Minimum credential set for Serverless Framework
{
  "Statement": [
    {
      "Action": [
        "apigateway:*",
        "cloudformation:CancelUpdateStack",
        "cloudformation:ContinueUpdateRollback",
        "cloudformation:CreateChangeSet",
        "cloudformation:CreateStack",
        "cloudformation:CreateUploadBucket",
        "cloudformation:DeleteStack",
        "cloudformation:Describe*",
        "cloudformation:EstimateTemplateCost",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudformation:UpdateStack",
        "cloudformation:UpdateTerminationProtection",
        "cloudformation:ValidateTemplate",
        "dynamodb:CreateTable",
        "dynamodb:DeleteTable",
        "dynamodb:DescribeTable",
        "dynamodb:DescribeTimeToLive",
        "dynamodb:UpdateTimeToLive",
        "ec2:AttachInternetGateway",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateInternetGateway",
        "ec2:CreateNetworkAcl",
        "ec2:CreateNetworkAclEntry",
        "ec2:CreateRouteTable",
        "ec2:CreateSecurityGroup",
        "ec2:CreateSubnet",
        "ec2:CreateTags",
        "ec2:CreateVpc",
        "ec2:DeleteInternetGateway",
        "ec2:DeleteNetworkAcl",
        "ec2:DeleteNetworkAclEntry",
        "ec2:DeleteRouteTable",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteSubnet",
        "ec2:DeleteVpc",
        "ec2:Describe*",
        "ec2:DetachInternetGateway",
        "ec2:ModifyVpcAttribute",
        "events:DeleteRule",
        "events:DescribeRule",
        "events:ListRuleNamesByTarget",
        "events:ListRules",
        "events:ListTargetsByRule",
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets",
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetRole",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iot:CreateTopicRule",
        "iot:DeleteTopicRule",
        "iot:DisableTopicRule",
        "iot:EnableTopicRule",
        "iot:ReplaceTopicRule",
        "kinesis:CreateStream",
        "kinesis:DeleteStream",
        "kinesis:DescribeStream",
        "lambda:*",
        "logs:CreateLogGroup",
        "logs:DeleteLogGroup",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:FilterLogEvents",
        "logs:GetLogEvents",
        "logs:PutSubscriptionFilter",
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:DeleteBucketPolicy",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:PutBucketNotification",
        "s3:PutBucketPolicy",
        "s3:PutBucketTagging",
        "s3:PutBucketWebsite",
        "s3:PutEncryptionConfiguration",
        "s3:PutObject",
        "sns:CreateTopic",
        "sns:DeleteTopic",
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:SetSubscriptionAttributes",
        "sns:SetTopicAttributes",
        "sns:Subscribe",
        "sns:Unsubscribe",
        "states:CreateStateMachine",
        "states:DeleteStateMachine"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}
@yujiangshui yujiangshui commented Apr 3, 2019

The "cloudformation:PreviewStackUpdate" is an unrecognized action on AWS. Maybe you could consider removing it?


And when I set a custom domain according to this article https://serverless.com/blog/serverless-api-gateway-domain/, I found this policy list lacks some policies for ACM and Route53; maybe you could consider adding some of these.

@jgwinner jgwinner commented May 19, 2019

Yup, same thing happened to me.

    == John ==
@nussetorten nussetorten commented May 26, 2019

I had issues using s3 sync w/ this policy; I enabled all s3 actions & resources as a quick fix. Anyone else have this problem?

@ctranstrum ctranstrum commented Jun 14, 2019

I had to add "dynamodb:DescribeTimeToLive" and "dynamodb:UpdateTimeToLive" to allow the creation of a table with TTL settings.

@CGeorges CGeorges commented Jul 14, 2019

I also needed:
"logs:PutSubscriptionFilter",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy"

@ServerlessBot ServerlessBot (Owner, Author) commented Jul 15, 2019

Thanks everyone for chiming in! We just updated the gist accordingly. 👍

@CGeorges CGeorges commented Jul 15, 2019

For next update, this popped up for me
"logs:DeleteSubscriptionFilter"

@ktkaushik ktkaushik commented Aug 4, 2019

Thanks @CGeorges

@danillouz danillouz commented Sep 17, 2019

Thanks for this list!

Because I use a custom S3 deployment bucket, I also had to add an extra statement object to the list, with the s3:GetBucketLocation action, for deployments to succeed:

{
  "Action": [
    "s3:GetBucketLocation"
  ],
  "Effect": "Allow",
  "Resource": "arn:aws:s3:::MY_DEPLOYMENTS_BUCKET_NAME"
}
@wordtracker wordtracker commented Nov 7, 2019

As @CGeorges commented above, if changing name of method e.g. someMethod to some_method you get:
AWSCloudFormation is not authorized to perform: logs:DeleteSubscriptionFilter on resource someMethod

Suggest add:
"logs:DeleteSubscriptionFilter"

@wordtracker wordtracker commented Nov 7, 2019

SQS may be preferable (or additional) to SNS as per this example (not affiliated):
https://medium.com/hackernoon/how-to-setup-aws-lambda-with-sqs-everything-you-should-know-12263d8aa91e

So suggest add:
"iam:ListAttachedRolePolicies"

and some subset of:
"sqs:*"

@gotexis gotexis commented Nov 19, 2019

wtf is the difference between this and "AWS full access"?

@carlin-q-scott carlin-q-scott commented Jan 8, 2020

This is more like the maximum credential set since it requests everything Serverless might use to set up a lambda function. We can remove SNS if we don't use it, or kinesis, or iot, etc.

Only cloudformation, iam, lambda, logs, and s3 are minimum requirements.
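One way to act on that advice mechanically, as an added example that is not part of the gist or of the Serverless Framework: keep the five core services and add only the prefixes that the function events and raw CloudFormation resources in a serverless.yml actually reference. The script takes the YAML already parsed into a dict (a constructed sample is embedded), and the event-type to IAM-prefix mapping is an assumption to check against any plugins you use.

```python
"""Trim the gist's action list to the AWS services a serverless.yml uses.

Added example, not from the gist. Input is serverless.yml parsed into a dict
(e.g. by yaml.safe_load); a constructed sample is embedded below.
"""

# Representative subset of the gist's actions (constructed for the example).
GIST_ACTIONS = [
    "apigateway:*",
    "cloudformation:CreateStack", "cloudformation:DeleteStack",
    "dynamodb:CreateTable", "dynamodb:DeleteTable",
    "ec2:CreateVpc", "ec2:DeleteVpc",
    "events:PutRule", "events:DeleteRule",
    "iam:CreateRole", "iam:PassRole",
    "iot:CreateTopicRule",
    "kinesis:CreateStream",
    "lambda:*",
    "logs:CreateLogGroup", "logs:DeleteLogGroup",
    "s3:CreateBucket", "s3:PutObject",
    "sns:CreateTopic", "sns:Subscribe",
    "states:CreateStateMachine",
]

# Services every deploy touches, per @carlin-q-scott's comment above.
CORE = {"cloudformation", "iam", "lambda", "logs", "s3"}

# Function event type -> IAM service prefix(es) the deployer needs.
# Assumed mapping for the example; extend it for plugin-provided event types.
EVENT_PREFIXES = {
    "http": {"apigateway"}, "httpApi": {"apigateway"},
    "sns": {"sns"}, "sqs": {"sqs"}, "iot": {"iot"},
    "schedule": {"events"}, "eventBridge": {"events"}, "cloudwatchEvent": {"events"},
    "s3": {"s3"}, "cloudwatchLog": {"logs"},
}

# CloudFormation types whose IAM prefix is not just the lowercased middle
# segment: AWS::StepFunctions::StateMachine is governed by "states:".
CFN_PREFIX_OVERRIDES = {"StepFunctions": "states"}


def stream_prefix(event):
    """A 'stream' event is Kinesis or DynamoDB; decide from its type or ARN."""
    if isinstance(event, dict):
        if "type" in event:
            return event["type"]
        event = event.get("arn", "")
    return "kinesis" if ":kinesis:" in str(event) else "dynamodb"


def services_used(config):
    """Collect the IAM service prefixes a parsed serverless.yml requires."""
    needed = set(CORE)
    for fn in config.get("functions", {}).values():
        for ev in fn.get("events", []):
            for kind, spec in ev.items():
                if kind == "stream":
                    needed.add(stream_prefix(spec))
                else:
                    needed |= EVENT_PREFIXES.get(kind, set())
    for res in config.get("resources", {}).get("Resources", {}).values():
        parts = res["Type"].split("::")
        if len(parts) == 3 and parts[0] == "AWS":  # skip Custom:: resources
            needed.add(CFN_PREFIX_OVERRIDES.get(parts[1], parts[1].lower()))
    return needed


def trim_actions(actions, needed):
    """Keep only actions whose service prefix is in `needed`."""
    return [a for a in actions if a.split(":", 1)[0] in needed]


def trimmed_policy(actions, config):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Resource": "*",
                           "Action": trim_actions(actions, services_used(config))}]}


# Constructed sample: one HTTP-triggered function, one DynamoDB-stream
# consumer, and the table itself declared under resources.
SAMPLE_CONFIG = {
    "service": "orders",
    "provider": {"name": "aws", "runtime": "python3.9"},
    "functions": {
        "api": {"handler": "handler.api",
                "events": [{"http": {"path": "/", "method": "get"}}]},
        "worker": {"handler": "handler.worker",
                   "events": [{"stream": {"type": "dynamodb",
                                          "arn": {"Fn::GetAtt": ["OrdersTable", "StreamArn"]}}}]},
    },
    "resources": {"Resources": {"OrdersTable": {"Type": "AWS::DynamoDB::Table", "Properties": {}}}},
}

if __name__ == "__main__":
    import json
    print(json.dumps(trimmed_policy(GIST_ACTIONS, SAMPLE_CONFIG), indent=2))
```

For the sample config the result keeps apigateway, cloudformation, dynamodb, iam, lambda, logs and s3 actions and drops sns, kinesis, iot, events, ec2 and states. Re-run it whenever serverless.yml changes; a new event type that is missing from the mapping silently grants nothing, which shows up as an AccessDenied at deploy time rather than as excess permission.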

@gargoyle gargoyle commented Mar 9, 2020

Since the title says "minimum", can this be re-edited down to an absolute minimum required to do a deployment of a simple function with no dependencies?

"Oops! A bug in serverless just deleted your production VPC" - Err, no thanks!

@ChristianUlbrich ChristianUlbrich commented Mar 27, 2020

{
    "Statement": [
        {
            "Action": [
                "cloudformation:CancelUpdateStack",
                "cloudformation:ContinueUpdateRollback",
                "cloudformation:CreateChangeSet",
                "cloudformation:CreateStack",
                "cloudformation:CreateUploadBucket",
                "cloudformation:DeleteStack",
                "cloudformation:Describe*",
                "cloudformation:EstimateTemplateCost",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:Get*",
                "cloudformation:List*",
                "cloudformation:UpdateStack",
                "cloudformation:UpdateTerminationProtection",
                "cloudformation:ValidateTemplate",
                "iam:AttachRolePolicy",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetRole",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "lambda:*",
                "logs:CreateLogGroup",
                "logs:DeleteLogGroup",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:FilterLogEvents",
                "logs:GetLogEvents",
                "logs:PutSubscriptionFilter",
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:DeleteBucketPolicy",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:PutBucketNotification",
                "s3:PutBucketPolicy",
                "s3:PutBucketTagging",
                "s3:PutBucketWebsite",
                "s3:PutEncryptionConfiguration",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}

As @carlin-q-scott says the above actions are sufficient to deploy the simple helloWorld from the docs. However if you want to actually attach a HTTP endpoint, you will also need "apigateway:*". I'd bet one would restrict access to certain resources though for more security...

@divick divick commented Jul 10, 2020

AWS limits the policy size by default to 2048 characters, and the policy in the gist exceeds that many characters. It is giving the error:

Maximum policy size of 2048 bytes exceeded for user serverless-servicename-agent

@wfraher wfraher commented Aug 21, 2020

I got this error:

Maximum policy size of 2048 bytes exceeded for user serverless-servicename-agent

It was fixed by removing spaces from the JSON file.
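The two reports above are about the same limit, so here is an added example (not from the gist) that measures a policy in the compact form that should actually be attached and, when even that is too large, splits it into several single-statement policies that each fit. The 2048-byte figure is the one quoted in the error message in this thread; whether your account may attach the resulting pieces separately (for instance as customer managed policies) depends on IAM quotas this script does not check.

```python
"""Measure an IAM policy against a size limit and split it when it does not fit.

Added example, not from the gist. Sizes are taken on the compact JSON encoding
(no whitespace); the constructed SAMPLE_POLICY below is a subset of the gist.
"""
import json

INLINE_USER_LIMIT = 2048  # figure from the error message quoted in the thread


def compact(policy):
    """Compact, key-sorted encoding: the form that should actually be attached."""
    return json.dumps(policy, separators=(",", ":"), sort_keys=True)


def pretty_size(policy):
    """Size of the human-readable form, for comparison only."""
    return len(json.dumps(policy, indent=4).encode("utf-8"))


def policy_size(policy):
    return len(compact(policy).encode("utf-8"))


def fits(policy, limit=INLINE_USER_LIMIT):
    return policy_size(policy) <= limit


def split_policy(policy, limit=INLINE_USER_LIMIT):
    """Split a single-statement policy into greedy chunks that each fit `limit`.

    Actions are sorted first so one service's actions stay adjacent, and
    Effect/Resource/Condition are copied into every chunk unchanged.
    """
    (stmt,) = policy["Statement"]  # the gist's shape: one Allow statement
    base = {k: v for k, v in stmt.items() if k != "Action"}

    def wrap(actions):
        return {"Version": policy["Version"],
                "Statement": [dict(base, Action=list(actions))]}

    chunks, current = [], []
    for action in sorted(stmt["Action"]):
        if current and not fits(wrap(current + [action]), limit):
            chunks.append(wrap(current))
            current = []
        current.append(action)
    if current:
        chunks.append(wrap(current))
    for chunk in chunks:  # a single action can still be too big for a tiny limit
        if not fits(chunk, limit):
            raise ValueError(f"{chunk['Statement'][0]['Action']} alone exceeds {limit} bytes")
    return chunks


# Constructed sample: a subset of the gist's actions.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Resource": "*",
        "Action": [
            "apigateway:*",
            "cloudformation:CreateStack", "cloudformation:UpdateStack",
            "cloudformation:DeleteStack", "cloudformation:Describe*",
            "iam:CreateRole", "iam:DeleteRole", "iam:PassRole", "iam:PutRolePolicy",
            "lambda:*",
            "logs:CreateLogGroup", "logs:DeleteLogGroup", "logs:PutSubscriptionFilter",
            "s3:CreateBucket", "s3:DeleteBucket", "s3:GetObject", "s3:PutObject",
            "sns:CreateTopic", "sns:Subscribe",
        ],
    }],
}

if __name__ == "__main__":
    print(f"pretty: {pretty_size(SAMPLE_POLICY)} bytes, "
          f"compact: {policy_size(SAMPLE_POLICY)} bytes")
    for part in split_policy(SAMPLE_POLICY, limit=400):  # small limit to force a split
        print(policy_size(part), compact(part))
```

Check the compact size first; for the full gist it is usually enough, which is what the comment above observed. Splitting changes nothing about what is granted, so it is a workaround for the size limit, not a substitute for trimming actions you do not use.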

@qbiqing qbiqing commented Dec 17, 2020

I also needed "logs:DeleteSubscriptionFilter" to run sls remove

@joshuaquek joshuaquek commented Feb 4, 2021

So far I am using this tool to help me generate policies for my serverless projects:

https://open-sl.github.io/serverless-permission-generator/

@troggy troggy commented Feb 25, 2021

How could the policy on "Resource": "*" be minimal? It is not. For instance, if you host other resources in the same AWS account's S3 (e.g. a website), this policy will allow doing anything with it, including uploading a backdoor or deleting your website altogether.

While it is very dangerous to use this policy in production, it is a good start. But it is not minimal and should be trimmed to your account situation. The title is absolutely misleading.
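The trimming the comment above asks for is mostly a matter of replacing "Resource": "*" with the ARNs of the one stack a service owns. The script below is an added example, not part of the gist or of the Serverless Framework: it assumes the framework's default names (stack "<service>-<stage>", functions "<service>-<stage>-*", log groups "/aws/lambda/<service>-<stage>-*", execution role "<service>-<stage>-<region>-lambdaRole", deployment bucket "<service>-<stage>-serverlessdeploymentbuck-<suffix>"), and the list of actions that only evaluate against "*" is an assumption to confirm in the AWS Service Authorization Reference before relying on it.

```python
"""Replace the gist's Resource "*" with ARNs for one Serverless service/stage.

Added example, not from the gist. Names follow the framework's defaults as
assumed in the lead-in; verify them against what your deploy creates.
"""
import fnmatch

# Subset of the gist's actions (constructed for the example).
GIST_ACTIONS = [
    "cloudformation:CreateStack", "cloudformation:UpdateStack",
    "cloudformation:DeleteStack", "cloudformation:Describe*",
    "cloudformation:List*", "cloudformation:ValidateTemplate",
    "iam:CreateRole", "iam:DeleteRole", "iam:GetRole",
    "iam:PutRolePolicy", "iam:DeleteRolePolicy", "iam:PassRole",
    "lambda:*",
    "logs:CreateLogGroup", "logs:DeleteLogGroup", "logs:DescribeLogGroups",
    "logs:PutSubscriptionFilter", "logs:DeleteSubscriptionFilter",
    "s3:CreateBucket", "s3:DeleteBucket", "s3:ListAllMyBuckets",
    "s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
]

# Actions that are not evaluated against a specific resource and therefore
# only work with Resource "*". Assumed list for the example; confirm each
# entry in the Service Authorization Reference.
ACCOUNT_WIDE = {
    "cloudformation:ListStacks", "cloudformation:ValidateTemplate",
    "cloudformation:EstimateTemplateCost", "cloudformation:CreateUploadBucket",
    "lambda:ListFunctions", "lambda:GetAccountSettings",
    "lambda:ListEventSourceMappings", "logs:DescribeLogGroups",
    "s3:ListAllMyBuckets",
}


def arn_templates(service, stage, region, account):
    """Per-service resource ARNs for one stack (assumed default naming)."""
    name = f"{service}-{stage}"
    bucket = f"arn:aws:s3:::{name}-serverlessdeploymentbuck-*"
    return {
        "cloudformation": [f"arn:aws:cloudformation:{region}:{account}:stack/{name}/*"],
        "lambda": [f"arn:aws:lambda:{region}:{account}:function:{name}-*"],
        "logs": [f"arn:aws:logs:{region}:{account}:log-group:/aws/lambda/{name}-*:*"],
        # iam:PassRole is the escalation path: pin it to the one execution role.
        "iam": [f"arn:aws:iam::{account}:role/{name}-{region}-lambdaRole"],
        "s3": [bucket, bucket + "/*"],
    }


def scope_policy(actions, service, stage, region, account, account_wide=ACCOUNT_WIDE):
    templates = arn_templates(service, stage, region, account)
    scoped = {}   # tuple of resource ARNs -> actions
    wide = set()  # what must stay on "*", kept in one visible statement
    for action in actions:
        prefix = action.split(":", 1)[0]
        if action in account_wide or prefix not in templates:
            wide.add(action)
            continue
        scoped.setdefault(tuple(templates[prefix]), []).append(action)
        # A wildcard such as lambda:* also covers list calls that only
        # evaluate against "*"; re-grant exactly those, not the wildcard.
        wide.update(a for a in account_wide if fnmatch.fnmatchcase(a, action))
    statements = [{"Effect": "Allow", "Action": sorted(acts), "Resource": list(res)}
                  for res, acts in scoped.items()]
    if wide:
        statements.append({"Effect": "Allow", "Action": sorted(wide), "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def resources_for(policy, action):
    """All resources the policy grants for an exact action name."""
    out = []
    for stmt in policy["Statement"]:
        if any(fnmatch.fnmatchcase(action, pat) for pat in stmt["Action"]):
            res = stmt["Resource"]
            out.extend(res if isinstance(res, list) else [res])
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(scope_policy(GIST_ACTIONS, "hello", "dev", "us-east-1",
                                  "123456789012"), indent=2))
```

Services with no template (apigateway, sns, dynamodb and the rest of the gist) are deliberately left on "*" in the final statement rather than dropped, so the remaining blast radius is listed in one place where it can be reviewed and narrowed with the same pattern. A deployer constrained this way can no longer touch a website bucket or another service's stack in the same account, which is the scenario the comment above describes.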

@tuyendq tuyendq commented Jun 28, 2021

I need to add "states:TagResource"
