What are the least privileges required for AWS SAM?

Rizart Dokollari
1 min read, Nov 22, 2020


When setting up IAM users for continuous delivery, it is difficult to work out the privileges required from the logs of a failed AWS SAM deployment: the errors are too generic and do not name the exact resource that was denied. This page documents the basic privileges for running AWS SAM with a Lambda function and the CAPABILITY_IAM capability.

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateChangeSet",
                "cloudformation:GetTemplateSummary",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ExecuteChangeSet",
                "iam:AttachRolePolicy",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:GetRole",
                "iam:UntagRole",
                "iam:ListRoleTags",
                "iam:TagRole",
                "iam:PassRole",
                "iam:DetachRolePolicy",
                "lambda:GetFunction",
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunctionConfiguration",
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:cloudformation:((region)):((account-id)):stack/((stack-name))/*",
                "arn:aws:cloudformation:((region)):aws:transform/Serverless-2016-10-31",
                "arn:aws:iam::((account-id)):role/((stack-name))-*",
                "arn:aws:lambda:((region)):((account-id)):function:((stack-name))-*",
                "arn:aws:s3:::((deployment-bucket))/*"
            ]
        }
    ]
}
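As an added example (not part of the original post), a small Python helper that renders the ((placeholder)) ARNs above for one account and refuses to emit the policy if any Resource is still a wildcard or an unrendered template, or if an action's service has no scoped ARN at all. The VALUES dictionary holds constructed sample values, not a real account.

```python
import re

# Sample substitutions for one deployment target (constructed values, not real).
VALUES = {"region": "eu-west-1", "account-id": "123456789012",
          "stack-name": "orders-api", "deployment-bucket": "orders-api-artifacts"}

# Actions and resource ARN templates taken from the policy above.
ACTIONS = [
    "cloudformation:CreateChangeSet", "cloudformation:GetTemplateSummary",
    "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents",
    "cloudformation:DeleteStack", "cloudformation:DescribeChangeSet",
    "cloudformation:ExecuteChangeSet", "iam:AttachRolePolicy", "iam:CreateRole",
    "iam:DeleteRole", "iam:GetRole", "iam:UntagRole", "iam:ListRoleTags",
    "iam:TagRole", "iam:PassRole", "iam:DetachRolePolicy", "lambda:GetFunction",
    "lambda:CreateFunction", "lambda:DeleteFunction",
    "lambda:GetFunctionConfiguration", "s3:PutObject", "s3:GetObject",
]
RESOURCES = [
    "arn:aws:cloudformation:((region)):((account-id)):stack/((stack-name))/*",
    "arn:aws:cloudformation:((region)):aws:transform/Serverless-2016-10-31",
    "arn:aws:iam::((account-id)):role/((stack-name))-*",
    "arn:aws:lambda:((region)):((account-id)):function:((stack-name))-*",
    "arn:aws:s3:::((deployment-bucket))/*",
]

def render(template, values):
    """Replace every ((key)) token; an unknown key raises so a typo cannot leave one unrendered."""
    def sub(match):
        key = match.group(1)
        if key not in values:
            raise KeyError(f"no value for placeholder (({key}))")
        return values[key]
    return re.sub(r"\(\((.+?)\)\)", sub, template)

def check_scope(actions, resources):
    """Findings that weaken least privilege: unscoped/unrendered ARNs, actions with no ARN of their service."""
    findings = []
    services = {arn.split(":")[2] for arn in resources if arn.startswith("arn:")}
    for arn in resources:
        if arn == "*" or "((" in arn:
            findings.append(f"unscoped or unrendered resource: {arn}")
    for action in actions:
        if action == "*" or action.split(":")[0] not in services:
            findings.append(f"action {action} has no resource ARN for its service")
    return findings

def build_policy(values):
    rendered = [render(arn, values) for arn in RESOURCES]
    findings = check_scope(ACTIONS, rendered)
    if findings:
        raise ValueError("; ".join(findings))
    return {"Version": "2012-10-17", "Statement": [{"Sid": "VisualEditor0",
            "Effect": "Allow", "Action": ACTIONS, "Resource": rendered}]}
```

Run build_policy(VALUES) in the pipeline that creates the CI user and store the result; a missing substitution or a stray "*" fails the build instead of shipping an over-broad policy.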

Originally published at https://stories.rdok.co.uk on November 22, 2020.
