Is there any recommended permissions to attach to a Pulumi IAM user, or do people just set

"*"

for everything on this user? In my head it makes sense that this user can do pretty much everything (except a very few items related to back office stuff), but I would love to hear input from other people on this 🙂

This highly depends on the environment, the least privilege principle is always the best but deployer roles often need much more so it requires some effort. This is IMO a good article providing at least some options https://meirg.co.il/2021/04/23/determining-aws-iam-policies-according-to-terraform-and-aws-cli/

@most-mouse-38002 One suggestion - put the principal in one account dedicated for this purpose and use Assume Role to deploy to your app environments. Our own @billowy-army-68599 has you covered with this excellent blog post for more info: https://leebriggs.co.uk/blog/2022/09/05/authenticating-to-aws-the-right-way

Thank you, this is useful stuff both of you 👍