| { | |
| "Statement": [ | |
| { | |
| "Action": [ | |
| "apigateway:*", | |
| "cloudformation:CancelUpdateStack", | |
| "cloudformation:ContinueUpdateRollback", | |
| "cloudformation:CreateChangeSet", | |
| "cloudformation:CreateStack", | |
| "cloudformation:CreateUploadBucket", | |
| "cloudformation:DeleteStack", | |
| "cloudformation:Describe*", | |
| "cloudformation:EstimateTemplateCost", | |
| "cloudformation:ExecuteChangeSet", | |
| "cloudformation:Get*", | |
| "cloudformation:List*", | |
| "cloudformation:UpdateStack", | |
| "cloudformation:UpdateTerminationProtection", | |
| "cloudformation:ValidateTemplate", | |
| "dynamodb:CreateTable", | |
| "dynamodb:DeleteTable", | |
| "dynamodb:DescribeTable", | |
| "dynamodb:DescribeTimeToLive", | |
| "dynamodb:UpdateTimeToLive", | |
| "ec2:AttachInternetGateway", | |
| "ec2:AuthorizeSecurityGroupIngress", | |
| "ec2:CreateInternetGateway", | |
| "ec2:CreateNetworkAcl", | |
| "ec2:CreateNetworkAclEntry", | |
| "ec2:CreateRouteTable", | |
| "ec2:CreateSecurityGroup", | |
| "ec2:CreateSubnet", | |
| "ec2:CreateTags", | |
| "ec2:CreateVpc", | |
| "ec2:DeleteInternetGateway", | |
| "ec2:DeleteNetworkAcl", | |
| "ec2:DeleteNetworkAclEntry", | |
| "ec2:DeleteRouteTable", | |
| "ec2:DeleteSecurityGroup", | |
| "ec2:DeleteSubnet", | |
| "ec2:DeleteVpc", | |
| "ec2:Describe*", | |
| "ec2:DetachInternetGateway", | |
| "ec2:ModifyVpcAttribute", | |
| "events:DeleteRule", | |
| "events:DescribeRule", | |
| "events:ListRuleNamesByTarget", | |
| "events:ListRules", | |
| "events:ListTargetsByRule", | |
| "events:PutRule", | |
| "events:PutTargets", | |
| "events:RemoveTargets", | |
| "iam:AttachRolePolicy", | |
| "iam:CreateRole", | |
| "iam:DeleteRole", | |
| "iam:DeleteRolePolicy", | |
| "iam:DetachRolePolicy", | |
| "iam:GetRole", | |
| "iam:PassRole", | |
| "iam:PutRolePolicy", | |
| "iot:CreateTopicRule", | |
| "iot:DeleteTopicRule", | |
| "iot:DisableTopicRule", | |
| "iot:EnableTopicRule", | |
| "iot:ReplaceTopicRule", | |
| "kinesis:CreateStream", | |
| "kinesis:DeleteStream", | |
| "kinesis:DescribeStream", | |
| "lambda:*", | |
| "logs:CreateLogGroup", | |
| "logs:DeleteLogGroup", | |
| "logs:DescribeLogGroups", | |
| "logs:DescribeLogStreams", | |
| "logs:FilterLogEvents", | |
| "logs:GetLogEvents", | |
| "logs:PutSubscriptionFilter", | |
| "s3:CreateBucket", | |
| "s3:DeleteBucket", | |
| "s3:DeleteBucketPolicy", | |
| "s3:DeleteObject", | |
| "s3:DeleteObjectVersion", | |
| "s3:GetObject", | |
| "s3:GetObjectVersion", | |
| "s3:ListAllMyBuckets", | |
| "s3:ListBucket", | |
| "s3:PutBucketNotification", | |
| "s3:PutBucketPolicy", | |
| "s3:PutBucketTagging", | |
| "s3:PutBucketWebsite", | |
| "s3:PutEncryptionConfiguration", | |
| "s3:PutObject", | |
| "sns:CreateTopic", | |
| "sns:DeleteTopic", | |
| "sns:GetSubscriptionAttributes", | |
| "sns:GetTopicAttributes", | |
| "sns:ListSubscriptions", | |
| "sns:ListSubscriptionsByTopic", | |
| "sns:ListTopics", | |
| "sns:SetSubscriptionAttributes", | |
| "sns:SetTopicAttributes", | |
| "sns:Subscribe", | |
| "sns:Unsubscribe", | |
| "states:CreateStateMachine", | |
| "states:DeleteStateMachine" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": "*" | |
| } | |
| ], | |
| "Version": "2012-10-17" | |
| } |
This comment has been minimized.
