Alexander Zeitler

Minimal IAM permissions for AWS CDK deployments

Published on Thursday, October 1, 2020

AWS CDK uses AWS CloudFormation to deploy stacks to AWS.

In addition, AWS CDK may need some data which is stored in an S3 bucket named cdktoolkit-stagingbucket-*.

This is the IAM policy I'm assigning to an AWS IAM group that should be able to deploy resources via AWS CDK. Of course, depending on the resources you want to deploy, you will need further IAM permissions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudformation:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::cdktoolkit-stagingbucket-*",
            "Effect": "Allow"
        }
    ]
}

The policy gives full access to CloudFormation and to all S3 buckets named cdktoolkit-stagingbucket-*.

Another option is to additionally grant access to all actions on all resources if the action was triggered by CloudFormation (or CDK), which is what the aws:CalledVia condition checks:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudformation:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": [
                        "cloudformation.amazonaws.com"
                    ]
                }
            },
            "Action": "*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::cdktoolkit-stagingbucket-*",
            "Effect": "Allow"
        }
    ]
}

Handle with care...

Update for CDK version 2

Another permission is required for CDK 2:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/cdk-*"
            ]
        }
    ]
}

Thanks to James Crowley for pointing this out.
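As an added example (not part of the original post), here is a small audit script that checks a policy document for the three things discussed above: that an admin-level Allow is gated by aws:CalledVia, that s3:* is limited to the cdktoolkit staging bucket, and that the CDK 2 sts:AssumeRole is limited to the cdk-* roles. The sample policy is constructed from the post's statements; the severities and the rules themselves are this example's own, not an AWS or CDK definition.

```python
# Constructed sample: the aws:CalledVia-gated policy from the post merged with the
# CDK 2 sts:AssumeRole statement. The rules below are this example's own checks.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["cloudformation:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*",
         "Condition": {"ForAnyValue:StringEquals": {
             "aws:CalledVia": ["cloudformation.amazonaws.com"]}}},
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::cdktoolkit-stagingbucket-*"},
        {"Effect": "Allow", "Action": ["sts:AssumeRole"],
         "Resource": ["arn:aws:iam::*:role/cdk-*"]},
    ],
}
STAGING_BUCKET_ARN = "arn:aws:s3:::cdktoolkit-stagingbucket-"
CDK_ROLE_ARN = "arn:aws:iam::*:role/cdk-"

def as_list(value):
    # IAM accepts a string or a list for Action/Resource; normalise to a list.
    return value if isinstance(value, list) else [value]

def gated_by_cloudformation(stmt):
    # True when the statement only applies to calls CloudFormation makes on the caller's behalf.
    cond = stmt.get("Condition", {}).get("ForAnyValue:StringEquals", {})
    return "cloudformation.amazonaws.com" in as_list(cond.get("aws:CalledVia", []))

def audit(policy):
    # Return (severity, message) findings for the CDK-relevant Allow statements.
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = as_list(stmt["Action"]), as_list(stmt["Resource"])
        if "*" in actions and "*" in resources:
            if gated_by_cloudformation(stmt):
                findings.append(("MEDIUM", "admin-level Allow gated by aws:CalledVia=cloudformation.amazonaws.com"))
            else:
                findings.append(("HIGH", "admin-level Allow with no aws:CalledVia condition"))
        for action in actions:
            if action.startswith("s3:") and not all(r.startswith(STAGING_BUCKET_ARN) for r in resources):
                findings.append(("HIGH", f"{action} is not limited to the cdktoolkit staging bucket"))
            if action == "sts:AssumeRole" and not all(r.startswith(CDK_ROLE_ARN) for r in resources):
                findings.append(("MEDIUM", "sts:AssumeRole is not limited to the cdk-* bootstrap roles"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```

To audit a real policy, load its JSON with json.load and pass the resulting dict to audit().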
