How do I identify what IAM permissions are required for AWS CloudFormation?

Question

I want to use CloudFormation. package and deploy functions but how do I go about determining what IAM permissions are required to run these?

In general, how do I determine what permissions are required?

Answer 1

Based on the fact that you are using this for Lambda, I'm guessing that this is related to your other question CloudFormation to setup CodePipeline/CodeBuild to deploy SAM application.

In the answer to that question I referenced an Example CloudFormation Template. If you look at the CloudFormationServicePolicy from that example, you will likely find everything you need.

---

For the answer to this specific question though, there are two parts

To package you'll need:

• A Deployment Artifact bucket (ArtifactBucket)
• s3:PutObject permissions for the user to the ArtifactBucket

To deploy is much harder to answer. In the above referenced CloudFormationServicePolicy you can find a full set of permissions we use with CloudFormation to deploy a function. At the very least, you'll need:

• iam:PassRole (assuming you're passing an existing role)
• lambda:CreateFunction
• lambda:UpdateFunctionCode
• lambda:UpdateFunctionConfiguration
• lambda:AddPermission
• lambda:GetEventSourceMapping
• lambda:CreateEventSourceMapping
• lambda:DeleteEventSourceMapping

If you're doing your deploy through the console, you'll likely also need:

• iam:GetRole
• iam:ListRole
• lambda:GetFunction
• lambda:GetFunctionConfiguration