IAM policy for the CLI

The following are some IAM policy options that grant the CLI the permissions it needs to run. Attach one of them to the IAM user or role that will be used to run the CLI.

Using the AdministratorAccess built-in policy

If you are comfortable with it, you can use the built-in policy named AdministratorAccess. This policy is managed by AWS, and is always available. Note that this is a very powerful policy and provides full access to AWS services and resources. See AdministratorAccess AWS docs for more details.

The ARN of this policy is always arn:aws:iam::aws:policy/AdministratorAccess

An advantage of using this policy is that you won't have to update it when the CLI needs additional permissions for future versions.

Limited custom policy with restricted access

The following policy is much less powerful: it is limited to the AWS services the CLI needs, and within IAM it allows only the specific actions listed. Note that `Resource` is `"*"`, so the restriction is by action, not by resource: the listed IAM actions (including `iam:CreatePolicy`, `iam:AttachRolePolicy`, `iam:PutRolePolicy`, `iam:UpdateAssumeRolePolicy` and `iam:PassRole`) apply to every role and policy in the account, which still amounts to broad IAM administration rights.

Note that if you use this policy, future versions of the CLI may require some updates to it.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NotopsRunner",
      "Effect": "Allow",
      "Action": [
        "acm:*",
        "cloudwatch:*",
        "dynamodb:*",
        "ec2:*",
        "eks:*",
        "elasticloadbalancing:*",
        "iam:AddClientIDToOpenIDConnectProvider",
        "iam:AddRoleToInstanceProfile",
        "iam:AttachGroupPolicy",
        "iam:AttachRolePolicy",
        "iam:CreateOpenIDConnectProvider",
        "iam:CreatePolicy",
        "iam:CreatePolicyVersion",
        "iam:CreateRole",
        "iam:DeleteInstanceProfile",
        "iam:DeleteOpenIDConnectProvider",
        "iam:DeletePolicy",
        "iam:DeletePolicyVersion",
        "iam:DeleteRole",
        "iam:DeleteRolePermissionsBoundary",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetAccountName",
        "iam:GetAccountSummary",
        "iam:GetInstanceProfile",
        "iam:GetOpenIDConnectProvider",
        "iam:GetPolicy",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListAccountAliases",
        "iam:ListAttachedRolePolicies",
        "iam:ListEntitiesForPolicy",
        "iam:ListInstanceProfileTags",
        "iam:ListInstanceProfiles",
        "iam:ListInstanceProfilesForRole",
        "iam:ListOpenIDConnectProviderTags",
        "iam:ListOpenIDConnectProviders",
        "iam:ListPolicies",
        "iam:ListPolicyTags",
        "iam:ListPolicyVersions",
        "iam:ListRolePolicies",
        "iam:ListRoleTags",
        "iam:ListRoles",
        "iam:PutRolePermissionsBoundary",
        "iam:PutRolePolicy",
        "iam:RemoveClientIDFromOpenIDConnectProvider",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:SetDefaultPolicyVersion",
        "iam:TagInstanceProfile",
        "iam:TagOpenIDConnectProvider",
        "iam:TagPolicy",
        "iam:TagRole",
        "iam:UntagInstanceProfile",
        "iam:UntagOpenIDConnectProvider",
        "iam:UntagPolicy",
        "iam:UntagRole",
        "iam:UpdateAssumeRolePolicy",
        "iam:UpdateOpenIDConnectProviderThumbprint",
        "iam:UpdateRole",
        "iam:UpdateRoleDescription",
        "iam:PassRole",
        "route53:*",
        "s3:CreateBucket",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetBucketTagging",
        "s3:GetObject",
        "s3:GetObjectAttributes",
        "s3:GetObjectVersion",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListBucketVersions",
        "s3:ListTagsForResource",
        "s3:PutBucketTagging",
        "s3:PutObject",
        "secretsmanager:BatchGetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetRandomPassword",
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:ListSecretVersionIds",
        "secretsmanager:ListSecrets",
        "sts:GetCallerIdentity",
        "logs:CreateLogGroup",
        "logs:PutRetentionPolicy"
      ],
      "Resource": "*"
    }
  ]
}
