Minimum credential set for Serverless Framework

IAMCredentials.json

{
    "Statement": [
        {
            "Action": [
                "apigateway:*",
                "cloudformation:CancelUpdateStack",
                "cloudformation:ContinueUpdateRollback",
                "cloudformation:CreateChangeSet",
                "cloudformation:CreateStack",
                "cloudformation:CreateUploadBucket",
                "cloudformation:DeleteStack",
                "cloudformation:Describe*",
                "cloudformation:EstimateTemplateCost",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:Get*",
                "cloudformation:List*",
                "cloudformation:UpdateStack",
                "cloudformation:UpdateTerminationProtection",
                "cloudformation:ValidateTemplate",
                "dynamodb:CreateTable",
                "dynamodb:DeleteTable",
                "dynamodb:DescribeTable",
                "dynamodb:DescribeTimeToLive",
                "dynamodb:UpdateTimeToLive",
                "ec2:AttachInternetGateway",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateInternetGateway",
                "ec2:CreateNetworkAcl",
                "ec2:CreateNetworkAclEntry",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateVpc",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteNetworkAcl",
                "ec2:DeleteNetworkAclEntry",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteSubnet",
                "ec2:DeleteVpc",
                "ec2:Describe*",
                "ec2:DetachInternetGateway",
                "ec2:ModifyVpcAttribute",
                "events:DeleteRule",
                "events:DescribeRule",
                "events:ListRuleNamesByTarget",
                "events:ListRules",
                "events:ListTargetsByRule",
                "events:PutRule",
                "events:PutTargets",
                "events:RemoveTargets",
                "iam:AttachRolePolicy",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetRole",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iot:CreateTopicRule",
                "iot:DeleteTopicRule",
                "iot:DisableTopicRule",
                "iot:EnableTopicRule",
                "iot:ReplaceTopicRule",
                "kinesis:CreateStream",
                "kinesis:DeleteStream",
                "kinesis:DescribeStream",
                "lambda:*",
                "logs:CreateLogGroup",
                "logs:DeleteLogGroup",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:FilterLogEvents",
                "logs:GetLogEvents",
                "logs:PutSubscriptionFilter",
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:DeleteBucketPolicy",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:PutBucketNotification",
                "s3:PutBucketPolicy",
                "s3:PutBucketTagging",
                "s3:PutBucketWebsite",
                "s3:PutEncryptionConfiguration",
                "s3:PutObject",
                "sns:CreateTopic",
                "sns:DeleteTopic",
                "sns:GetSubscriptionAttributes",
                "sns:GetTopicAttributes",
                "sns:ListSubscriptions",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics",
                "sns:SetSubscriptionAttributes",
                "sns:SetTopicAttributes",
                "sns:Subscribe",
                "sns:Unsubscribe",
                "states:CreateStateMachine",
                "states:DeleteStateMachine"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}

The "cloudformation:PreviewStackUpdate" is a unrecognized action on AWS. Maybe you could consider removing it?

And when I set custom domain according to this article https://serverless.com/blog/serverless-api-gateway-domain/, I found this policy list lack some policies of ACM and Route53, maybe you could consider adding some of these.

Yup, same thing happened to me.

    == John ==

I had issues using s3 sync w/ this policy; I enabled all s3 actions & resources as a quick fix. Anyone else have this problem?

I had to add "dynamodb:DescribeTimeToLive" and "dynamodb:UpdateTimeToLive" to allow the creation of a table with TTL settings.

I also needed:
"logs:PutSubscriptionFilter"
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",

Thanks everyone for chiming in! We just updated the gist accordingly. 👍

For next update, this popped up for me
"logs:DeleteSubscriptionFilter"

Thanks @CGeorges

Thanks for this list!

Because I use a custom S3 deployment bucket, I also had to add an extra statement object to the list, with the s3:GetBucketLocation action, for deployments to succeed:

{
  "Action": [
    "s3:GetBucketLocation"
  ],
  "Effect": "Allow",
  "Resource": "arn:aws:s3:::MY_DEPLOYMENTS_BUCKET_NAME"
}

As @CGeorges commented above, if changing name of method e.g. someMethod to some_method you get:
AWSCloudFormation is not authorized to perform: logs:DeleteSubscriptionFilter on resource someMethod

Suggest add:
"logs:DeleteSubscriptionFilter"

SQS may be preferable (or additional) to SNS as per this example (not affiliated):
https://medium.com/hackernoon/how-to-setup-aws-lambda-with-sqs-everything-you-should-know-12263d8aa91e

So suggest add:
"iam:ListAttachedRolePolicies"

and some subset of:
"sqs:*"

wtf is the difference between this and "AWS full access"?

This is more like the maximum credential set since it requests everything Serverless might use to set up a lambda function. We can remove SNS if we don't use it, or kinesis, or iot, etc.

Only cloudformation, iam, lambda, logs, and s3 are minimum requirements.

Since the title says "minimum", can this be re-edited down to an absolute minimum required to do a deployment of a simple function with no dependencies?

"Oops! A bug in serverless just deleted your production VPC" - Err, no thanks!

{
    "Statement": [
        {
            "Action": [
                "cloudformation:CancelUpdateStack",
                "cloudformation:ContinueUpdateRollback",
                "cloudformation:CreateChangeSet",
                "cloudformation:CreateStack",
                "cloudformation:CreateUploadBucket",
                "cloudformation:DeleteStack",
                "cloudformation:Describe*",
                "cloudformation:EstimateTemplateCost",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:Get*",
                "cloudformation:List*",
                "cloudformation:UpdateStack",
                "cloudformation:UpdateTerminationProtection",
                "cloudformation:ValidateTemplate",
                "iam:AttachRolePolicy",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetRole",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "lambda:*",
                "logs:CreateLogGroup",
                "logs:DeleteLogGroup",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:FilterLogEvents",
                "logs:GetLogEvents",
                "logs:PutSubscriptionFilter",
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:DeleteBucketPolicy",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:PutBucketNotification",
                "s3:PutBucketPolicy",
                "s3:PutBucketTagging",
                "s3:PutBucketWebsite",
                "s3:PutEncryptionConfiguration",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}

As @carlin-q-scott says the above actions are sufficient to deploy the simple helloWorld from the docs. However if you want to actually attach a HTTP endpoint, you will also need "apigateway:*". I'd bet one would restrict access to certain resources though for more security...

AWS limits the policy size by default to 2048 characters, and the policy in the gist exceeds that many characters. It is giving error:

Maximum policy size of 2048 bytes exceeded for user serverless-servicename-agent

I got this error:

Maximum policy size of 2048 bytes exceeded for user serverless-servicename-agent

It was fixed by removing spaces from the JSON file.

I also needed "logs:DeleteSubscriptionFilter" to run sls remove

So far I am using this tool to help me generate policies for my serverless projects:

https://open-sl.github.io/serverless-permission-generator/

How the policy on "Resource": "*" could be minimal? It is not. For instance, if you host other resources on the same AWS account's S3 (e.g. website) this policy will allow to do anything with it. Including uploading a backdoor or deleting your website whatsoever.

While it is very dangerous to use this policy in production, it is a good start. But it is not minimal and should be trimmed to your account situation. The title is absolutely misleading.

I need to add "states:TagResource"