Determine IAM requirements for Cloudformation Stack
I'm currently developing and launching a relatively simple cloudformation stack. Just some simple RDS stuff, triggered through and external CI+CD service.
However, my current cycle for development is incredibly inefficient, purely because I don't understand what the IAM permissions need to be for the Continuous Integration IAM group I set up.
I'll try runing the deployment of the Cloudformation template, only to get some error setting something up and start a rollback. The rollback will then fail, because it requires a different permission to remove what it's managed to create so far. I add the two new permissions I've discovered, delete the stack because it's in the ROLLBACK_FAILED
state, and try again.
I can just wildcard all the permissions for all the services I need, but that can't be best practice when handing some AWS credentials to an external service.
Because of this. Is there a way to know what IAM Permissions I specifically need to set up based on a cloudformation template? Alternatively, is there some list of IAM permissions expected for each Cloudformation Resource? Am I being too pedantic about trying to limit as many permissions as possible? Or am I forever doomed to this trial of IAM permission tuning?
There is a work around for this which I love. It is:
- Login with a specific test user
- Create the resources manually from console using this user
- Go to CloudTrail and watch the events history and observe the values of `eventName.
This eventName
corresponds exactly to the API call names from boto3 and to Action in IAM policies for the related permission. So you would know all the steps that need to be done in order to create a specific type of resource.
Next you only need to remember and understand the CloudFormation actions itself and that's it.
I've had the exact same question myself but couldn't find the answer I wanted.
Instead, I've drawn a diagram which contains all the relevant parts, thought about each part in terms of:
- What does it need to do?
- Which resources does it touch/manage?
Then, for each part of the diagram I've compiled a list of IAM access I thought would be required and wrote a specific policy which contains everything which would be needed.
Then I replayed CloudFormation stack creation, and I still missed some permissions but mostly was already covered by the policy I created.
I hope my answer helps you.