How to scope permissions for the deployment user/role

[mattfysh]

I am wondering how people approach scoping the user/role they use to perform deployments?

Previously in AWS I was using my local aws cli which had an access key/secret for my root user, but I am soon moving my deploys to the cloud so I am looking for something more appropriate

I used the recent deployment of an EKS cluster to try to find ways to correctly scope out the required permissions for each resource, but it was a fairly painful experience. Basically I started with defining service:* permissions but added a condition that the resource tag must match the default tag specified in Pulumi.yaml

From there it was a matter of running pulumi up iteratively and fixing permission errors as they occurred, which eventually led to this policy required to deploy an eks:index:Cluster - https://gist.github.com/mattfysh/1044cd7c4c99bd5aa06a684389e91f58

Unfortunately it wasn't quite that straightforward. Encountering errors in the middle of a deployment would sometimes put the stack into an unrecoverable state, so there were a few times when I had to wipe stack & cloud resources and start again with the latest policy

One thing that would make this easier would be if resources declared the permissions they required. Another idea could be to do a deployment with an all-access user then review a log of permissions used to scope down the policy

I'm curious to learn how other people are addressing permissions? I mentioned AWS here but this applies to any cloud provider with fine-grained permissions

Cheers!