aws / aws-cli

Universal Command Line Interface for Amazon Web Services

Provide Required IAM Permissions for Command in "Help" #5312

Open reskin89 opened 4 years ago

reskin89 commented 4 years ago

Is your feature request related to a problem? Please describe.
Not a blocker type problem, but in many situations, users like to limit a role or custom policy to only the required permissions for the resource invoking it. Generally the SDK's methods line up with the AWS CLI commands (which is a great thing!); however, this often leads to messing around with the permissions found in the policy permissions tables in the AWS docs (for example, many permissions to get things like EC2 instance information also require the list permission, etc.).

Describe the solution you'd like
When invoking aws RESOURCE ACTION help, it would be nice if the man page documentation had a note or section of required IAM permissions, so that it is easy to see what permissions you or your role may need to execute this.

Describe alternatives you've considered
NA

Additional context
NA

kdaily commented 4 years ago

Hi @reskin89, thanks!

That's an interesting idea. Adding some of my own research and context into this issue, you might already be aware of some of these things!

I think what you mean by:

Generally the SDK's methods line up with the AWS CLI commands

is running something like aws ec2 describe-instances means you need a policy that allows the ec2:DescribeInstances action, and these are straightforward.

Some actions have a flag parameter --dry-run that says:

Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

However, it would still be trial and error to determine the required permissions.

Others (like aws s3 sync) have a --dry-run flag that doesn't say anything about checking permissions.

Some actions (like aws kinesisanalytics add-application-output) explicitly state the permissions required. Some actions (like aws ds add-ip-routes) discuss this in the docs and then link to the API reference or user guide.

Last, higher level CLI features (like aws s3 sync) make multiple requests, and you would need permissions for each one of these - determining those ahead of time is not straightforward either.

Long story short, there are many different ways that a user might determine the permissions needed - some within existing documentation, and some not.
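The mapping kdaily describes (a CLI command such as aws ec2 describe-instances needing the ec2:DescribeInstances action, while a high-level command like aws s3 sync fans out into several API calls) can be turned into a least-privilege policy draft. This is an added example, not code from the aws-cli project; the high-level command table and the s3api prefix override are assumptions, and the casing rule only produces a draft that still has to be checked against the service's action list.

```python
"""Draft a least-privilege IAM policy from AWS CLI invocations (added example, not aws-cli code)."""
from __future__ import annotations

import json

# Assumption: high-level commands that issue several API calls, so one action
# derived from the command name would not be enough. Table is constructed.
HIGH_LEVEL_COMMANDS = {
    ("s3", "sync"): ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
    ("s3", "cp"): ["s3:GetObject", "s3:PutObject"],
}

# Assumption: CLI service names whose IAM action prefix differs from the name.
IAM_PREFIX_OVERRIDES = {"s3api": "s3"}


def cli_to_iam_actions(command: str) -> list[str]:
    """Return the IAM action(s) a single CLI invocation is expected to need.

    Options such as --dry-run and positional arguments are ignored; only the
    service and sub-command decide the action. Caveat: the kebab-case to
    PascalCase rule misses acronyms (e.g. rds describe-db-instances is really
    rds:DescribeDBInstances), so treat the result as a draft to verify.
    """
    tokens = [t for t in command.split() if not t.startswith("-")]
    if tokens and tokens[0] == "aws":
        tokens = tokens[1:]
    if len(tokens) < 2:
        raise ValueError(f"need 'aws <service> <command>', got: {command!r}")
    service, sub_command = tokens[0], tokens[1]
    if (service, sub_command) in HIGH_LEVEL_COMMANDS:
        return list(HIGH_LEVEL_COMMANDS[(service, sub_command)])
    prefix = IAM_PREFIX_OVERRIDES.get(service, service)
    action_name = "".join(part.capitalize() for part in sub_command.split("-"))
    return [f"{prefix}:{action_name}"]


def build_policy(commands: list[str], resource: str = "*") -> dict:
    """Collect the actions for several commands into one Allow statement.

    Actions are de-duplicated and sorted so the document is stable; the
    resource defaults to "*" and should be narrowed before use.
    """
    actions = sorted({a for c in commands for a in cli_to_iam_actions(c)})
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resource}],
    }


if __name__ == "__main__":
    print(json.dumps(build_policy(["aws ec2 describe-instances", "aws s3 sync . s3://example-bucket"]), indent=2))
```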

reskin89 commented 4 years ago

@kdaily while I’m aware of those other methods, there is a lack of centralized locations for this.

My SDK comment was merely that being within the aws cli would give us as devs a quick tool to check what permissions a role may require, without having to use a great deal of steps to check (such as creating a policy and another IAM user to test it locally with etc). At times the dry run methodology and just relying on errors also isn’t always clear or concise. With how granular IAM can be, there can be a decent chunk of time fiddling with roles so that you can be certain you’re providing a least privileged role to a resource or sts token.

kdaily commented 4 years ago

@reskin89,

I agree! 👍 Having a consistent, centralized way to determine the required permissions would be a useful feature. Thanks!

AaronCoquet-Easypark commented 2 years ago

Has there been any movement on this? I'm in the "trial-and-error" step right now for scheduling a Redshift Cluster resize.

srothwell01 commented 2 years ago

Has there been any movement on this? I'm in the "trial-and-error" step right now

Likewise. This seems like a gap in the public-facing documentation that would be a really useful quality of life improvement.