
Automatically generate a list of required IAM policies (or similar for other providers)

Open alex-e-leon opened this issue 5 months ago • 3 comments

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

One challenge I'm finding I constantly run into is managing the IAM policies that I'm required to give pulumi in order for pulumi to create/update/remove all the resources it manages. When adding new resources I often find myself adding overly broad and permissive policies because otherwise I sometimes end up spending hours re-trying deployments and adding any required permissions up front. I also find myself rarely removing permissions out of fear of potentially breaking a deployment. In AWS especially this has bitten me, as when adding extremely broad policies it's easy to hit AWS's maximum policy length pretty quickly.

But it seems like pulumi should have all the required information to automatically generate a list of the policies it requires to deploy (infra's not my main area, so maybe it's a hard problem, but either way it seems like it could be possible).

So my wishlist would be the following 2 features:

  • When running pulumi:preview, check and print any missing policies/permissions that would cause the deployment to fail. Possibly behind a CLI flag if necessary (though I feel like it wouldn't need to be)
  • A separate command which would print all policies/permissions required to create/update/delete all resources under management. This second request seems like it could be a much harder problem to solve, as some resources may have many different permission sets covering different kinds of updates. Maybe someone who's more versed in infra than I am can chime in with ideas or whether this would be feasible.

alex-e-leon avatar Sep 06 '24 10:09 alex-e-leon
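The first wishlist item can be approximated today from a failed deployment's own AccessDenied errors. The following is an added example written for this page, not code from the issue or from pulumi-aws: it parses AWS "is not authorized to perform" messages (a constructed sample with placeholder account id, principal and ARNs) into a per-service least-privilege policy document scoped to exactly the denied resources, deduplicates retried denials, and checks the result against the 6,144-character managed-policy limit behind the policy-length problem the issue describes.

```python
import json
import re
from collections import defaultdict

# Constructed sample of the AccessDenied messages AWS returns during a failed deploy;
# the account id, principal and resource ARNs are placeholders, not real ones.
SAMPLE_ERRORS = [
    "User: arn:aws:iam::123456789012:user/pulumi-deployer is not authorized to perform: "
    "ec2:CreateVpc on resource: arn:aws:ec2:us-east-1:123456789012:vpc/*",
    "User: arn:aws:iam::123456789012:user/pulumi-deployer is not authorized to perform: "
    "ec2:CreateTags on resource: arn:aws:ec2:us-east-1:123456789012:vpc/*",
    "User: arn:aws:iam::123456789012:user/pulumi-deployer is not authorized to perform: "
    "s3:PutBucketPolicy on resource: arn:aws:s3:::example-bucket",
    # the same denial repeated by a retry; it must not produce a duplicate entry
    "User: arn:aws:iam::123456789012:user/pulumi-deployer is not authorized to perform: "
    "ec2:CreateVpc on resource: arn:aws:ec2:us-east-1:123456789012:vpc/*",
]
DENIED_RE = re.compile(r"not authorized to perform: (\S+:\S+) on resource: (\S+)")
MANAGED_POLICY_MAX_CHARS = 6144  # IAM managed-policy size limit, whitespace excluded

def extract_denials(lines):
    """Map each denied IAM action to the set of resource ARNs it was denied on."""
    denials = defaultdict(set)
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            denials[m.group(1)].add(m.group(2))
    return denials

def build_policy(lines):
    """One Allow statement per service, scoped to exactly the resources that were denied."""
    by_service = defaultdict(lambda: {"actions": set(), "resources": set()})
    for action, resources in extract_denials(lines).items():
        svc = action.split(":", 1)[0]
        by_service[svc]["actions"].add(action)
        by_service[svc]["resources"].update(resources)
    statements = [
        {"Sid": f"Pulumi{svc.upper()}", "Effect": "Allow",
         "Action": sorted(v["actions"]), "Resource": sorted(v["resources"])}
        for svc, v in sorted(by_service.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}

def fits_managed_policy(policy):
    """IAM counts the document's characters excluding whitespace against the limit."""
    return len(re.sub(r"\s", "", json.dumps(policy))) <= MANAGED_POLICY_MAX_CHARS

if __name__ == "__main__":
    policy = build_policy(SAMPLE_ERRORS)
    print(json.dumps(policy, indent=2), "\nfits managed policy limit:", fits_managed_policy(policy))
```

Feeding the messages from a real failed `pulumi up` through this loop repeatedly yields the permission set a deployment actually exercised, which is a starting point for trimming the broad policies the issue mentions rather than a complete list of everything a later update might need.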