aws / aws-sam-cli

CLI tool to build, test, debug, and deploy Serverless applications using AWS SAM
https://aws.amazon.com/serverless/sam/
Apache License 2.0

Provide IAM guidance with regards to SAM permissions required to develop/deploy Lambdas #2601

Open xirkus opened 3 years ago

xirkus commented 3 years ago

Describe your idea/feature/enhancement

Currently, it seems that SAM requires iam:CreateRole for a profile when attempting to run sam deploy --guided. It would be useful if the SAM CLI were able to query an AWS profile's capabilities to see if deployment can proceed. As a consequence of a failed deployment, the CloudFormation stack must also be manually deleted.

Proposal

There are a few things that would improve the developer experience in this regard:

  1. Provide the AWS profile being used for the sam deploy in the output.
  2. Provide a subcommand (or include it in the deployment workflow) where the AWS profile capabilities are checked prior to running the deployment.
  3. Provide a way to clean up CloudFormation resources when a deployment fails due to a permission issue.
  4. Provide guidance with regards to the required permissions to succeed on the deployment operation.

Things to consider:

  - [ ] The SAM documentation will need to be updated

Additional Details

The lack of feedback in the tool impacts the developer UX and adoptability of AWS SAM.

jfuss commented 3 years ago

Transferring to correct repo.

sriram-mv commented 3 years ago

Here is a list of SAM permissions: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-permissions.html which should be relevant.

xirkus commented 3 years ago

thanks @sriram-mv!

matthewjosephtaylor commented 2 years ago

Dealing with this exact problem right now. +1 on getting the list of permissions into the documentation.

Also, to anyone else going through the deploy->fail->add-permission->deploy->fail->... loop: one will also get a cryptic error like

Waiter StackCreateComplete failed: Waiter encountered a terminal failure state: For expression "Stacks[].StackStatus" we matched expected path: "ROLLBACK_FAILED" at least once

The trick here is to delete the stuck CloudFormation stack by hand in the web-console before trying to deploy again.

MisterGlass commented 1 year ago

+1 to this. Lack of information on what is required has forced us to be overpermissive in dangerous ways.

Edit: I had capabilities = "CAPABILITY_IAM" in my settings, which made SAM deploy require a bunch of IAM privileges even if it wasn't changing anything in IAM.
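
The two practical gaps raised in this thread (no visibility into which profile is deploying and whether it has the needed permissions, and a stack left in ROLLBACK_FAILED that has to be deleted by hand) can be wrapped around `sam deploy` with the AWS CLI. The script below is an added example, not part of aws-sam-cli or anything the commenters posted. It assumes AWS CLI v2 is installed, that the profile is allowed to call iam:SimulatePrincipalPolicy, and that `sam` is on the PATH; the action list is a constructed starter set, not the full list from the SAM permissions page, and the stack name is whatever you pass in.

```shell
#!/bin/sh
# Added example, not part of aws-sam-cli. Pre-flight and cleanup wrapper
# around `sam deploy`: prints the identity behind the profile, simulates a
# list of IAM actions against it before deploying, and deletes a stack that
# a previous failed deploy left in a terminal state.
# Assumptions: AWS CLI v2, permission to call iam:SimulatePrincipalPolicy.

# Starter list of actions to probe (constructed; extend it from the SAM
# permissions documentation, this is not the complete set SAM needs).
ACTIONS="cloudformation:CreateChangeSet cloudformation:ExecuteChangeSet \
cloudformation:DescribeStacks cloudformation:DeleteStack \
s3:PutObject iam:CreateRole iam:PassRole lambda:CreateFunction"

# Stack states from which a fresh `sam deploy` will not recover on its own.
# Prints "yes" when the stack must be deleted before deploying again.
needs_manual_cleanup() {
  case "$1" in
    ROLLBACK_FAILED|ROLLBACK_COMPLETE|CREATE_FAILED) echo yes ;;
    *) echo no ;;
  esac
}

# Reads "<action><TAB><decision>" lines on stdin (the shape produced by
# simulate-principal-policy with the --query/--output used below) and
# prints the actions whose decision is not "allowed".
denied_actions() {
  awk -F'\t' '$2 != "allowed" { print $1 }'
}

# Resolve the identity behind a profile and simulate ACTIONS against it.
# Returns non-zero if anything is denied, so the deploy is never started
# with a profile that would fail part-way through.
preflight() {
  profile="$1"
  arn=$(aws sts get-caller-identity --profile "$profile" --query Arn --output text)
  echo "Deploying as: $arn (profile: $profile)"
  # For an assumed role get-caller-identity returns an sts:: ARN; pass the
  # underlying IAM role ARN as --policy-source-arn in that case.
  denied=$(aws iam simulate-principal-policy --profile "$profile" \
      --policy-source-arn "$arn" --action-names $ACTIONS \
      --query 'EvaluationResults[].[EvalActionName,EvalDecision]' \
      --output text | denied_actions)
  if [ -n "$denied" ]; then
    echo "Profile $profile is missing permissions for:" >&2
    echo "$denied" >&2
    return 1
  fi
  echo "All probed actions are allowed."
}

# If the previous deploy left the stack in a terminal failure state, delete
# it and wait for the deletion so `sam deploy` can recreate it. If the
# delete itself fails, CloudFormation's --retain-resources is the next step.
cleanup_if_stuck() {
  profile="$1"; stack="$2"
  status=$(aws cloudformation describe-stacks --profile "$profile" \
      --stack-name "$stack" --query 'Stacks[0].StackStatus' \
      --output text 2>/dev/null) || status=MISSING
  echo "Stack $stack status: $status"
  if [ "$(needs_manual_cleanup "$status")" = yes ]; then
    echo "Deleting stuck stack $stack before redeploying"
    aws cloudformation delete-stack --profile "$profile" --stack-name "$stack"
    aws cloudformation wait stack-delete-complete --profile "$profile" --stack-name "$stack"
  fi
}

# Usage: sh sam-preflight.sh <profile> <stack-name>
# The AWS calls only run when both arguments are given, so the helper
# functions above can be sourced and exercised without credentials.
if [ "$#" -ge 2 ]; then
  preflight "$1" && cleanup_if_stuck "$1" "$2" \
    && sam deploy --profile "$1" --stack-name "$2"
fi
```

Running the simulation against the CAPABILITY_IAM-related actions (iam:CreateRole, iam:PassRole) before `sam deploy` is what turns the deploy->fail->add-permission loop into a single report of what is missing; the profile and ARN are printed first so it is obvious which credentials the report applies to.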