I have CloudFormation stack, which is frequently updated by a script (changing source AMIs for launch configuration). I would love to have it deployed by the same script, executed by non-privileged user/instance role. Currently all updates are made by admin user, with a lot more privileges than needed.
My initial approach was by try and fail, see in logs what permission is missing and adding it one by one. Takes a lot of time and far from productive.
I am thinking that there should be a way to generate list of permissions based on CloudFormation template, plus permissions to update the stack itself.
My second thought is to process CloudTrail logs of successful deployment to extract actions and resources from there.
May be there is already a way to do it and I'm re:Inveting the wheel ?
You would be better off referencing the IAM docs for the IAM actions required to update a resource. For instance updating a LaunchConfiguration resource’s ImageId property requires the replacement of the LaunchConfiguration resource, and then the AutoScalingGroup must be updated with the new LaunchConfiguration via the UpdateAutoScalingGroup action.
I suggest directly referencing the docs because a script to generate permissions for a CloudFormation template could produce a list of possible IAM actions for each resource, but at that point you still have to look at the list and say “for this resource (e.g. AutoScalingGroup) what action(s) do I want to take on it?”
My point being referencing the documentation directly is faster than trial and error and as fast as the tool proposed.
Really interesting idea though, what could be faster than referencing documentation directly is an editor extension that displays possible actions for a resource type while you view your CF template. I have been working on such an extension recently, will paste link here if I complete it.