chalice
Document required AWS policy for user
I guess AWSLambdaFullAccess and AmazonAPIGatewayAdministrator are required, something else too?
You'll also need IAM access if you want chalice to create the roles/policies for you. I'll get the exact permissions documented.
I have managed to figure out some of the policy requirements for non-administration IAM users, at least for the IAM and API Gateway part (see below). I am also using the AWSLambdaFullAccess policy in conjunction. Hopefully this will help toward getting an all-encompassing permission set rather than granting "full" access.
Custom policy named ChaliceAccess applied to IAM user:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1471020565000",
"Effect": "Allow",
"Action": [
"iam:AttachRolePolicy",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:PutRolePolicy"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1471020565001",
"Effect": "Allow",
"Action": [
"apigateway:GET",
"apigateway:HEAD"
],
"Resource": [
"arn:aws:apigateway:us-east-1::/restapis",
"arn:aws:apigateway:us-east-1::/restapis/*/resources",
"arn:aws:apigateway:us-east-1::/restapis/*/resources/*"
]
},
{
"Sid": "Stmt1471020565002",
"Effect": "Allow",
"Action": [
"apigateway:DELETE"
],
"Resource": [
"arn:aws:apigateway:us-east-1::/restapis/*/resources/*"
]
},
{
"Sid": "Stmt1471020565003",
"Effect": "Allow",
"Action": [
"apigateway:POST"
],
"Resource": [
"arn:aws:apigateway:us-east-1::/restapis/*/deployments",
"arn:aws:apigateway:us-east-1::/restapis/*/resources/*"
]
},
{
"Sid": "Stmt1471020565004",
"Effect": "Allow",
"Action": [
"apigateway:PUT"
],
"Resource": [
"arn:aws:apigateway:us-east-1::/restapis/*/methods/GET",
"arn:aws:apigateway:us-east-1::/restapis/*/methods/GET/*",
"arn:aws:apigateway:us-east-1::/restapis/*/methods/POST",
"arn:aws:apigateway:us-east-1::/restapis/*/methods/POST/*",
"arn:aws:apigateway:us-east-1::/restapis/*/methods/PUT",
"arn:aws:apigateway:us-east-1::/restapis/*/methods/PUT/*"
]
}
]
}
👍 @dssp301 mind making a PR for that policy for future searchers?
I'm getting an error about not being authorized to perform iam:PassRole which I don't see listed in the IAM section.
I found that this worked for me. Happy to send a PR, as well.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1471020565000",
"Effect": "Allow",
"Action": [
"iam:AttachRolePolicy",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:PutRolePolicy",
"iam:GetRole"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1471020565001",
"Effect": "Allow",
"Action": [
"apigateway:GET",
"apigateway:HEAD"
],
"Resource": [
"arn:aws:apigateway:AWS_REGION::/restapis",
"arn:aws:apigateway:AWS_REGION::/restapis/*/resources",
"arn:aws:apigateway:AWS_REGION::/restapis/*/resources/*"
]
},
{
"Sid": "Stmt1471020565002",
"Effect": "Allow",
"Action": [
"apigateway:DELETE"
],
"Resource": [
"arn:aws:apigateway:AWS_REGION::/restapis/*/resources/*"
]
},
{
"Sid": "Stmt1471020565003",
"Effect": "Allow",
"Action": [
"apigateway:POST"
],
"Resource": [
"arn:aws:apigateway:AWS_REGION::/restapis/*/deployments",
"arn:aws:apigateway:AWS_REGION::/restapis/*/resources/*"
]
},
{
"Sid": "Stmt1471020565004",
"Effect": "Allow",
"Action": [
"apigateway:PUT"
],
"Resource": [
"arn:aws:apigateway:AWS_REGION::/restapis/*/methods/GET",
"arn:aws:apigateway:AWS_REGION::/restapis/*/methods/GET/*",
"arn:aws:apigateway:AWS_REGION::/restapis/*/methods/POST",
"arn:aws:apigateway:AWS_REGION::/restapis/*/methods/POST/*",
"arn:aws:apigateway:AWS_REGION::/restapis/*/methods/PUT",
"arn:aws:apigateway:AWS_REGION::/restapis/*/methods/PUT/*"
]
}
]
}
Update on this? I know chalice will auto-update its policy, but what does it need to get going?
I am experiencing access denied problems when trying to deploy with Chalice. I am not exactly sure what are the least necessary policies in my IAM user to make this work, I cannot find it anywhere in the documentation...
@jamesls Is there any document with the exact permissions needed listed?
How do either of those policies work without iam:CreateRole? If Chalice is creating/managing the role on your behalf, access to this resource would be a must.
This issue has been open for nearly 2 years and still the credentials section is gravely under-documented: https://github.com/aws/chalice#credentials
Amazon should know that not providing a clear policy document/walk-through is an excellent way for accounts to be exploited by those users who "just want to get something up and working"; they inevitably end up providing dangerous amounts of access to their IAM users, and never go back to fix those permissions.
I shudder to think how many people are using a CLI user with AdministratorAccess to deploy their chalice apps.
Hi Folks. FWIW I just had a not-very-entertaining afternoon getting the Chalice demo to run. The ChaliceAccess policies posted here previously didn't work for me until I made a bunch of changes. Here's what I came up with:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy",
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"iam:PassRole"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"apigateway:GET",
"apigateway:POST"
],
"Resource": [
"arn:aws:apigateway:YOUR-AWS-REGION::/restapis",
"arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/resources",
"arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/resources/*"
]
},
{
"Effect": "Allow",
"Action": "apigateway:DELETE",
"Resource": "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/resources/*"
},
{
"Effect": "Allow",
"Action": "apigateway:POST",
"Resource": [
"arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/deployments",
"arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/resources/*"
]
},
{
"Effect": "Allow",
"Action": "apigateway:PUT",
"Resource": [
"arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/GET",
"arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/GET/*",
"arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/POST",
"arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/POST/*",
"arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/PUT",
"arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/PUT/*"
]
},
{
"Effect": "Allow",
"Action": "lambda:*",
"Resource": "*"
}
]
}
Agreed that without better documentation - or at least a managed policy - people will be tempted to throw admin roles around just to get the basics working (I was really tempted!)
Also, if you're using an account with MFA check out aws-mfa before going anywhere near Chalice.
In my case, @adamstimb's policy from https://github.com/aws/chalice/issues/59#issuecomment-460289946 failed with this error:
An error occurred (AccessDeniedException) when calling the UpdateRestApi
operation: User: arn:aws:iam::000000000:user/xxxxx is not authorized to
perform: apigateway:PATCH on resource: arn:aws:apigateway:xxxx::/restapis/xxxx
Adding the following fixed the issue:
{
"Effect": "Allow",
"Action": "apigateway:PATCH",
"Resource": "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*"
}
Here's what I ended up with:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:PassRole",
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy",
"lambda:*",
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:PutRolePolicy"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"apigateway:POST",
"apigateway:GET"
],
"Resource": [
"arn:aws:apigateway:YOUR-AWS-REGION::/restapis",
"arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/resources",
"arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/resources/*"
]
},
{
"Effect": "Allow",
"Action": "apigateway:DELETE",
"Resource": "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/resources/*"
},
{
"Effect": "Allow",
"Action": "apigateway:POST",
"Resource": [
"arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/deployments",
"arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/resources/*"
]
},
{
"Effect": "Allow",
"Action": "apigateway:PUT",
"Resource": [
"arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/GET",
"arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/GET/*",
"arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/POST",
"arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/POST/*",
"arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/PUT",
"arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/PUT/*"
]
},
{
"Effect": "Allow",
"Action": "apigateway:PATCH",
"Resource": "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*"
}
]
}
I've created a gist with the IAM policy that's worked for me: https://gist.github.com/walkermatt/68104f2c2a921b1b2fa80df0a73d7147
Thanks @walkermatt, worked for me too
A real shame that is still not solved by AWS...
Since I use events-based (cron) functions, I had to add "events:PutRule, events:PutTargets" to the policy from @walkermatt's gist.
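The thread above converges on a permission set one AccessDenied at a time. The following is an added example (not chalice's code and not any commenter's policy) that checks a policy document offline against the actions the thread identified, flags wildcard-on-everything statements, and turns a quoted AccessDeniedException message into the narrowest Allow statement that would satisfy it. The required-action list is assumed from the posts above rather than taken from chalice's documentation, and the sample policy is constructed.

```python
import fnmatch
import re

# Actions this thread's contributors found chalice needs, discovered one AccessDenied
# at a time (assumed list compiled from the posts above, not from chalice's own docs).
REQUIRED_ACTIONS = [
    "iam:GetRole", "iam:CreateRole", "iam:PassRole", "iam:AttachRolePolicy",
    "iam:PutRolePolicy", "iam:DetachRolePolicy", "iam:DeleteRolePolicy",
    "apigateway:GET", "apigateway:POST", "apigateway:PUT", "apigateway:DELETE",
    "apigateway:PATCH", "lambda:CreateFunction", "events:PutRule", "events:PutTargets",
]

# Constructed sample: the thread's first policy condensed, plus "lambda:*" (no PATCH,
# no CreateRole/PassRole/GetRole, no events:*), so the checks below have work to do.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": ["iam:AttachRolePolicy",
     "iam:DeleteRolePolicy", "iam:DetachRolePolicy", "iam:PutRolePolicy"]},
    {"Effect": "Allow", "Action": ["apigateway:GET", "apigateway:POST",
     "apigateway:PUT", "apigateway:DELETE"],
     "Resource": "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*"},
    {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _iam_match(pattern, name):
    # IAM matches action names case-insensitively; "*" and "?" are wildcards.
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())

def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions no Allow statement grants (Deny statements are not modelled)."""
    granted = {a for s in policy["Statement"] if s.get("Effect") == "Allow"
               for p in _as_list(s.get("Action", [])) for a in required if _iam_match(p, a)}
    return sorted(set(required) - granted)

def broad_statements(policy):
    """Allow statements pairing a wildcard action with Resource "*" (least-privilege smell)."""
    return [s for s in policy["Statement"] if s.get("Effect") == "Allow"
            and "*" in _as_list(s.get("Resource", []))
            and any("*" in p for p in _as_list(s.get("Action", [])))]

_DENIED_RE = re.compile(r"not authorized to perform: (\S+) on resource: (\S+)")
def statement_from_denial(message):
    """Allow statement satisfying an AccessDeniedException message (format quoted above)."""
    m = _DENIED_RE.search(" ".join(message.split()))
    if not m:
        return None
    return {"Effect": "Allow", "Action": m.group(1), "Resource": m.group(2)}
```

Run `missing_actions` against a candidate policy before each deploy attempt; the gap list is the same information the thread extracted from repeated AccessDenied errors, and `broad_statements` points at the `lambda:*` on `*` entries that the later policies still carry.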