
What are the minimal AWS permissions needed for faast to function properly?

Open microsoftly opened this issue 4 years ago • 5 comments

microsoftly avatar Oct 26 '20 21:10 microsoftly

Ideally admin permissions to the entire account. The reason is that faast.js creates its own role and sets the permissions for that role, and in order to do that you need a high level of permissions.

However, you can create the role yourself: https://faastjs.org/docs/api/faastjs.awsoptions.rolename, then specify the role you created as the RoleName property of AwsOptions: https://faastjs.org/docs/api/faastjs.awsoptions.

acchou avatar Oct 26 '20 21:10 acchou

Ideally, there's a lesser set of permissions that would be needed in order for faast to function properly, no?

That seems insanely broad and a potential security risk otherwise.

microsoftly avatar Oct 27 '20 00:10 microsoftly

It's a little complex because faast.js needs to do many things in order to orchestrate the work it does. Producing an absolute minimal configuration will be challenging, but a coarse approximation would probably require (untested):

  • Access to read IAM (assuming you create the role yourself and specify as the RoleName, otherwise write access is required)
  • Access to create, invoke, and delete Lambda functions
  • Read and write access to S3, using the buckets you specify - but also any buckets created by faast with the faast-* prefix
  • create, delete, and operation access to SQS and SNS.
  • probably some others that I've forgotten.

In general the best approach is probably to segregate the use cases and data for faast.js into a separate account, and use that for the production use. For developer use, you can use the standard AWS IAM keys you use, which probably gives you full access to your own account.

acchou avatar Oct 27 '20 00:10 acchou

A quick review of the code shows two more services you need permissions for:

  • STS
  • AWS Price List API

acchou avatar Oct 27 '20 00:10 acchou
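
The coarse permission list from the two comments above, written out as a scoped IAM policy plus a check that flags drift back toward admin-level access. This is an added example, not faast.js code or anything posted in the thread; the action lists are an untested approximation, `iam:PassRole` is an assumption, and the function names and every value passed in are hypothetical.

```javascript
// Added example, not faast.js code. Action lists are an untested, coarse
// reading of the thread's bullets; all names passed in are constructed.
const UNSCOPABLE = new Set(["sts:GetCallerIdentity", "pricing:GetProducts"]);

function buildCallerPolicy({ account, region, roleName, buckets = [] }) {
  const arn = (service, resource) => `arn:aws:${service}:${region}:${account}:${resource}`;
  const allow = (Sid, Action, Resource) => ({ Sid, Effect: "Allow", Action, Resource });
  // Buckets you name yourself plus the faast-* buckets faast.js creates.
  const s3 = ["faast-*", ...buckets].flatMap(b => [`arn:aws:s3:::${b}`, `arn:aws:s3:::${b}/*`]);
  return {
    Version: "2012-10-17",
    Statement: [
      // Read-only IAM on the pre-created role; PassRole is an assumption,
      // required by Lambda when a function is created with that role.
      allow("UseExistingRole", ["iam:GetRole", "iam:PassRole"],
        `arn:aws:iam::${account}:role/${roleName}`),
      allow("LambdaLifecycle", ["lambda:CreateFunction", "lambda:GetFunction",
        "lambda:InvokeFunction", "lambda:DeleteFunction"], arn("lambda", "function:*")),
      allow("S3Data", ["s3:CreateBucket", "s3:DeleteBucket", "s3:ListBucket",
        "s3:GetObject", "s3:PutObject", "s3:DeleteObject"], s3),
      allow("Queues", ["sqs:CreateQueue", "sqs:DeleteQueue", "sqs:GetQueueAttributes",
        "sqs:SetQueueAttributes", "sqs:SendMessage", "sqs:ReceiveMessage",
        "sqs:DeleteMessage"], arn("sqs", "*")),
      allow("Topics", ["sns:CreateTopic", "sns:DeleteTopic", "sns:Subscribe",
        "sns:Unsubscribe", "sns:Publish"], arn("sns", "*")),
      // These two actions take no resource-level scoping, so "*" is expected.
      allow("IdentityAndPricing", [...UNSCOPABLE], "*"),
    ],
  };
}

// Returns one finding per way a statement drifts toward admin-level access.
function auditPolicy(policy) {
  const findings = [];
  for (const s of policy.Statement) {
    const actions = [].concat(s.Action);
    const resources = [].concat(s.Resource);
    if (actions.some(a => a === "*" || a.endsWith(":*")))
      findings.push(`${s.Sid}: wildcard action`);
    if (resources.includes("*") && !actions.every(a => UNSCOPABLE.has(a)))
      findings.push(`${s.Sid}: unscoped resource`);
    // IAM write is only needed when faast.js creates the role itself.
    if (actions.some(a => /^iam:(?!Get|List|PassRole)/.test(a)))
      findings.push(`${s.Sid}: IAM write`);
  }
  return findings;
}
```

Attach the generated document to the deployment identity and run `auditPolicy` over any later revision; a non-empty result means the policy has widened beyond what the thread describes for the pre-created-role setup.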

Thank you!

I'll be testing this soon and will report back if it works.

microsoftly avatar Oct 27 '20 18:10 microsoftly