# aws
b
honestly, you’re going to be constantly playing whack-a-mole if you’re trying to chase Pulumi code -> IAM perms. I generally just give out admin perms. Part of the reason for this is that every single modification of code is going to need a permission update, which is I think what you’re seeing. A pretty common pattern I’ve seen is using an admin role in development, using iamlive to scope the perms, and then for production, locking down the IAM role.
m
That makes a lot of sense, I agree. One middle ground is perhaps to assign more “freely”, like `rds:*` if a repo needs RDS or `s3:*` if it needs S3 access. After all, assuming GitHub Actions (enterprise) are secure, main branch is protected and we are using an IdP for actions, it should be fairly unlikely that someone manages to do a lot of harm to our infrastructure.
Thanks for the input, appreciate it 👍