Question
My team has a pipeline which runs under an execution IAM role. We want to deploy code to AWS through CloudFormation or the CDK.
In the past, we would upload some artifacts to S3 buckets before creating/updating our CloudFormation stack, using the execution IAM role.
We recently switched to the CDK and are trying to automate as much as possible using cdk deploy, but we are running into a lot of permissions we need to add which we didn't have before (for instance, cloudformation:GetTemplate).
We don't want to just grant * (we want to follow least privilege), but I can't find any clearly documented list.
Is there a standard list of permissions that cdk deploy relies on? Are there any "nice-to-haves" beyond a standard list?
Answer 1:
Since I couldn't find any documentation anywhere, I had to do some trial and error to get this to work.
Apart from the permissions you need to create the actual resources you define in your stack, you need to give the following:
cloudformation:CreateChangeSet
cloudformation:DescribeChangeSet
cloudformation:ExecuteChangeSet
cloudformation:DescribeStackEvents
cloudformation:DeleteChangeSet
to the stack ARN you are creating, as well as the bootstrap stack:
arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/CDKToolkit/*
You also need S3 permissions on the bucket that the bootstrap added (otherwise you get that dreaded "Forbidden: null" error):
s3:*Object
s3:ListBucket
on
arn:aws:s3:::cdktoolkit-stagingbucket-*
Answer 2:
I tried giving full CloudFormation permissions
{
    "Sid": "VisualEditor1",
    "Effect": "Allow",
    "Action": "cloudformation:*",
    "Resource": "*"
}
but that's still not enough. This is the output of the cdk deploy command running in CodeBuild:
dev-MyStack
dev-MyStack: deploying...
❌ dev-MyStack failed: Forbidden: null
null
The only workaround I have at the moment is to give Administrator permission, which is of course not ideal.
Source: https://stackoverflow.com/questions/57118082/what-iam-permissions-are-needed-to-use-cdk-deploy
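The following is an added example (not code from the original post, the answerers, or the CDK project) that assembles the permission list from Answer 1 into one scoped IAM policy document, and pairs it with a deliberately simplified allow-check so the two policies on this page can be compared offline: Answer 1 attributes the "Forbidden: null" failure to missing S3 permissions on the bootstrap staging bucket, which the cloudformation:* policy in Answer 2 cannot supply. The account ID, region, stack name and bucket suffix are made-up placeholders, and the checker ignores Deny statements, conditions and SCPs, so it validates the document's shape rather than replacing the IAM policy simulator.

```python
"""Least-privilege IAM policy for `cdk deploy`, assembled from the permission
list in Answer 1 (added example, not code from the original post or the CDK
project). Account, region and stack name are made-up placeholders."""
import json
import re

# Constructed placeholder values; substitute your own account, region and stack.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
STACK_NAME = "dev-MyStack"

# CloudFormation actions Answer 1 found necessary beyond those for the stack's
# own resources, scoped to the target stack and the CDKToolkit bootstrap stack.
CFN_ACTIONS = [
    "cloudformation:CreateChangeSet",
    "cloudformation:DescribeChangeSet",
    "cloudformation:ExecuteChangeSet",
    "cloudformation:DescribeStackEvents",
    "cloudformation:DeleteChangeSet",
]
# Bootstrap staging bucket: "s3:*Object" expands to Get/Put/DeleteObject etc.
S3_ACTIONS = ["s3:*Object", "s3:ListBucket"]


def build_policy(account_id: str, region: str, stack_name: str) -> dict:
    """Return the IAM policy document as a dict (json.dumps it for the console)."""
    cfn_arn = f"arn:aws:cloudformation:{region}:{account_id}:stack"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CdkChangeSets",
                "Effect": "Allow",
                "Action": CFN_ACTIONS,
                "Resource": [f"{cfn_arn}/{stack_name}/*", f"{cfn_arn}/CDKToolkit/*"],
            },
            {
                "Sid": "CdkStagingBucket",
                "Effect": "Allow",
                "Action": S3_ACTIONS,
                # An IAM '*' also spans '/', so this one pattern covers both the
                # bucket ARN (ListBucket) and its object ARNs (*Object).
                "Resource": "arn:aws:s3:::cdktoolkit-stagingbucket-*",
            },
        ],
    }


# The policy tried in Answer 2: every CloudFormation action on every resource.
CFN_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"}],
}


def _iam_glob(pattern: str, value: str) -> bool:
    """IAM-style wildcard: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified check: True if some Allow statement matches the action
    (case-insensitively, as IAM does) and the resource (case-sensitively).
    Ignores Deny, conditions and SCPs, so it sanity-checks the document
    rather than replacing the IAM policy simulator."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        act_ok = any(_iam_glob(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
        res_ok = any(_iam_glob(r, resource) for r in _as_list(stmt["Resource"]))
        if act_ok and res_ok:
            return True
    return False


if __name__ == "__main__":
    policy = build_policy(ACCOUNT_ID, REGION, STACK_NAME)
    print(json.dumps(policy, indent=2))
    asset = "arn:aws:s3:::cdktoolkit-stagingbucket-1a2b3c4d/assets/app.zip"
    # Answer 2's cloudformation:* policy grants nothing on S3, which is where
    # Answer 1 says the "Forbidden: null" comes from.
    print("cfn-only policy can fetch staging asset:", is_allowed(CFN_ONLY_POLICY, "s3:GetObject", asset))
    print("scoped policy can fetch staging asset:  ", is_allowed(policy, "s3:GetObject", asset))
```

Run it to print the policy document, then paste the JSON into the execution role's inline policy. Note that the CloudFormation ARNs match any stack ID under the given stack name (the `/*` suffix), and that the permissions for the resources the stack itself creates still have to be added separately, as Answer 1 says.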