Closed tcannonfodder closed 1 year ago
Because installing a root access key feels like A Bad Idea...
Agreed. But I'm not sure I'm following you on what we are doing badly or what "installing" means here. Are you thinking the aws configure is installing AWS creds in the container shipped to prod?
Also, have you seen the full deployment guides where we advocate for (post experimenting) a least privilege user or OpenID Connect for the CI/CD pipeline? https://lamby.custominktech.com/docs/anatomy#deployment--cicd
Sorry, I just had my first cup of coffee, so I'm still booting up 😅
Sorry about the confusion here; I don't think aws configure is actually installing the credentials to production.
The process I went through was:
aws configure step
I hadn't seen that section of the documentation; maybe we should link to it & expand it, or make it its own section ("Securing your deployment process")?
Also, thank you for the work on this project! It's very interesting; and you've got a lot of work to make the bootstrapping as painless as possible 😄 (and I know I went off the beaten path a bit here 😜)
No worries. Thank you so much for trying it out. Indeed, #3-5 🤣 is not really in scope here. But such a good idea. I did that a few years ago too and it was kind of a scary pain. My AWS account is old as dirt.
Anyways, I updated this little section a little. Do you think this is helpful? https://lamby.custominktech.com/docs/quick-start#deploy-to-lambda
It is! That little signpost is perfect. 😄
Because creating a root access key feels like A Bad Idea (especially when experimenting), it would be great if the docs outlined exactly which AWS-managed are needed for the access key, so someone can make a minimally-scoped access key when trying out the project