@walkermatt
Last active October 30, 2023 13:57
Chalice Dev AWS IAM Policy

AWS IAM policy suitable for assigning to a user developing Chalice applications. It allows the developer to successfully run chalice deploy, chalice delete and chalice logs. Note that it is deliberately permissive: lambda:*, ec2:*, logs:* and iam:PassRole are all granted on Resource "*", so a user holding it can attach any role that trusts the Lambda service to a function of their own. Treat it as a sandbox-account policy and narrow the role ARNs before using it in a shared account.

Derived from comments on chalice/issues/59, extended by trial and error :-)

Substitute YOUR-AWS-REGION in chalice-dev-iam-policy.json with the region you are deploying to, for example eu-west-1. The apigateway ARNs are the only region-scoped resources in the file; if the placeholder is left in place none of them match a real request and the API Gateway calls made by chalice deploy are denied.

AWS profiles

If you have multiple profiles defined in ~/.aws/credentials or ~/.aws/config then you can specify the profile to use with the chalice commands via the AWS_PROFILE environment variable. Before deploying it is worth confirming which account and user the profile resolves to with aws sts get-caller-identity, which honours the same variable. For example to use a profile called sandpit when deploying:

export AWS_PROFILE=sandpit
chalice deploy

chalice-dev-iam-policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:PassRole",
        "iam:ListRoles",
        "iam:DetachRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:DeleteRole",
        "iam:CreateRole",
        "iam:CreateServiceLinkedRole",
        "iam:UpdateRoleDescription",
        "iam:DeleteServiceLinkedRole",
        "iam:GetServiceLinkedRoleDeletionStatus",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:ListRolePolicies",
        "lambda:*",
        "ec2:*",
        "logs:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:POST",
        "apigateway:GET"
      ],
      "Resource": [
        "arn:aws:apigateway:YOUR-AWS-REGION::/restapis",
        "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*",
        "arn:aws:apigateway:YOUR-AWS-REGION::/domainnames",
        "arn:aws:apigateway:YOUR-AWS-REGION::/domainnames/*",
        "arn:aws:apigateway:YOUR-AWS-REGION::/domainnames/*/*",
        "arn:aws:apigateway:YOUR-AWS-REGION::/tags/*",
        "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/resources",
        "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/resources/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "apigateway:DELETE",
      "Resource": [
        "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*",
        "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/resources/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "apigateway:POST",
      "Resource": [
        "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*",
        "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/deployments",
        "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/resources/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "apigateway:PUT",
      "Resource": [
        "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/GET",
        "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/GET/*",
        "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/POST",
        "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/POST/*",
        "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/PUT",
        "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/PUT/*",
        "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "apigateway:PATCH",
      "Resource": [
        "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*",
        "arn:aws:apigateway:YOUR-AWS-REGION::/domainnames/*"
      ]
    }
  ]
}
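The region substitution and the least-privilege concerns above, worked through as an added example that is not part of the gist or of Chalice. It renders the placeholder for a region and checks that every apigateway ARN ended up scoped to it, flags the statements a reviewer would object to (service-wide actions and an unconditioned iam:PassRole on Resource "*"), and shows one way to tighten PassRole by moving it into its own statement limited to a role ARN pattern and to the Lambda service via the iam:PassedToService condition key. POLICY_TEMPLATE is a constructed two-statement excerpt of the gist's policy; the function names and the example account ID and role pattern are my own.

```python
"""Render and audit the Chalice developer IAM policy for a region.

Added example; not from the gist. POLICY_TEMPLATE is a constructed excerpt
of the gist's policy, and the helper names below are assumptions of this example.
"""
from __future__ import annotations

import json
import re
from typing import Any

PLACEHOLDER = "YOUR-AWS-REGION"
# Accepts region names such as eu-west-1, ap-southeast-3 or us-gov-west-1.
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")

# Constructed excerpt of the gist's policy, reduced to two statements.
POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iam:GetRole", "iam:PassRole", "iam:CreateRole", "lambda:*", "ec2:*", "logs:*"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["apigateway:POST", "apigateway:GET"],
      "Resource": [
        "arn:aws:apigateway:YOUR-AWS-REGION::/restapis",
        "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*"
      ]
    }
  ]
}"""


def _as_list(value: Any) -> list:
    """IAM allows Action and Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def render_policy(template: str, region: str) -> dict:
    """Substitute the placeholder and verify every apigateway ARN is scoped to region."""
    if not REGION_RE.match(region):
        raise ValueError(f"not a plausible AWS region name: {region!r}")
    policy = json.loads(template.replace(PLACEHOLDER, region))
    for stmt in policy["Statement"]:
        for arn in _as_list(stmt["Resource"]):
            # Field 3 of arn:aws:apigateway:<region>::/... is the region.
            if arn.startswith("arn:aws:apigateway:") and arn.split(":")[3] != region:
                raise ValueError(f"resource not scoped to {region}: {arn}")
    return policy


def audit_policy(policy: dict) -> list[str]:
    """Return the findings a least-privilege review of the policy would raise."""
    findings: list[str] = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        wide = [a for a in actions if a == "*" or a.endswith(":*")]
        if "*" in resources and wide:
            findings.append(f"statement {i}: service-wide actions {wide} on Resource '*'")
        if "*" in resources and "iam:PassRole" in actions and "Condition" not in stmt:
            findings.append(
                f"statement {i}: iam:PassRole on Resource '*' with no Condition; "
                "together with lambda:CreateFunction this runs code as any role that trusts Lambda"
            )
    return findings


def restrict_pass_role(policy: dict, role_arn_pattern: str) -> dict:
    """Move iam:PassRole into its own statement limited to role_arn_pattern and to Lambda.

    role_arn_pattern is chosen by the caller (assumed example: the roles Chalice
    creates for one app). iam:PassedToService is a documented IAM condition key.
    """
    hardened = json.loads(json.dumps(policy))  # deep copy; leave the input untouched
    moved = False
    for stmt in hardened["Statement"]:
        actions = _as_list(stmt["Action"])
        if "iam:PassRole" in actions:
            stmt["Action"] = [a for a in actions if a != "iam:PassRole"]
            moved = True
    # Drop any statement that only granted PassRole and is now empty.
    hardened["Statement"] = [s for s in hardened["Statement"] if _as_list(s["Action"])]
    if moved:
        hardened["Statement"].append({
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": role_arn_pattern,
            "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}},
        })
    return hardened


if __name__ == "__main__":
    rendered = render_policy(POLICY_TEMPLATE, "eu-west-1")
    for finding in audit_policy(rendered):
        print("finding:", finding)
    # Example account ID and role pattern; substitute your own.
    hardened = restrict_pass_role(rendered, "arn:aws:iam::123456789012:role/myapp-*")
    print(json.dumps(hardened, indent=2))
```

Running it prints two findings for the excerpt and then the hardened document, in which the wide lambda:*, ec2:* and logs:* grant still remains; narrowing those is a separate exercise, since Chalice needs to create, update and delete functions, log groups and (for VPC-attached functions) network interfaces, and which resources those touch depends on the app.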
MRigal commented Jan 6, 2022

In case you have lambdas based on events, I had to add "events:PutRule, events:PutTargets" to get it to work

@datashaman

Instead of this:

export AWS_PROFILE=sandpit
chalice deploy

you can also do this:

chalice --profile=sandpit deploy
