E.g. sometimes you have to use resource="*" on a specific set of accesses, and AWS is pretty cryptic in its error messages about it.
It's not really feasible in my experience to give any IaC tool less than full admin in AWS. Even Power User does not allow you to create IAM policies, and you'll absolutely need those in common usage scenarios, e.g. for deploying Lambda functions. What you can do to limit your security exposure is limit the number of humans with Full Admin.
@helpful-knife-18557 thanks for the answer! I've been told that I can use a tool like iamlive (https://github.com/iann0036/iamlive). However, I still haven't got a full list of the needed permissions. But it can be quite useful in some cases! It's more convenient than other such tools.
@stocky-restaurant-98004 thanks for the answer! Yes, at the end of the day, I've come to the same conclusion. However, in my use case it was essential for me to have as few permissions as possible, because the tool that I'm developing uses Pulumi to deploy something in the AWS account of the user who will be using my tool, and I wanted to create a sample policy for the users to use. Anyway, thanks a lot for the help!