Static website: Deployment IAM permissions about lift HOT 2 OPEN

I've went through the same process and can't agree more.

IAM is complex and IMO Serverless Framework does a poor job at pointing you in the right direction (or I'm not aware of it). They even recommend creating a user with Administrator Access in there docs.

I'm not sure what's the best practise in this field right now but what I've done so far is generating a user with the least permissions I can come up with. And yes this is trial & error each time.

I also know you can make Cloudformation assume a role when deploying but that wouldn't help with your static files upload problem here.

I think the required permissions to use and deploy a construct could be documented but there would still be a missing piece in Serverless Framework.

It would be nice for serverless framework to have a command that looks at what would be deployed and generates the proper IAM permission document for deployment (and them sending an event so that Lift can hook into the process and add its own to the mix).

Hope that makes sense. Would love to hear thoughts on this.

from lift.

Yes, yes and yes.

We've discussed it several times internally at Serverless, and it's a tough problem to solve. No tools, as far as we know, has a magic solution for this.

One idea we may want to explore is:

• let each construct expose the permissions it requires
• then there would be a command that lets user export those permissions (useful for reviewing as well), even before deploying
• on deployment, it could even be great if Lift/Serverless Framework would check the permissions before deploying to anticipate any failure

But, as you can guess, this is a lot of work. I'm curious what you think about that approach, or if you have anything else in mind.

For those stumbling on this discussion feel free to add a 👍 to the issue: that helps us gauge interest and prioritize the roadmap.

from lift.