{
  "Statement": [
    {
      "Action": [
        "apigateway:*",
        "cloudformation:CancelUpdateStack",
        "cloudformation:ContinueUpdateRollback",
        "cloudformation:CreateChangeSet",
        "cloudformation:CreateStack",
        "cloudformation:CreateUploadBucket",
        "cloudformation:DeleteStack",
        "cloudformation:Describe*",
        "cloudformation:EstimateTemplateCost",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudformation:UpdateStack",
        "cloudformation:UpdateTerminationProtection",
        "cloudformation:ValidateTemplate",
        "dynamodb:CreateTable",
        "dynamodb:DeleteTable",
        "dynamodb:DescribeTable",
        "dynamodb:DescribeTimeToLive",
        "dynamodb:UpdateTimeToLive",
        "ec2:AttachInternetGateway",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateInternetGateway",
        "ec2:CreateNetworkAcl",
        "ec2:CreateNetworkAclEntry",
        "ec2:CreateRouteTable",
        "ec2:CreateSecurityGroup",
        "ec2:CreateSubnet",
        "ec2:CreateTags",
        "ec2:CreateVpc",
        "ec2:DeleteInternetGateway",
        "ec2:DeleteNetworkAcl",
        "ec2:DeleteNetworkAclEntry",
        "ec2:DeleteRouteTable",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteSubnet",
        "ec2:DeleteVpc",
        "ec2:Describe*",
        "ec2:DetachInternetGateway",
        "ec2:ModifyVpcAttribute",
        "events:DeleteRule",
        "events:DescribeRule",
        "events:ListRuleNamesByTarget",
        "events:ListRules",
        "events:ListTargetsByRule",
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets",
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetRole",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iot:CreateTopicRule",
        "iot:DeleteTopicRule",
        "iot:DisableTopicRule",
        "iot:EnableTopicRule",
        "iot:ReplaceTopicRule",
        "kinesis:CreateStream",
        "kinesis:DeleteStream",
        "kinesis:DescribeStream",
        "lambda:*",
        "logs:CreateLogGroup",
        "logs:DeleteLogGroup",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:FilterLogEvents",
        "logs:GetLogEvents",
        "logs:PutSubscriptionFilter",
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:DeleteBucketPolicy",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:PutBucketNotification",
        "s3:PutBucketPolicy",
        "s3:PutBucketTagging",
        "s3:PutBucketWebsite",
        "s3:PutEncryptionConfiguration",
        "s3:PutObject",
        "sns:CreateTopic",
        "sns:DeleteTopic",
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:SetSubscriptionAttributes",
        "sns:SetTopicAttributes",
        "sns:Subscribe",
        "sns:Unsubscribe",
        "states:CreateStateMachine",
        "states:DeleteStateMachine"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}
Yup, same thing happened to me.
I had issues using s3 sync w/ this policy; I enabled all s3 actions & resources as a quick fix. Anyone else have this problem?
I had to add "dynamodb:DescribeTimeToLive" and "dynamodb:UpdateTimeToLive" to allow the creation of a table with TTL settings.
I also needed:
Thanks everyone for chiming in! We just updated the gist accordingly.
For next update, this popped up for me
Thanks @CGeorges
Thanks for this list! Because I use a custom S3 deployment bucket, I also had to add an extra statement object to the list, with the
As @CGeorges commented above, if changing the name of a method, e.g. someMethod to some_method, you get: Suggest add:
SQS may be preferable (or additional) to SNS as per this example (not affiliated): So suggest add: and some subset of:
wtf is the difference between this and "AWS full access"?
This is more like the maximum credential set since it requests everything Serverless might use to set up a lambda function. We can remove SNS if we don't use it, or kinesis, or iot, etc. Only cloudformation, iam, lambda, logs, and s3 are minimum requirements.
Since the title says "minimum", can this be re-edited down to an absolute minimum required to do a deployment of a simple function with no dependencies? "Oops! A bug in serverless just deleted your production VPC" - Err, no thanks!
{
  "Statement": [
    {
      "Action": [
        "cloudformation:CancelUpdateStack",
        "cloudformation:ContinueUpdateRollback",
        "cloudformation:CreateChangeSet",
        "cloudformation:CreateStack",
        "cloudformation:CreateUploadBucket",
        "cloudformation:DeleteStack",
        "cloudformation:Describe*",
        "cloudformation:EstimateTemplateCost",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudformation:UpdateStack",
        "cloudformation:UpdateTerminationProtection",
        "cloudformation:ValidateTemplate",
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetRole",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "lambda:*",
        "logs:CreateLogGroup",
        "logs:DeleteLogGroup",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:FilterLogEvents",
        "logs:GetLogEvents",
        "logs:PutSubscriptionFilter",
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:DeleteBucketPolicy",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:PutBucketNotification",
        "s3:PutBucketPolicy",
        "s3:PutBucketTagging",
        "s3:PutBucketWebsite",
        "s3:PutEncryptionConfiguration",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}

As @carlin-q-scott says, the above actions are sufficient to deploy the simple helloWorld from the docs. However, if you want to actually attach an HTTP endpoint, you will also need
AWS limits the policy size by default to 2048 characters, and the policy in the gist exceeds that many characters. It is giving error:
I got this error: Maximum policy size of 2048 bytes exceeded for user serverless-servicename-agent. It was fixed by removing spaces from the JSON file.
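Two points in this thread lend themselves to a small script: the comment that the gist is really a maximum set from which unused services (SNS, Kinesis, IoT, ...) can be dropped, and the two comments about the 2048-byte policy size limit being fixed by removing whitespace. The following Python is an added example, not code from the gist or from the Serverless project. It assumes only the standard library; SAMPLE_POLICY is a constructed, shortened copy of the gist's policy shape so the script runs offline, and POLICY_SIZE_LIMIT is the 2048-byte figure quoted in the thread. It trims a policy down to a chosen set of service prefixes, emits the compact encoding, checks it against the limit, and lists the wildcard actions that still sit on Resource "*" so they can be reviewed first.

```python
import json

# Constructed sample (not the full gist): same shape as the policy above,
# shortened so the example runs offline. Load the real document in practice.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "apigateway:*",
                "cloudformation:CreateStack",
                "cloudformation:Describe*",
                "iam:CreateRole",
                "iam:PassRole",
                "lambda:*",
                "logs:CreateLogGroup",
                "s3:PutObject",
                "sns:CreateTopic",
                "kinesis:CreateStream",
                "iot:CreateTopicRule",
            ],
        }
    ],
}

# Size limit reported in the thread ("Maximum policy size of 2048 bytes exceeded").
POLICY_SIZE_LIMIT = 2048

# Services the thread calls the minimum for a plain Lambda deployment.
CORE_SERVICES = ["cloudformation", "iam", "lambda", "logs", "s3"]


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trim_policy(policy, keep_services):
    """Copy of policy keeping only actions whose service prefix is in keep_services.

    Statements left with no actions are dropped entirely.
    """
    keep = {s.lower() for s in keep_services}
    trimmed = {k: v for k, v in policy.items() if k != "Statement"}
    statements = []
    for stmt in policy["Statement"]:
        actions = [a for a in _as_list(stmt.get("Action", []))
                   if a.split(":", 1)[0].lower() in keep]
        if actions:
            new_stmt = dict(stmt)
            new_stmt["Action"] = actions
            statements.append(new_stmt)
    trimmed["Statement"] = statements
    return trimmed


def minify(policy):
    """Serialise with no whitespace, the fix the thread reports for the size error."""
    return json.dumps(policy, separators=(",", ":"), sort_keys=True)


def encoded_size(policy, compact=True):
    """Byte length of the JSON encoding, compact or indented."""
    text = minify(policy) if compact else json.dumps(policy, indent=2)
    return len(text.encode("utf-8"))


def fits_limit(policy, limit=POLICY_SIZE_LIMIT):
    """True if the compact encoding is within the byte limit."""
    return encoded_size(policy) <= limit


def wildcard_actions(policy):
    """Actions containing '*' in Allow statements that also allow Resource '*'.

    These are the broadest grants in the document and the first to review.
    """
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        found.extend(a for a in _as_list(stmt.get("Action", [])) if "*" in a)
    return found


if __name__ == "__main__":
    core = trim_policy(SAMPLE_POLICY, CORE_SERVICES)
    print("indented bytes:", encoded_size(core, compact=False),
          "compact bytes:", encoded_size(core),
          "fits limit:", fits_limit(core))
    print("wildcard actions on Resource '*':", wildcard_actions(core))
    print(minify(core))
```

Run it against the gist's full policy by replacing SAMPLE_POLICY with the loaded document; the compact string it prints is what to paste into the console when the indented form trips the size limit, and the wildcard list is the set of grants to narrow before calling the result a minimum.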
I also needed
The
"cloudformation:PreviewStackUpdate"
is an unrecognized action on AWS. Maybe you could consider removing it? And when I set a custom domain according to this article https://serverless.com/blog/serverless-api-gateway-domain/, I found this policy list lacks some policies for ACM and Route53; maybe you could consider adding some of these.