I am trying Pulumi and going through the tutorial to deploy a static website on AWS.

https://www.pulumi.com/docs/iac/get-started/aws/

There is no mention of the permissions to give via IAM (currently 945 available). I don't want to open up my access, so how do I determine what permissions to use with any particular project on AWS w/Pulumi?

1 Answer

Usually, I start with broad permissions, by using either AWS-managed policies, like AmazonS3FullAccess, AmazonEC2FullAccess, or by specifying s3:*, ec2:*, etc. I go through the IaC template and make a best guess based on the resources that will be created.

The AWS Console's policy editor is also pretty useful when it comes to selecting permissions.

Then, I use iamlive or IAM Access Analyzer policy generation to generate a least-privileged policy based on the API calls that the user or role has made.

Note that you need to enable CloudTrail first before you start using the user/role in order to log their API calls and to let IAM Access Analyzer use it.

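The last step of the answer, turning the API calls a trail logged into a least-privilege policy, as an added example that is not from the answer, Pulumi, or AWS: a small Python version of what iamlive and IAM Access Analyzer policy generation do, run over constructed CloudTrail events like those a Pulumi S3 static-site deploy might produce. The abbreviated event fields and the bucket name `my-static-site` are constructed sample data.

```python
# Added example (not from the original answer): a minimal version of what
# iamlive / IAM Access Analyzer policy generation do, run over constructed
# CloudTrail events such as a Pulumi S3 static-site deploy might log.
import json
from collections import defaultdict

# Constructed sample events (abbreviated CloudTrail fields), not a real trail.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "resources": [{"ARN": "arn:aws:s3:::my-static-site"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketWebsite",
     "resources": [{"ARN": "arn:aws:s3:::my-static-site"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "resources": [{"ARN": "arn:aws:s3:::my-static-site/index.html"}]},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity"},
]


def to_iam_action(event):
    """Map eventSource + eventName to an IAM action, e.g. s3:PutObject.
    Caveat: CloudTrail event names usually, but not always, match IAM action
    names, so review the generated policy by hand before attaching it."""
    service = event["eventSource"].split(".")[0]
    return f"{service}:{event['eventName']}"


def build_policy(events):
    """Return an IAM policy document with one Allow statement per service."""
    actions, arns = defaultdict(set), defaultdict(set)
    for ev in events:
        action = to_iam_action(ev)
        service = action.split(":")[0]
        actions[service].add(action)
        for res in ev.get("resources", []):
            arns[service].add(res["ARN"])
    statements = []
    for service in sorted(actions):
        statements.append({
            "Effect": "Allow",
            "Action": sorted(actions[service]),
            # Scope to the ARNs the trail recorded; "*" only when it recorded none.
            "Resource": sorted(arns[service]) or "*",
        })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(build_policy(SAMPLE_EVENTS), indent=2))
```

The "*" fallback is where a generated policy stays broad: calls with no resource ARN in the trail (and S3 object-level calls unless data events are enabled on the trail) need to be scoped by hand.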
1 Comment

Thanks, none of this seems to be in the Pulumi docs, or did I miss something?
