Open ondrejmirtes opened 3 years ago
I've gone through the same process and can't agree more.
IAM is complex and IMO Serverless Framework does a poor job at pointing you in the right direction (or I'm not aware of it). They even recommend creating a user with Administrator Access in their docs.
I'm not sure what's the best practice in this field right now, but what I've done so far is generating a user with the least permissions I can come up with. And yes, this is trial & error each time.
I also know you can make CloudFormation assume a role when deploying, but that wouldn't help with your static files upload problem here.
I think the required permissions to use and deploy a construct could be documented but there would still be a missing piece in Serverless Framework.
It would be nice for Serverless Framework to have a command that looks at what would be deployed and generates the proper IAM permission document for deployment (and them sending an event so that Lift can hook into the process and add its own to the mix).
Hope that makes sense. Would love to hear thoughts on this.
Yes, yes and yes.
We've discussed it several times internally at Serverless, and it's a tough problem to solve. No tool, as far as we know, has a magic solution for this.
One idea we may want to explore is:
But, as you can guess, this is a lot of work. I'm curious what you think about that approach, or if you have anything else in mind.
For those stumbling on this discussion, feel free to add a 👍 to the issue: that helps us gauge interest and prioritize the roadmap.
Hi, I really appreciate how Lift helps me to remove some repeating work when deploying a static website, but one chore still remains - creating an AWS IAM user with the right permissions to deploy the site from my CI/CD pipeline.
What I usually do is a trial-and-error procedure of creating a user and adding more and more permissions until my deployment is successful. Is there an easier way? Is it documented?
Thank you!