docs: add minimal permission set for using layer

Alex Melnyk · Alex Melnyk · commit e16c874917c2 · 2020-11-03T15:02:17.000+01:00
diff --git a/docs/content/index.mdx b/docs/content/index.mdx
@@ -51,6 +51,41 @@ This will add a nested app stack with an output parameter `LayerVersionArn`, tha
     - !GetAtt AwsLambdaPowertoolsPythonLayer.Outputs.LayerVersionArn
 ```
 
+Here is the list of IAM permissions that you need to add to your deployment IAM role to use the layer, keep in mind to replace the placeholders:
+
+```yaml
+Version: '2012-10-17'
+Statement:
+  - Sid: CloudFormationTransform
+    Effect: Allow
+    Action: cloudformation:CreateChangeSet
+    Resource:
+      - arn:aws:cloudformation:us-east-1:aws:transform/Serverless-2016-10-31
+  - Sid: GetCfnTemplate
+    Effect: Allow
+    Action:
+      - serverlessrepo:CreateCloudFormationTemplate
+      - serverlessrepo:GetCloudFormationTemplate
+    Resource:
+      - arn:aws:serverlessrepo:eu-west-1:057560766410:applications/aws-lambda-powertools-python-layer
+  - Sid: S3AccessLayer
+    Effect: Allow
+    Action:
+      - s3:GetObject
+    Resource:
+      - arn:aws:s3:::awsserverlessrepo-changesets-*/*
+  - Sid: GetLayerVersion
+    Effect: Allow
+    Action:
+      - lambda:PublishLayerVersion
+      - lambda:GetLayerVersion
+    Resource:
+      - arn:aws:lambda:YOUR_AWS_REGION:YOUR_AWS_ACCOUNT:layer:aws-lambda-powertools-python-layer*
+
+```
+
+The region and the account id for `CloudFormationTransform` and `GetCfnTemplat` are fixed.
+
 You can fetch the available versions via the API with:
 
 ```bash
