When creating an IAM user/group to run AWS_ACCESS_KEY_ID=x AWS_SECRET_ACCESS_KEY=y serverless deploy -v on AWS Lambda, what roles/permissions should be granted to that user/group?
According to the Serverless Framework documentation:
"To let the Serverless Framework access your AWS account, we're going to create an IAM User with Admin access, which can configure the services in your AWS account.
Note: In a production environment, we recommend reducing the permissions to the IAM User which the Framework uses. Unfortunately, the Framework's functionality is growing so fast, we can't yet offer you a finite set of permissions it needs (we're working on this)."
In the production environment, IAMFullAccess, AWSLambdaFullAccess and CloudFormationFullAccess should be enough.
2022 update: Serverless.com now has an [at least partial] solution to determine a set of privileges that a given deploy will require: https://www.serverless.com/blog/abcs-of-iam-permissions#managing-permissions-for-the-serverless-framework-user
tl;dr: Yeoman package and generator-serverless-policy
This will create a JSON file in your working directory with permissions scoped to your service. It's not perfect, but it will get you closer.
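An added example, not part of the answers above or of the Serverless Framework: a small Python check to run over a policy JSON such as the one generator-serverless-policy writes, flagging Allow statements that still use service-wide wildcards before the policy is attached to the deploy user. The sample policy, its ARNs and the account ID are constructed for illustration, and the function names are hypothetical.

```python
import json

# Constructed sample policy (not real generator output): one scoped
# statement followed by two that use service-wide wildcards.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack"],
     "Resource": "arn:aws:cloudformation:us-east-1:123456789012:stack/my-service-dev/*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["lambda:*"],
     "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-service-dev-*"}
  ]
}
""")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def broad_statements(policy):
    """Return (statement index, reason) for each Allow statement that is
    wider than a single-service deploy user should need."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "Allow with NotAction/NotResource"))
            continue
        any_resource = "*" in _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            service, _, name = action.partition(":")
            if action == "*":
                findings.append((i, "every action (*)"))
            elif name == "*" and any_resource:
                findings.append((i, f"{service}:* on every resource"))
            elif name == "*":
                findings.append((i, f"{service}:* (resource-scoped)"))
    return findings
```

An empty result from broad_statements means no Allow statement uses a bare service wildcard; it does not prove the policy is minimal.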