How to scope permissions for the deployment user/role #15073
Unanswered
mattfysh asked this question in Pulumi in Practice
Replies: 0 comments
I am wondering how people approach scoping the user/role they use to perform deployments.
Previously in AWS I was using my local aws cli which had an access key/secret for my root user, but I am soon moving my deploys to the cloud so I am looking for something more appropriate.
I used the recent deployment of an EKS cluster to try to find ways to correctly scope out the required permissions for each resource, but it was a fairly painful experience. Basically I started with defining `service:*` permissions but added a condition that the resource tag must match the default tag specified in Pulumi.yaml. From there it was a matter of running `pulumi up` iteratively and fixing permission errors as they occurred, which eventually led to this policy required to deploy an `eks:index:Cluster`:
- https://gist.github.com/mattfysh/1044cd7c4c99bd5aa06a684389e91f58

Unfortunately it wasn't quite that straightforward. Encountering errors in the middle of a deployment would sometimes put the stack into an unrecoverable state, so there were a few times when I had to wipe stack & cloud resources and start again with the latest policy.
One thing that would make this easier would be if resources declared the permissions they required. Another idea could be to do a deployment with an all-access user then review a log of permissions used to scope down the policy
I'm curious to learn how other people are addressing permissions. I mentioned AWS here but this applies to any cloud provider with fine-grained permissions.
Cheers!
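The tag-conditioned `service:*` pattern the post describes needs more than one statement to survive a real `pulumi up`, which is part of why the iteration was painful: a `ResourceTag` condition cannot match on create calls (the resource has no tags yet), and some Describe/List actions support no resource-level conditions at all and fail closed under one. The generator below is an added example, not the post's gist or Pulumi's code; the tag key/value, service list and read-only action list are constructed sample values, and the assumption that the tag comes from `aws:defaultTags` in Pulumi.yaml is the poster's setup, not something the example enforces.

```python
"""Build a tag-scoped deployment policy of the shape described in the post.

Assumptions (not from the post): tag key/value, service set and read-only
action set are constructed sample inputs chosen for illustration.
"""
import json


def build_tag_scoped_policy(services, tag_key, tag_value, read_only_actions=()):
    """Return an IAM policy document (dict) that grants `<service>:*` only
    for resources carrying the stack's tag. Three statements are needed:
      1. ResourceTag  - mutate/delete resources that already carry the tag
      2. RequestTag   - create/tag calls, where only the request tags exist yet
      3. read-only actions that support no resource-level condition (assumed
         examples below), which must be granted without a tag condition
    """
    wildcard = [f"{svc}:*" for svc in sorted(services)]
    statements = [
        {"Sid": "MutateTaggedResources", "Effect": "Allow", "Action": wildcard,
         "Resource": "*",
         "Condition": {"StringEquals": {f"aws:ResourceTag/{tag_key}": tag_value}}},
        {"Sid": "CreateWithTag", "Effect": "Allow", "Action": wildcard,
         "Resource": "*",
         "Condition": {"StringEquals": {f"aws:RequestTag/{tag_key}": tag_value}}},
    ]
    if read_only_actions:
        statements.append({"Sid": "ReadOnlyNoTagSupport", "Effect": "Allow",
                           "Action": sorted(read_only_actions), "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def unconditioned_wildcards(policy):
    """Lint check: return every `service:*` grant that carries no Condition.
    Such a statement silently widens the deployment role beyond the stack."""
    found = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if "Condition" not in st:
            found.extend(a for a in actions if a.endswith(":*"))
    return found


if __name__ == "__main__":
    policy = build_tag_scoped_policy(
        services={"eks", "ec2"},
        tag_key="Project", tag_value="my-stack",            # constructed tag
        read_only_actions={"ec2:DescribeVpcs", "ec2:DescribeSubnets"},
    )
    print(json.dumps(policy, indent=2))
    print("unconditioned wildcards:", unconditioned_wildcards(policy))
```

Running the lint over the gist's policy (or any hand-edited revision of it) is a quick way to catch a wildcard statement that lost its tag condition during the fix-and-retry loop.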