Hi folks,
Lithops seems like a great project, but I'm having some trouble getting started and was hoping someone could shed some light on this.
In the docs, I read that I should attach the following permissions to a role if I would like to use Lithops together with Lambda. However, granting full permissions on all resources in e.g. S3 and EC2 appears to be quite extensive. Is this really required for this purpose? I could not find a real reason in the documentation so far, so I'm assuming these Lambda functions will only interact with Lambda and a single S3 bucket.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:*",
                    "lambda:*",
                    "ec2:*",
                    "ecr:*",
                    "sts:GetCallerIdentity",
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents"
                ],
                "Resource": "*"
            }
        ]
    }
Furthermore, the documentation specifies Lithops requires an AWS access key and secret to function but not what kind of privileges should be linked to this identity. Is there a documented least privilege approach that I can follow?
Meanwhile, I will keep reading the source code!
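Added example, not part of the original issue and not Lithops code: a small Python check that walks the policy quoted above and reports which grants are broad, so the statements to narrow first are explicit. The function name `find_broad_grants` and the severity labels are assumptions of this example.

```python
import json

# The policy quoted in the issue, copied verbatim.
DOCS_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Action": ["s3:*", "lambda:*", "ec2:*", "ecr:*", "sts:GetCallerIdentity",
              "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
   "Resource": "*"}]}
""")


def _as_list(value):
    """IAM accepts either a bare string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def find_broad_grants(policy):
    """Return one finding per allowed action that is broader than a scoped grant.

    high   = wildcard action (e.g. "s3:*") granted on Resource "*"
    medium = wildcard action on scoped resources, or a named action on "*"
             (some actions only accept "*", so medium means "review", not "wrong")
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear unwrapped
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        all_resources = "*" in _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            _, _, name = action.partition(":")
            wildcard_action = action == "*" or "*" in name
            if wildcard_action and all_resources:
                severity = "high"
            elif wildcard_action or all_resources:
                severity = "medium"
            else:
                continue
            findings.append({"statement": index, "action": action, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in find_broad_grants(DOCS_POLICY):
        print(f'{finding["severity"]:6} statement {finding["statement"]}: {finding["action"]}')
```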