Minimal IAM permissions for AWS CDK deployments

source link: https://alexanderzeitler.com/articles/minimal-iam-permission-for-aws-cdk-deployment/

Alexander Zeitler

Published on Wednesday, September 30, 2020

AWS CDK uses AWS CloudFormation to deploy stacks in AWS: cdk deploy synthesizes a CloudFormation template and hands it to the CloudFormation API.

In addition, AWS CDK uploads the file assets of a deployment (for example Lambda code bundles) to an S3 bucket created by cdk bootstrap and named cdktoolkit-stagingbucket-*. (That name comes from the original bootstrap stack; the newer bootstrap template names the bucket cdk-<qualifier>-assets-<account>-<region> and creates dedicated deployment roles, so adjust the resource ARN accordingly if you use it.)

This is the IAM policy I am assigning to an AWS IAM group whose members should be able to deploy resources via AWS CDK. Depending on the resources your stacks create, you will need further IAM permissions: unless a stack is given a CloudFormation service role, CloudFormation creates, updates and deletes resources with the credentials of the caller, so the group also needs the permissions for every resource type its templates contain.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudformation:*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::cdktoolkit-stagingbucket-*",
      "Effect": "Allow"
    }
  ]
}

The policy gives full access to CloudFormation and to all S3 buckets whose names start with cdktoolkit-stagingbucket-. Note that cloudformation:* on Resource "*" also lets the group update or delete stacks it did not create; if that matters, restrict the Resource of the first statement to the ARNs of the stacks the group owns.

Another option is to additionally grant every action on every resource, but only when the call is made by CloudFormation on the caller's behalf. The aws:CalledVia condition key is a list of the AWS services that made a call using the caller's credentials; with ForAnyValue:StringEquals the statement matches when cloudformation.amazonaws.com appears anywhere in that list and never matches a direct API call from the CDK CLI or the console:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudformation:*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": [
            "cloudformation.amazonaws.com"
          ]
        }
      },
      "Action": "*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::cdktoolkit-stagingbucket-*",
      "Effect": "Allow"
    }
  ]
}

Handle with care: the condition only stops the group from calling those APIs directly. Anyone who can run cdk deploy can put arbitrary resources (IAM roles and policies included) into a template, and CloudFormation will create them with these permissions, so the second policy is effectively administrator access for every member of the group. A CloudFormation service role with a scoped policy, passed via iam:PassRole, keeps that power out of the deployer's own credentials.
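To see what the two policies above actually permit without touching an AWS account, the following script is an added example (not code from the article, and not AWS code): a simplified, offline IAM policy evaluator that models only the constructs those policies use (Allow and Deny, "*" and "?" wildcards in Action and Resource, StringEquals with the ForAnyValue and ForAllValues set operators). The account ID, region, stack, bucket and role ARNs in it are constructed for the demonstration. It shows that iam:CreateRole is denied by the first policy in every case and is allowed by the second policy only when the request context carries aws:CalledVia containing cloudformation.amazonaws.com; it also lists the statements with Resource "*" that deserve a second look. For an authoritative answer use the IAM policy simulator; this code ignores NotAction, resource-based policies, permission boundaries and SCPs.

```python
# Added example, not code from the article or from AWS: a simplified offline evaluator
# for the two policies above (copied verbatim). Use the IAM policy simulator for real.
import json
import re
from typing import Any, Dict, List, Optional

POLICY_BASIC = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["cloudformation:*"], "Resource": "*", "Effect": "Allow"},
    {"Action": "s3:*", "Resource": "arn:aws:s3:::cdktoolkit-stagingbucket-*", "Effect": "Allow"}
  ]
}""")
POLICY_CALLED_VIA = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["cloudformation:*"], "Resource": "*", "Effect": "Allow"},
    {"Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": ["cloudformation.amazonaws.com"]}},
     "Action": "*", "Resource": "*", "Effect": "Allow"},
    {"Action": "s3:*", "Resource": "arn:aws:s3:::cdktoolkit-stagingbucket-*", "Effect": "Allow"}
  ]
}""")

# Constructed sample ARNs and request context; account id, region and names are made up.
STACK_ARN = "arn:aws:cloudformation:eu-central-1:123456789012:stack/MyStack/1a2b3c4d"
STAGING_OBJECT = "arn:aws:s3:::cdktoolkit-stagingbucket-1a2b3c4d/assets/app.zip"
OTHER_BUCKET_OBJECT = "arn:aws:s3:::some-other-bucket/secret.txt"
ROLE_ARN = "arn:aws:iam::123456789012:role/MyLambdaRole"
VIA_CLOUDFORMATION = {"aws:CalledVia": ["cloudformation.amazonaws.com"]}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _wild(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style wildcard match: '*' is any run of characters (including '/'), '?' one char."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_passes(condition: Dict[str, Any], context: Dict[str, Any]) -> bool:
    """Every operator block and every key inside it must pass (conditions are ANDed)."""
    for operator, pairs in condition.items():
        set_op, _, base_op = operator.rpartition(":")  # "ForAnyValue:StringEquals" -> both parts
        if base_op != "StringEquals":
            raise ValueError(f"condition operator {operator!r} is not modelled here")
        for key, wanted in pairs.items():
            wanted_values = {str(w) for w in _as_list(wanted)}
            if key not in context:
                if set_op == "ForAllValues":
                    continue  # vacuously true when the key is absent from the request
                return False  # ForAnyValue and plain operators fail on a missing key
            hits = [str(a) in wanted_values for a in _as_list(context[key])]
            if set_op == "ForAllValues":
                ok = all(hits)
            elif set_op == "ForAnyValue":
                ok = any(hits)
            else:
                ok = len(hits) == 1 and hits[0]  # plain operators expect a single-valued key
            if not ok:
                return False
    return True


def is_allowed(policy: Dict[str, Any], action: str, resource: str,
               context: Optional[Dict[str, Any]] = None) -> bool:
    """Explicit Deny wins; otherwise any matching Allow grants; otherwise implicit deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_wild(p, action, ignore_case=True) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(_wild(p, resource) for p in _as_list(stmt.get("Resource", []))):
            continue
        if not _condition_passes(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def star_resource_grants(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Allow statements with Resource "*": the ones to read twice before shipping."""
    return [
        {"index": i, "actions": _as_list(s.get("Action", [])), "conditioned": "Condition" in s}
        for i, s in enumerate(policy["Statement"])
        if s["Effect"] == "Allow" and "*" in _as_list(s.get("Resource", []))
    ]


if __name__ == "__main__":
    for name, policy in (("basic", POLICY_BASIC), ("called-via", POLICY_CALLED_VIA)):
        direct = is_allowed(policy, "iam:CreateRole", ROLE_ARN)
        via = is_allowed(policy, "iam:CreateRole", ROLE_ARN, VIA_CLOUDFORMATION)
        print(f"{name}: iam:CreateRole direct={direct}, via CloudFormation={via}, "
              f"Resource-* grants={star_resource_grants(policy)}")
```

Running the script prints one line per policy; the interesting row is "called-via", where iam:CreateRole flips from denied to allowed solely because the request context says CloudFormation made the call. Because aws:CalledVia is a list of every service in the chain, the same statement also matches when CloudFormation is itself invoked by another service such as CodePipeline.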
