Minimum Permissions for CDK Bootstrap
I just knew people shouldn't need to use "AdministratorAccess" permissions to simply bootstrap an AWS account, and I couldn't find a definitive example anywhere.
Not from AWS themselves, or their documentation, or any examples, or anyone else in tutorials mentioning the actual minimum permissions. So I went on my own journey.
These are the minimum permissions required to cdk bootstrap an AWS account and region:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "0",
            "Effect": "Allow",
            "Action": [
                "cloudformation:DescribeStacks",
                "cloudformation:CreateChangeSet",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:GetTemplate"
            ],
            "Resource": "arn:aws:cloudformation:<REGION>:<ACCOUNT_NUMBER>:stack/CDKToolkit/*"
        }
    ]
}
Methodology:
- Create an IAM user.
- Provision and record the Access Key ID and Secret Access Key.
- Attach NO permissions at all.
- Attempt to bootstrap a region.
- Note the failure and the permission that was reported as missing.
- Add that permission to the policy attached directly to the user.
- Re-run the bootstrap command.
- Repeat as needed until the bootstrap succeeds.
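The loop above is manual: read the AccessDenied message, copy the action and resource into the policy, retry. The following script is an added example, not code from the original post, that automates the bookkeeping half of that loop. It parses the standard AWS "is not authorized to perform: ACTION on resource: ARN" denial message, adds the reported action to an Allow statement scoped to that resource, and never duplicates an action it already granted. The sample denial messages, the account number 123456789012, the region us-east-1 and the user name cdk-bootstrap are constructed placeholders, and the wildcard stack ARN mirrors the one in the policy above.

```python
import json
import re

# The wording "User: <arn> is not authorized to perform: <action> on resource:
# <arn>" is the standard AWS AccessDenied message format. The optional trailing
# "because no identity-based policy allows ..." clause is ignored.
_DENIED = re.compile(
    r"is not authorized to perform: (?P<action>[a-zA-Z0-9-]+:[A-Za-z0-9*]+)"
    r"(?: on resource: (?P<resource>\S+))?"
)

# Constructed sample output from successive failed `cdk bootstrap` runs.
# Account, region, user name and ARNs are placeholders, not real values.
SAMPLE_DENIALS = [
    "User: arn:aws:iam::123456789012:user/cdk-bootstrap is not authorized to "
    "perform: cloudformation:DescribeStacks on resource: "
    "arn:aws:cloudformation:us-east-1:123456789012:stack/CDKToolkit/* "
    "because no identity-based policy allows the cloudformation:DescribeStacks action",
    "User: arn:aws:iam::123456789012:user/cdk-bootstrap is not authorized to "
    "perform: cloudformation:CreateChangeSet on resource: "
    "arn:aws:cloudformation:us-east-1:123456789012:stack/CDKToolkit/*",
    # A repeat of the first denial: must not produce a duplicate action.
    "User: arn:aws:iam::123456789012:user/cdk-bootstrap is not authorized to "
    "perform: cloudformation:DescribeStacks on resource: "
    "arn:aws:cloudformation:us-east-1:123456789012:stack/CDKToolkit/*",
    # Unrelated CLI output that should be skipped entirely.
    "Bootstrapping environment aws://123456789012/us-east-1...",
]


def parse_denial(message):
    """Return (action, resource) from an AccessDenied message, or None.

    Denials that name no resource are recorded against "*" so the missing
    action still lands in the policy and can be tightened by hand later.
    """
    match = _DENIED.search(message)
    if not match:
        return None
    return match.group("action"), match.group("resource") or "*"


def add_permission(policy, action, resource):
    """Grant `action` on `resource`, reusing an existing Allow statement for
    that resource when one exists. Returns True if the policy changed."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Resource") != resource:
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if action in actions:
            return False  # already granted on this resource
        actions.append(action)
        stmt["Action"] = actions
        return True
    # No statement for this resource yet: open a new one, numbered like the
    # author's "Sid": "0" convention.
    policy["Statement"].append({
        "Sid": str(len(policy["Statement"])),
        "Effect": "Allow",
        "Action": [action],
        "Resource": resource,
    })
    return True


def build_policy(messages):
    """Fold a sequence of denial messages into a minimal IAM policy document."""
    policy = {"Version": "2012-10-17", "Statement": []}
    for message in messages:
        parsed = parse_denial(message)
        if parsed is not None:
            add_permission(policy, *parsed)
    return policy


if __name__ == "__main__":
    # Paste each failed run's error into SAMPLE_DENIALS (or feed stdin) and
    # attach the printed document to the bootstrap user before retrying.
    print(json.dumps(build_policy(SAMPLE_DENIALS), indent=4))
```

Each retry of the bootstrap command only surfaces the next missing permission, so the script is meant to be run once per iteration of the loop; the policy it prints stays scoped to the exact resource ARN the denial reported, which is what keeps the end result at least-privilege rather than a service-wide wildcard.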