IAM policy for deploy

[serhiiromaniuk]

Hi folks!

I am writing to you with a problem of running deploy-serverless.
I do not want give my user admin permissions. Also going to use much more package functionality.
So, I creating each time dynamic users based on specific policy. But I cannot find any IAM policy documentation for each CLI run, that each command needs.
Alternative hard solution -- code deep dive and analyzation.

Could you please provide me any information regarding each command IAM permission policy set?

[ashishdhingra]

@serhiiromaniuk The command lambda deploy-serverless at high level does the following (refer DeployServerlessCommand):

• Validates the S3 bucket region.
• Uploads the processed CloudFormation template to S3 bucket.
• Describes existing CloudFormation stack with the name passed to the command.
• Create S3 presigned URL if the template was uploaded to S3 bucket.
• Create/Update CloudFormation changeset.
• Query the changeset.
• Create CloudFormation resources (by submitting changeset request)

You should have appropriate read/write access to the following services: AWS CloudFormation, IAM, Lambda, Amazon API Gateway, Amazon Simple Storage Service (Amazon S3), and Amazon Elastic Container Registry (Amazon ECR). The required permissions should closely match with the ones documented under Grant specific IAM permissions at AWS Serverless Application Model > Permissions. It is recommended you test the permissions in the test/staging environment before implementing the same for IAM user in production.

Thanks,
Ashish

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.