This comment has been minimized.
|
Yup, same thing happened to me. |
This comment has been minimized.
This comment has been minimized.
|
I had issues using s3 sync w/ this policy; I enabled all s3 actions & resources as a quick fix. Anyone else have this problem? |
This comment has been minimized.
This comment has been minimized.
|
I had to add "dynamodb:DescribeTimeToLive" and "dynamodb:UpdateTimeToLive" to allow the creation of a table with TTL settings. |
This comment has been minimized.
This comment has been minimized.
|
I also needed: |
This comment has been minimized.
This comment has been minimized.
|
Thanks everyone for chiming in! We just updated the gist accordingly. |
This comment has been minimized.
This comment has been minimized.
|
For next update, this popped up for me |
This comment has been minimized.
This comment has been minimized.
|
Thanks @CGeorges |
This comment has been minimized.
This comment has been minimized.
|
Thanks for this list! Because I use a custom S3 deployment bucket, I also had to add an extra statement object to the list, with the |
This comment has been minimized.
This comment has been minimized.
|
As @CGeorges commented above, if changing name of method e.g. someMethod to some_method you get: Suggest add: |
This comment has been minimized.
This comment has been minimized.
|
SQS may be preferable (or additional) to SNS as per this example (not affiliated): So suggest add: and some subset of: |
This comment has been minimized.
This comment has been minimized.
|
wtf is the difference between this and "AWS full access"? |
This comment has been minimized.
This comment has been minimized.
|
This is more like the maximum credential set since it requests everything Serverless might use to set up a lambda function. We can remove SNS if we don't use it, or kinesis, or iot, etc. Only cloudformation, iam, lambda, logs, and s3 are minimum requirements. |
This comment has been minimized.
This comment has been minimized.
|
Since the title says "minimum", can this be re-edited down to an absolute minimum required to do a deployment of a simple function with no dependencies? "Oops! A bug in serverless just deleted your production VPC" - Err, no thanks! |
This comment has been minimized.
This comment has been minimized.
{
"Statement": [
{
"Action": [
"cloudformation:CancelUpdateStack",
"cloudformation:ContinueUpdateRollback",
"cloudformation:CreateChangeSet",
"cloudformation:CreateStack",
"cloudformation:CreateUploadBucket",
"cloudformation:DeleteStack",
"cloudformation:Describe*",
"cloudformation:EstimateTemplateCost",
"cloudformation:ExecuteChangeSet",
"cloudformation:Get*",
"cloudformation:List*",
"cloudformation:UpdateStack",
"cloudformation:UpdateTerminationProtection",
"cloudformation:ValidateTemplate",
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:PassRole",
"iam:PutRolePolicy",
"lambda:*",
"logs:CreateLogGroup",
"logs:DeleteLogGroup",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:FilterLogEvents",
"logs:GetLogEvents",
"logs:PutSubscriptionFilter",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteBucketPolicy",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:PutBucketTagging",
"s3:PutBucketWebsite",
"s3:PutEncryptionConfiguration",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
}As @carlin-q-scott says the above actions are sufficient to deploy the simple helloWorld from the docs. However if you want to actually attach a HTTP endpoint, you will also need |
This comment has been minimized.
This comment has been minimized.
|
AWS limits the policy size by default to 2048 characters, and the policy in the gist exceeds that many characters. It is giving error:
|
This comment has been minimized.
This comment has been minimized.
|
I got this error: Maximum policy size of 2048 bytes exceeded for user serverless-servicename-agent It was fixed by removing spaces from the JSON file. |
This comment has been minimized.
The
"cloudformation:PreviewStackUpdate"is a unrecognized action on AWS. Maybe you could consider removing it?And when I set custom domain according to this article https://serverless.com/blog/serverless-api-gateway-domain/, I found this policy list lack some policies of ACM and Route53, maybe you could consider adding some of these.