Please document required IAM permissions for `up` command

realestate-com-au / stackup

a simple CLI and Ruby API for AWS CloudFormation

MIT License

97 stars 34 forks source link

Please document required IAM permissions for `up` command #50

Closed benhutchison closed 6 years ago

benhutchison commented 6 years ago

I'm porting a build onto stackup and are discovering one by one the IAM permissions that stackup's up command requires.

            "cloudformation:CreateStack",
            "cloudformation:UpdateStack",
            "cloudformation:DescribeStacks",
            "cloudformation:DescribeStackEvents",

Would be good to mention these (and any others Ive yet to discover) in the docs around credentials.

Dombo commented 6 years ago

Out of interest what approach are you using to grant the appropriate permissions required for a stack update?

Do you have a generic set of permissions that you extend per stack/logical unit?
Do you have an admin role that you let your CI assume?
Do you scope with tags & conditions?

Keen to hear a way I can manage this with a reasonable tradeoff between speed of development & principle of least privilege.