Reputation: 28661
Suppose I want to run some AWS CLI command, e.g. aws s3 sync dist/ "s3://${DEPLOY_BUCKET_NAME}" --delete.
How do I know what specific permissions (actions) I need to grant in order for this command to work correctly? I want to adhere to the principle of least privilege.
Just to clarify my question: I know where to find the list of all actions for S3 or any other service, and I know how to write a policy. The question is how I know which specific actions I need to grant for a given CLI command,
because each command will use different actions, and the arguments of the command also play a role here.
Upvotes: 1
Views: 371
Reputation: 78842
There's no definitive mapping to API actions from high-level awscli commands (like aws s3 sync) or from AWS console actions that I'm aware of.
One thing that you might consider is to enable CloudTrail, then temporarily enable all actions on all resources in an IAM policy, then run a test of aws s3 sync, and then review CloudTrail for what API actions were invoked on which resources. Not ideal, but it might give you something to start with.
You can use Athena to query CloudTrail Logs. It might seem daunting to set up at first, but it's actually quite easy. Then you can issue simple SQL queries such as:
SELECT eventtime, eventname, resources FROM trail20191021 ORDER BY eventtime DESC;
Upvotes: 1
Reputation: 270089
Almost every command used in the AWS CLI maps one-to-one to an IAM Action.
However, the aws s3 commands such as sync are higher-level functions that call multiple commands.
For sync, I would imagine you would need:
ListBucket
CopyObject
GetObjectACL
PutObjectACL
If that still doesn't help, then you can use AWS CloudTrail to look at the underlying API calls that the AWS CLI made to your account. The CloudTrail records will show each API call and whether it succeeded or failed.
Upvotes: 1
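The first two answers both suggest the same procedure: grant broad permissions temporarily, run the command once with CloudTrail enabled, then read the recorded API calls back into a least-privilege policy. The following script is an added example (not code from either answer or from AWS) that does the "read back" step offline over a CloudTrail log file. The log records are constructed sample data with placeholder bucket and key names; the small EVENT_TO_ACTION table is an assumption covering S3 API names whose CloudTrail eventName differs from the IAM action name, and any entry you rely on should be checked against the "Actions, Resources, and Condition Keys" reference.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail records (not real log data): roughly what a test run of
# `aws s3 sync dist/ s3://example-bucket --delete` might record. Field names follow the
# CloudTrail record format; bucket name and keys are placeholders. The last record is
# constructed as a denied call to show how failures are reported separately.
SAMPLE_TRAIL = {
    "Records": [
        {"eventTime": "2019-10-21T10:00:01Z", "eventSource": "s3.amazonaws.com",
         "eventName": "ListObjects",
         "requestParameters": {"bucketName": "example-bucket", "prefix": ""},
         "resources": [{"ARN": "arn:aws:s3:::example-bucket"}]},
        {"eventTime": "2019-10-21T10:00:02Z", "eventSource": "s3.amazonaws.com",
         "eventName": "PutObject",
         "requestParameters": {"bucketName": "example-bucket", "key": "index.html"},
         "resources": [{"ARN": "arn:aws:s3:::example-bucket/index.html"},
                       {"ARN": "arn:aws:s3:::example-bucket"}]},
        {"eventTime": "2019-10-21T10:00:03Z", "eventSource": "s3.amazonaws.com",
         "eventName": "DeleteObjects",
         "requestParameters": {"bucketName": "example-bucket"},
         "resources": [{"ARN": "arn:aws:s3:::example-bucket/old.js"},
                       {"ARN": "arn:aws:s3:::example-bucket"}]},
        {"eventTime": "2019-10-21T10:00:04Z", "eventSource": "s3.amazonaws.com",
         "eventName": "GetObject", "errorCode": "AccessDenied",
         "requestParameters": {"bucketName": "example-bucket", "key": "x.css"},
         "resources": [{"ARN": "arn:aws:s3:::example-bucket/x.css"}]},
    ]
}

# ASSUMED mapping for S3 API names whose CloudTrail eventName is not the IAM action
# name. Every other event is assumed to map 1:1 as "<service prefix>:<eventName>".
# Verify entries against the service authorization reference before trusting them.
EVENT_TO_ACTION = {
    ("s3.amazonaws.com", "ListObjects"): "s3:ListBucket",
    ("s3.amazonaws.com", "ListObjectsV2"): "s3:ListBucket",
    ("s3.amazonaws.com", "DeleteObjects"): "s3:DeleteObject",
    ("s3.amazonaws.com", "HeadObject"): "s3:GetObject",
}

S3_ARN_PREFIX = "arn:aws:s3:::"


def iam_action(record):
    """Translate one CloudTrail record into an IAM action string."""
    key = (record["eventSource"], record["eventName"])
    service = record["eventSource"].split(".")[0]      # "s3.amazonaws.com" -> "s3"
    return EVENT_TO_ACTION.get(key, f"{service}:{record['eventName']}")


def target_resources(record):
    """Pick the ARNs the action should be scoped to.

    S3 records list both the object and its bucket; object-level actions belong on
    object ARNs, so the bucket ARN is dropped when an object ARN is present. Object
    keys are generalized to bucket/* because every deploy writes different keys
    (a design choice for a deploy policy, not something CloudTrail tells you).
    """
    arns = [r["ARN"] for r in record.get("resources", [])]
    if not arns:
        return ["*"]                                    # no resource recorded
    objects = [a for a in arns
               if a.startswith(S3_ARN_PREFIX) and "/" in a[len(S3_ARN_PREFIX):]]
    if objects:
        return sorted({a.split("/", 1)[0] + "/*" for a in objects})
    return sorted(set(arns))


def derive_policy(trail):
    """Return (draft IAM policy document, list of denied calls) for a trail.

    Denied calls are still added to the draft: when iterating on a too-narrow
    policy, an AccessDenied record is exactly the permission that is missing.
    """
    grants = defaultdict(set)                           # resource ARN -> actions
    denied = []
    for rec in trail["Records"]:
        action = iam_action(rec)
        targets = target_resources(rec)
        if "errorCode" in rec:
            denied.append({"action": action, "error": rec["errorCode"],
                           "resources": targets})
        for arn in targets:
            grants[arn].add(action)
    statements = [{"Effect": "Allow", "Action": sorted(actions), "Resource": arn}
                  for arn, actions in sorted(grants.items())]
    return {"Version": "2012-10-17", "Statement": statements}, denied


if __name__ == "__main__":
    policy, denied = derive_policy(SAMPLE_TRAIL)
    print(json.dumps(policy, indent=2))
    for d in denied:
        print("denied:", d)
```

Replace SAMPLE_TRAIL with json.load() of a file from your trail's S3 delivery location to use it on real data. The draft policy is a starting point to review, not something to attach unread: the eventName mapping and the bucket/* generalization are the two places where the script makes assumptions on your behalf.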
Reputation: 1115
If you want to know for S3 specifically, that is documented in the S3 Developer Guide:
In general, you can get what you need for any AWS resource from Actions, Resources, and Condition Keys for AWS Services
And you may find the AWS Policy Generator useful
Upvotes: 0