Determine IAM requirements for Cloudformation Stack

I'm currently developing and launching a relatively simple cloudformation stack. Just some simple RDS stuff, triggered through an external CI+CD service.

However, my current cycle for development is incredibly inefficient, purely because I don't understand what the IAM permissions need to be for the Continuous Integration IAM group I set up.

I'll try running the deployment of the Cloudformation template, only to get some error setting something up and start a rollback. The rollback will then fail, because it requires a different permission to remove what it's managed to create so far. I add the two new permissions I've discovered, delete the stack because it's in the ROLLBACK_FAILED state, and try again.

I can just wildcard all the permissions for all the services I need, but that can't be best practice when handing some AWS credentials to an external service.

Because of this, is there a way to know what IAM permissions I specifically need to set up based on a cloudformation template? Alternatively, is there some list of IAM permissions expected for each Cloudformation resource? Am I being too pedantic about trying to limit as many permissions as possible? Or am I forever doomed to this trial of IAM permission tuning?


There is a work around for this which I love. It is:

  1. Login with a specific test user
  2. Create the resources manually from console using this user
  3. Go to CloudTrail and watch the events history and observe the values of `eventName`.

This eventName corresponds exactly to the API call names from boto3 and to Action in IAM policies for the related permission. So you would know all the steps that need to be done in order to create a specific type of resource.

Next you only need to remember and understand the CloudFormation actions themselves and that's it.
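The procedure above, as an added example that is not part of the original answer: a small Python script that takes CloudTrail records for the test user and turns each `eventSource`/`eventName` pair into an IAM action, then groups the actions into a policy skeleton. The sample events are constructed for this example; the `EVENT_SOURCE_TO_IAM_PREFIX` map (a few known cases where the `eventSource` prefix differs from the IAM service prefix) and the optional `fetch_events_from_cloudtrail` helper, which uses the boto3 `lookup_events` API and therefore only sees the 90 days that Event history retains, are assumptions of this example. Events that failed with `AccessDenied` are kept on purpose, because those are exactly the permissions the rollback in the question was missing.

```python
"""Build a least-privilege IAM policy skeleton from CloudTrail event records.

Added example, not from the original thread. Input events are dicts shaped
like CloudTrail records (eventSource, eventName, userIdentity, errorCode).
"""
import json
from collections import defaultdict

# eventSource is "<prefix>.amazonaws.com". The prefix usually equals the IAM
# service prefix, but not always; this map covers a couple of known exceptions
# and anything else is passed through unchanged (assumption: extend as needed).
EVENT_SOURCE_TO_IAM_PREFIX = {
    "monitoring": "cloudwatch",
    "tagging": "tag",
}

# Constructed sample records for an IAM user "cfn-test" creating RDS resources
# by hand, including one denied call that would otherwise break the rollback.
SAMPLE_EVENTS = [
    {"eventSource": "rds.amazonaws.com", "eventName": "CreateDBSubnetGroup",
     "userIdentity": {"type": "IAMUser", "userName": "cfn-test"}},
    {"eventSource": "rds.amazonaws.com", "eventName": "CreateDBInstance",
     "userIdentity": {"type": "IAMUser", "userName": "cfn-test"}},
    {"eventSource": "rds.amazonaws.com", "eventName": "DescribeDBInstances",
     "userIdentity": {"type": "IAMUser", "userName": "cfn-test"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeSecurityGroups",
     "userIdentity": {"type": "IAMUser", "userName": "cfn-test"}},
    {"eventSource": "rds.amazonaws.com", "eventName": "DeleteDBInstance",
     "errorCode": "AccessDenied",  # the permission the rollback still lacks
     "userIdentity": {"type": "IAMUser", "userName": "cfn-test"}},
    {"eventSource": "rds.amazonaws.com", "eventName": "DescribeDBInstances",
     "userIdentity": {"type": "IAMUser", "userName": "someone-else"}},
]


def iam_action(event):
    """Map one CloudTrail event to its IAM action, e.g. 'rds:CreateDBInstance'."""
    prefix = event["eventSource"].split(".")[0]
    prefix = EVENT_SOURCE_TO_IAM_PREFIX.get(prefix, prefix)
    return f"{prefix}:{event['eventName']}"


def actions_for_user(events, username):
    """Sorted, de-duplicated IAM actions invoked by the IAM user `username`.

    Denied calls (errorCode == AccessDenied) are kept: they name permissions
    that are still missing. Read-only calls (Describe*/List*/Get*) are kept
    too, because the console and CloudFormation issue them as well.
    Records for assumed roles carry the name under sessionContext instead of
    userIdentity.userName; they are skipped here (assumption of this example).
    """
    actions = set()
    for ev in events:
        if ev.get("userIdentity", {}).get("userName") != username:
            continue
        actions.add(iam_action(ev))
    return sorted(actions)


def build_policy(actions, resource="*"):
    """One Allow statement per service. Resource is left as '*' on purpose:
    narrowing it to ARNs is a manual step once the stack's resources are known."""
    by_service = defaultdict(list)
    for action in actions:
        by_service[action.split(":")[0]].append(action)
    statements = [
        {"Sid": f"{svc.capitalize()}Access", "Effect": "Allow",
         "Action": by_service[svc], "Resource": resource}
        for svc in sorted(by_service)
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def fetch_events_from_cloudtrail(username, region="us-east-1"):
    """Optional live path: pull the user's events from CloudTrail Event history
    (last 90 days only) via LookupEvents. Needs boto3 credentials and the
    cloudtrail:LookupEvents permission; not exercised offline."""
    import boto3  # imported here so the rest of the module runs without boto3
    paginator = boto3.client("cloudtrail", region_name=region).get_paginator("lookup_events")
    lookup = [{"AttributeKey": "Username", "AttributeValue": username}]
    events = []
    for page in paginator.paginate(LookupAttributes=lookup):
        # CloudTrailEvent is the full record serialised as a JSON string
        events.extend(json.loads(item["CloudTrailEvent"]) for item in page["Events"])
    return events


if __name__ == "__main__":
    policy = build_policy(actions_for_user(SAMPLE_EVENTS, "cfn-test"))
    print(json.dumps(policy, indent=2))
```

The generated document is a starting point, not the finished policy: the CI principal additionally needs the `cloudformation:*` actions for the stack itself, and `iam:PassRole` if the template hands a role to a service (for example an RDS monitoring role), neither of which shows up in the test user's manual console session.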


I've had the exact same question myself but couldn't find the answer I wanted.

Instead, I've drawn a diagram which contains all the relevant parts, thought about each part in terms of:

- What does it need to do?
- Which resources does it touch/manage?

Then, for each part of the diagram I've compiled a list of IAM access I thought would be required and wrote a specific policy which contains everything which would be needed.

Then I replayed CloudFormation stack creation, and I still missed some permissions, but most were already covered by the policy I created.

I hope my answer helps you.