How do I identify what IAM permissions are required for AWS CloudFormation?

I want to use CloudFormation package and deploy functions, but how do I go about determining what IAM permissions are required to run these?

In general, how do I determine what permissions are required?

Jiew Meng asked Sep 23 '17 03:09



1 Answer

Based on the fact that you are using this for Lambda, I'm guessing that this is related to your other question CloudFormation to setup CodePipeline/CodeBuild to deploy SAM application.

In the answer to that question I referenced an Example CloudFormation Template. If you look at the CloudFormationServicePolicy from that example, you will likely find everything you need.


For the answer to this specific question though, there are two parts:

To package you'll need:

  • A Deployment Artifact bucket (ArtifactBucket)
  • s3:PutObject permissions for the user to the ArtifactBucket

To deploy is much harder to answer. In the above referenced CloudFormationServicePolicy you can find a full set of permissions we use with CloudFormation to deploy a function. At the very least, you'll need:

  • iam:PassRole (assuming you're passing an existing role)
  • lambda:CreateFunction
  • lambda:UpdateFunctionCode
  • lambda:UpdateFunctionConfiguration
  • lambda:AddPermission
  • lambda:GetEventSourceMapping
  • lambda:CreateEventSourceMapping
  • lambda:DeleteEventSourceMapping

If you're doing your deploy through the console, you'll likely also need:

  • iam:GetRole
  • iam:ListRole
  • lambda:GetFunction
  • lambda:GetFunctionConfiguration
Jamie Starke answered Nov 15 '22 05:11
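The answer above lists the actions a deployer needs but not how to scope them. The following is an added example (not code from the question, the answer, or the referenced template) that turns that list into a least-privilege IAM policy document and includes a small check for the most dangerous statement in it: an `iam:PassRole` grant on every role with no restriction on which service may receive the role. The account ID, region, bucket name, role name and function prefix are constructed placeholders; the `iam:PassedToService` condition key is a real IAM condition key, used here as a hardening choice the original answer does not mention.

```python
"""Build a least-privilege IAM policy for `aws cloudformation package` /
`aws cloudformation deploy` of a Lambda function, and lint it for an
unscoped iam:PassRole grant. Added example; all account-specific values
passed in by callers are constructed placeholders, not from the post."""
import json

# Actions named in the answer, grouped by the step that needs them.
PACKAGE_ACTIONS = ["s3:PutObject"]
FUNCTION_ACTIONS = [
    "lambda:CreateFunction",
    "lambda:UpdateFunctionCode",
    "lambda:UpdateFunctionConfiguration",
    "lambda:AddPermission",
    "lambda:GetFunction",
    "lambda:GetFunctionConfiguration",
]
# Event-source-mapping calls are not addressed to a function ARN, so IAM
# requires Resource "*" for them; keep that statement separate and small.
EVENT_SOURCE_ACTIONS = [
    "lambda:GetEventSourceMapping",
    "lambda:CreateEventSourceMapping",
    "lambda:DeleteEventSourceMapping",
]


def build_deploy_policy(account_id, region, artifact_bucket,
                        execution_role_name, function_prefix):
    """Return a policy document scoped to one artifact bucket, one execution
    role (passable only to Lambda) and functions sharing one name prefix."""
    role_arn = f"arn:aws:iam::{account_id}:role/{execution_role_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # `package` uploads the zipped code to the artifact bucket
                "Sid": "PackageUpload",
                "Effect": "Allow",
                "Action": PACKAGE_ACTIONS,
                "Resource": f"arn:aws:s3:::{artifact_bucket}/*",
            },
            {   # `deploy` passes the existing execution role to the function;
                # the condition stops the same grant being used for EC2, ECS...
                "Sid": "PassExecutionRoleToLambdaOnly",
                "Effect": "Allow",
                "Action": ["iam:PassRole", "iam:GetRole"],
                "Resource": role_arn,
                "Condition": {"StringEquals": {
                    "iam:PassedToService": "lambda.amazonaws.com"}},
            },
            {   # function create/update, limited to the prefix this stack owns
                "Sid": "ManageFunctions",
                "Effect": "Allow",
                "Action": FUNCTION_ACTIONS,
                "Resource": f"arn:aws:lambda:{region}:{account_id}"
                            f":function:{function_prefix}*",
            },
            {
                "Sid": "EventSourceMappings",
                "Effect": "Allow",
                "Action": EVENT_SOURCE_ACTIONS,
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_unscoped_passrole(policy):
    """Return the Sids of Allow statements that grant iam:PassRole on all
    roles without an iam:PassedToService condition. Such a grant lets the
    deployer attach any role in the account to a function it controls."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        grants_passrole = any(a in ("iam:PassRole", "iam:*", "*")
                              for a in actions)
        all_roles = any(r == "*" or r.endswith(":role/*") for r in resources)
        scoped_to_service = "iam:PassedToService" in json.dumps(
            stmt.get("Condition", {}))
        if grants_passrole and all_roles and not scoped_to_service:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    doc = build_deploy_policy("123456789012", "us-east-1", "my-artifacts",
                              "my-lambda-exec", "myapp-")
    print(json.dumps(doc, indent=2))
    print("unscoped PassRole:", find_unscoped_passrole(doc))
```

The check is deliberately narrow: it only flags the combination the answer's "at the very least" list makes easy to over-grant (PassRole on `*`). Run it against any deploy policy you are about to attach to a CI user; an empty result means every PassRole grant is either pinned to specific roles or pinned to the Lambda service.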