What IAM permissions are needed to use CDK Deploy?


Question

My team has a pipeline which runs under an execution IAM role. We want to deploy code to AWS through CloudFormation or the CDK.

In the past, we would upload some artifacts to S3 buckets before creating/updating our CloudFormation stack, using the execution IAM role.

We recently switched to the CDK, and are trying to get as much automated with using CDK Deploy as possible, but are running into a lot of permission items we need to add which we didn't have prior (for instance, cloudformation:GetTemplate).

We don't want to just grant * (we want to follow least privilege) but I can't find any clear documented list.

Is there a standard list of permissions that CDK Deploy relies on? Are there any "nice to have's" beyond a standard list?

Accepted answer

Since I couldn't find any documentation anywhere I had to do some trial and error to get this to work.

Apart from the permissions you need to create the actual resources you define in your stack, you need to give the following:

cloudformation:CreateChangeSet
cloudformation:DescribeChangeSet
cloudformation:ExecuteChangeSet
cloudformation:DescribeStackEvents
cloudformation:DeleteChangeSet

To the stack ARN you are creating, as well as the bootstrap stack:

arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/CDKToolkit/*

You also need s3 permissions to the bucket that the bootstrap added (otherwise you get that dreaded Forbidden: null error):

s3:*Object
s3:ListBucket

arn:aws:s3:::cdktoolkit-stagingbucket-*
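The permissions listed in the answer assembled into a single scoped IAM policy document, with a small check that flags the kind of `*` grants the question wants to avoid. This is an added example, not code from the original post or from the CDK project; the account id, region and application stack name are placeholders to be substituted, and the CDKToolkit stack name and `cdktoolkit-stagingbucket-` prefix are the defaults quoted in the answer. One detail the answer leaves implicit: `s3:ListBucket` is evaluated against the bucket ARN while the `*Object` actions are evaluated against `bucket/*`, so both ARN forms are included.

```python
"""Build a least-privilege IAM policy for `cdk deploy` from the permissions
listed in the answer above, and lint it for wildcard grants.

Added example (not from the original post). Assumptions: the default CDK
bootstrap stack name (CDKToolkit) and staging bucket prefix
(cdktoolkit-stagingbucket-*); account id, region and stack name are
caller-supplied placeholders.
"""
import json
from typing import Dict, List

# CloudFormation actions the answer found necessary for `cdk deploy`.
CFN_ACTIONS = [
    "cloudformation:CreateChangeSet",
    "cloudformation:DescribeChangeSet",
    "cloudformation:ExecuteChangeSet",
    "cloudformation:DescribeStackEvents",
    "cloudformation:DeleteChangeSet",
]

# S3 actions needed on the bootstrap staging bucket (s3:*Object covers
# Get/Put/DeleteObject; ListBucket is a bucket-level action).
S3_ACTIONS = ["s3:*Object", "s3:ListBucket"]

STAGING_BUCKET_ARN = "arn:aws:s3:::cdktoolkit-stagingbucket-*"


def build_deploy_policy(account_id: str, region: str, stack_name: str) -> Dict:
    """Return an IAM policy document scoped to one application stack plus the
    CDK bootstrap stack and its staging bucket."""
    app_stack_arn = f"arn:aws:cloudformation:{region}:{account_id}:stack/{stack_name}/*"
    toolkit_stack_arn = f"arn:aws:cloudformation:{region}:{account_id}:stack/CDKToolkit/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CfnChangeSets",
                "Effect": "Allow",
                "Action": CFN_ACTIONS,
                "Resource": [app_stack_arn, toolkit_stack_arn],
            },
            {
                "Sid": "StagingBucket",
                "Effect": "Allow",
                "Action": S3_ACTIONS,
                # Bucket ARN for ListBucket, bucket/* for the object actions.
                "Resource": [STAGING_BUCKET_ARN, STAGING_BUCKET_ARN + "/*"],
            },
        ],
    }


def find_wildcards(policy: Dict) -> List[str]:
    """Return the Sids of Allow statements granting Action '*', a whole-service
    action wildcard such as 'cloudformation:*', or Resource '*'."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        broad_action = any(a == "*" or a.endswith(":*") for a in actions)
        if broad_action or "*" in resources:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


# Constructed "before" policy: the blanket grant the question wants to avoid,
# plus a service-wide wildcard that is scoped by resource but still too broad.
OVERPERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "AllCfn",
            "Effect": "Allow",
            "Action": "cloudformation:*",
            "Resource": "arn:aws:cloudformation:us-east-1:123456789012:stack/MyAppStack/*",
        },
    ],
}


if __name__ == "__main__":
    policy = build_deploy_policy("123456789012", "us-east-1", "MyAppStack")
    print(json.dumps(policy, indent=2))
    print("wildcards in scoped policy:", find_wildcards(policy))
    print("wildcards in over-permissive policy:", find_wildcards(OVERPERMISSIVE_POLICY))
```

Attach the generated document to the pipeline's execution role alongside the permissions for the resources the stack itself creates; if a deploy still fails with an AccessDenied, add the single action named in the error rather than widening to a service wildcard, which is what the lint above would flag.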
