When setting up IAM users for continuous delivery, it is difficult to determine the required privileges from the logs of a failed AWS SAM deployment, because the errors are too generic and do not name the exact resource that was denied. This page documents the basic privileges needed to run AWS SAM for a stack containing a Lambda function, deployed with the CAPABILITY_IAM capability; templates that create other resource types will need further permissions. The `((...))` tokens in the policy below are placeholders to be replaced with your own region, account ID, stack name and deployment bucket.
Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"cloudformation:CreateChangeSet",
"cloudformation:GetTemplateSummary",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:DeleteStack",
"cloudformation:DescribeChangeSet",
"cloudformation:ExecuteChangeSet",
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:GetRole",
"iam:UntagRole",
"iam:ListRoleTags",
"iam:TagRole",
"iam:PassRole",
"iam:DetachRolePolicy",
"lambda:GetFunction",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:GetFunctionConfiguration",
"s3:PutObject",
"s3:GetObject"
],
"Resource": [
"arn:aws:cloudformation:((region)):((account-id)):stack/((stack-name))/*",
"arn:aws:cloudformation:((region)):aws:transform/Serverless-2016-10-31",
"arn:aws:iam::((account-id)):role/((stack-name))-*",
"arn:aws:lambda:((region)):((account-id)):function:((stack-name))-*",
"arn:aws:s3:::((deployment-bucket))/*"
]
}
]
}