In the past, we've discussed doing this at the pulumi-aws layer.
We could have serializeFunction in the core SDK return a list of captured resources (it already computes this for other reasons - just doesn't return it). Then the code in pulumi-aws that constructs a Lambda from a serialized function could use that list of resources to compute a minimum grant of permissions.
The biggest challenge would be enumerating the map from AWS resources to IAM permissions. This map is also likely evolving over time, and is not schematized anywhere.
This could be the default, with the current broad rights an opt-in (breaking change), or vice-versa (not a breaking change, but less useful).
Currently pulumi defaults to assigning broad access policies to compute resources:
arn:aws:iam::aws:policy/AWSLambdaFullAccess,arn:aws:iam::aws:policy/AmazonEC2ContainerServiceFullAccess
If you want to use more restrictive policies, you can; however, my understanding is you have to define them yourself.
Ideally pulumi would default to bare minimum, restrictive policies and deduce what additional policies/permissions are required based on how resources are used. E.g. a put call from within a function to a table would result in a policy being assigned to the function that allows puts to that table.
While this should be possible with inline lambda callbacks, I assume it would not work with Tasks and other external resources (because pulumi has no visibility over the references/resource usage) - so not sure what the solution here would be exactly.
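A sketch of the minimum-grant computation discussed in this thread, added here as an example and not Pulumi's own code: it takes the captured-resource list that serializeFunction would return and emits a least-privilege policy document from a resource-type-to-IAM-action map, refusing resource types it cannot map rather than falling back to a broad managed policy. The map, the Captured shape, the operation names and the resource type tokens are assumptions for illustration; as noted above, no such map is schematized anywhere.

```typescript
// Added example, not Pulumi's code: derive a least-privilege IAM policy from
// the resources a serialized callback captures. The GRANTS map below is a
// constructed assumption; AWS publishes no schematized resource->action map.

interface Captured { type: string; arn: string; ops: string[] }
interface Statement { Effect: "Allow"; Action: string[]; Resource: string }
interface PolicyDocument { Version: "2012-10-17"; Statement: Statement[] }

// Constructed map: resource type -> operation -> IAM actions, plus the ARN
// form the actions apply to (S3 object actions target bucket/*, not bucket).
const GRANTS: Record<string, { resource: (arn: string) => string; ops: Record<string, string[]> }> = {
  "aws:dynamodb/table:Table": {
    resource: arn => arn,
    ops: { put: ["dynamodb:PutItem"], get: ["dynamodb:GetItem"], query: ["dynamodb:Query"] },
  },
  "aws:s3/bucket:Bucket": {
    resource: arn => `${arn}/*`,
    ops: { put: ["s3:PutObject"], get: ["s3:GetObject"] },
  },
};

// One Allow statement per captured resource, limited to the actions the
// observed operations need. An unmapped type is refused, not silently widened.
function minimumPolicy(captured: Captured[]): PolicyDocument {
  const actionsByResource = new Map<string, Set<string>>();
  for (const c of captured) {
    const grant = GRANTS[c.type];
    if (!grant) throw new Error(`no IAM mapping for ${c.type}; write this grant by hand`);
    const resource = grant.resource(c.arn);
    const set = actionsByResource.get(resource) ?? new Set<string>();
    for (const op of c.ops) {
      const actions = grant.ops[op];
      if (!actions) throw new Error(`operation ${op} is not mapped for ${c.type}`);
      actions.forEach(a => set.add(a));
    }
    actionsByResource.set(resource, set);
  }
  const Statement = Array.from(actionsByResource.entries()).map(([Resource, actions]) =>
    ({ Effect: "Allow" as const, Action: Array.from(actions).sort(), Resource }));
  return { Version: "2012-10-17", Statement };
}

// Constructed sample: what a captured-resource report might look like for a
// callback that writes and reads one table and writes objects to one bucket.
const sampleCaptures: Captured[] = [
  { type: "aws:dynamodb/table:Table", arn: "arn:aws:dynamodb:us-east-1:123456789012:table/orders", ops: ["put", "get"] },
  { type: "aws:s3/bucket:Bucket", arn: "arn:aws:s3:::receipts", ops: ["put"] },
];
console.log(JSON.stringify(minimumPolicy(sampleCaptures), null, 2));
```

The thrown error is the point for Tasks and other external resources: when usage is invisible to the SDK, the grant has to be authored explicitly instead of defaulting to *FullAccess.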