api3dao / airnode

Airnode monorepo
https://docs.api3.org/
MIT License
166 stars, 72 forks

Test minimum AWS permissions #2011

Closed dcroote closed 3 months ago

dcroote commented 3 months ago

While the docs provide a high-level overview of the cloud resources used in a deployment, we should define the specifics.

From @metobom: Can someone confirm if the below permissions are enough?

 s3:ListBucketsCommand
 s3:GetBucketLocationCommand
 s3:CreateBucketCommand
 s3:PutBucketEncryptionCommand

 iam:CreateRole
 iam:TagRole
 iam:GetRole
 iam:ListRolePolicies
 iam:ListAttachedRolePolicies
 iam:GetRolePolicy
 iam:PassRole
 iam:ListInstanceProfilesForRole
 iam:PutRolePolicy

 logs:CreateLogGroup
 logs:PutRetentionPolicy
 logs:DescribeLogGroups
 logs:ListTagsLogGroup

 lambda:DeleteFunction
 lambda:CreateFunction
 lambda:GetFunction
 lambda:GetFunctionCodeSigningConfig

 apigateway:POST
 events:PutRule

dcroote commented 3 months ago

The below permissions policies ultimately allowed me to deploy an Airnode from the latest master commit with a dev deployer image (741f3140384c4afb7a4b9906db7e6b1d606e06fc), complete blockchain, HTTP gateway, and HTTP signed gateway requests, and then remove the Airnode.

Note that the above s3 permissions were invalid (e.g. "Command" shouldn't be in the names), and a lot more were needed, which I discovered through repeated deployment failures, e.g.

Failed to list S3 buckets: AccessDenied: Access Denied

required "s3:ListAllMyBuckets" then

Failed to store file 'config/config.json' to S3 bucket '<redacted>': AccessDenied: Access Denied

needed "s3:GetObject" and "s3:PutObject", and on and on through the various services.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:CreateBucket",
                "s3:PutEncryptionConfiguration",
                "s3:GetObject",
                "s3:PutObject",
                "iam:CreateRole",
                "iam:TagRole",
                "iam:GetRole",
                "iam:DeleteRole",
                "iam:ListRolePolicies",
                "iam:ListAttachedRolePolicies",
                "iam:GetRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:PassRole",
                "iam:ListInstanceProfilesForRole",
                "iam:PutRolePolicy",
                "logs:CreateLogGroup",
                "logs:PutRetentionPolicy",
                "logs:DescribeLogGroups",
                "logs:ListTagsLogGroup",
                "logs:DeleteLogGroup",
                "lambda:AddPermission",
                "lambda:RemovePermission",
                "lambda:DeleteFunction",
                "lambda:CreateFunction",
                "lambda:GetFunction",
                "lambda:GetFunctionCodeSigningConfig",
                "lambda:ListVersionsByFunction",
                "lambda:GetPolicy",
                "apigateway:GET",
                "apigateway:POST",
                "apigateway:PATCH",
                "apigateway:PUT",
                "apigateway:DELETE",
                "events:PutRule",
                "events:DescribeRule",
                "events:DeleteRule",
                "events:ListTagsForResource",
                "events:ListTargetsByRule",
                "events:PutTargets",
                "events:RemoveTargets"
            ],
            "Resource": "*"
        }
    ]
}
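The two comments above give the raw material for a least-privilege review: a guessed action list whose s3 entries were SDK command class names rather than IAM actions, and the single-statement policy on `Resource: "*"` that finally worked. The script below is an added example by the editor, not code from the issue or from the Airnode repository. It embeds both lists as constructed input, flags the malformed names, diffs the guess against the working policy, separates the teardown-only actions (candidates for a second policy that is only attached when removing a deployment), and lists the actions that are risky to leave on a wildcard resource. The `ESCALATION_PRONE` set is the editor's own assumption about which of these actions most need resource scoping, not something the issue states.

```python
"""Sanity-check a candidate IAM deployer policy (added example, not project code)."""
import json
import re

# Constructed input: the action list proposed in the first comment, verbatim.
PROPOSED = """
s3:ListBucketsCommand s3:GetBucketLocationCommand s3:CreateBucketCommand
s3:PutBucketEncryptionCommand
iam:CreateRole iam:TagRole iam:GetRole iam:ListRolePolicies
iam:ListAttachedRolePolicies iam:GetRolePolicy iam:PassRole
iam:ListInstanceProfilesForRole iam:PutRolePolicy
logs:CreateLogGroup logs:PutRetentionPolicy logs:DescribeLogGroups logs:ListTagsLogGroup
lambda:DeleteFunction lambda:CreateFunction lambda:GetFunction
lambda:GetFunctionCodeSigningConfig
apigateway:POST events:PutRule
""".split()

# Constructed input: the policy from the second comment (same actions, one Allow
# statement on Resource "*"), kept as JSON text so the checks see the real shape.
WORKING_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Statement1",
        "Effect": "Allow",
        "Action": """
            s3:ListAllMyBuckets s3:ListBucket s3:GetBucketLocation s3:CreateBucket
            s3:PutEncryptionConfiguration s3:GetObject s3:PutObject
            iam:CreateRole iam:TagRole iam:GetRole iam:DeleteRole iam:ListRolePolicies
            iam:ListAttachedRolePolicies iam:GetRolePolicy iam:DeleteRolePolicy
            iam:PassRole iam:ListInstanceProfilesForRole iam:PutRolePolicy
            logs:CreateLogGroup logs:PutRetentionPolicy logs:DescribeLogGroups
            logs:ListTagsLogGroup logs:DeleteLogGroup
            lambda:AddPermission lambda:RemovePermission lambda:DeleteFunction
            lambda:CreateFunction lambda:GetFunction lambda:GetFunctionCodeSigningConfig
            lambda:ListVersionsByFunction lambda:GetPolicy
            apigateway:GET apigateway:POST apigateway:PATCH apigateway:PUT apigateway:DELETE
            events:PutRule events:DescribeRule events:DeleteRule events:ListTagsForResource
            events:ListTargetsByRule events:PutTargets events:RemoveTargets
        """.split(),
        "Resource": "*",
    }],
})

# IAM action syntax is "<service-prefix>:<ActionName>"; AWS SDK v3 class names end in "Command".
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")

# Editor's assumption, not from the issue: actions that are escalation primitives when
# unscoped. iam:PassRole hands any role to a service; with lambda:CreateFunction that is
# code execution as any passable role, and iam:CreateRole + iam:PutRolePolicy let the
# holder mint a role with broader access than the deployer itself has.
ESCALATION_PRONE = {"iam:PassRole", "iam:PutRolePolicy", "iam:CreateRole", "lambda:CreateFunction"}


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def malformed_actions(actions):
    """Actions that are not valid IAM action syntax (e.g. SDK command names)."""
    return sorted(a for a in actions if a.endswith("Command") or not ACTION_RE.match(a))


def allowed_actions(policy_json):
    """Every action granted by an Allow statement in the policy."""
    allowed = set()
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") == "Allow":
            allowed.update(_as_list(stmt["Action"]))
    return allowed


def diff_actions(proposed, policy_json):
    """(proposed but not in the working policy, in the working policy but not proposed)."""
    proposed, working = set(proposed), allowed_actions(policy_json)
    return sorted(proposed - working), sorted(working - proposed)


def teardown_actions(policy_json):
    """Actions only needed to remove a deployment: candidates for a separate policy."""
    return sorted(a for a in allowed_actions(policy_json)
                  if a.split(":", 1)[1].lower().startswith(("delete", "remove")))


def unscoped_escalation_actions(policy_json):
    """Escalation-prone actions granted on Resource "*": scope these to ARNs first."""
    found = set()
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt["Resource"]):
            found.update(ESCALATION_PRONE.intersection(_as_list(stmt["Action"])))
    return sorted(found)


if __name__ == "__main__":
    print("malformed:", malformed_actions(PROPOSED))
    dropped, added = diff_actions(PROPOSED, WORKING_POLICY_JSON)
    print(f"dropped {len(dropped)} and added {len(added)} actions during discovery")
    print("teardown-only:", teardown_actions(WORKING_POLICY_JSON))
    print("scope these first:", unscoped_escalation_actions(WORKING_POLICY_JSON))
```

Two practical notes. Discovering actions one AccessDenied at a time, as the comment describes, converges on what the deployer calls but says nothing about what it does not need; recording the deployer's API calls with CloudTrail and generating the policy from that record (IAM Access Analyzer offers this) gives the same action set in one pass and also shows which resources each call touched, which is what you need to replace `Resource: "*"` with ARNs. Until that is done, `iam:PassRole` on `*` is the line to scope first, because it makes the deployer credentials worth as much as the most privileged role in the account.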