
most-mouse-38002

01/27/2023, 11:10 AM
Is there any recommended permissions to attach to a Pulumi IAM user, or do people just set "*" for everything on this user? In my head it makes sense that this user can do pretty much everything (except a very few items related to back office stuff), but I would love to hear input from other people on this 🙂

great-sunset-355

01/27/2023, 1:31 PM
This highly depends on the environment; the least privilege principle is always the best, but deployer roles often need much more, so it requires some effort. This is IMO a good article providing at least some options: https://meirg.co.il/2021/04/23/determining-aws-iam-policies-according-to-terraform-and-aws-cli/

stocky-restaurant-98004

01/27/2023, 3:33 PM
@most-mouse-38002 One suggestion - put the principal in one account dedicated for this purpose and use Assume Role to deploy to your app environments. Our own @billowy-army-68599 has you covered with this excellent blog post for more info: https://leebriggs.co.uk/blog/2022/09/05/authenticating-to-aws-the-right-way

most-mouse-38002

01/27/2023, 4:31 PM
Thank you, this is useful stuff both of you 👍