Chalice: Document required AWS policy for user

Created on 21 Jul 2016 · 13 comments · Source: aws/chalice

I guess AWSLambdaFullAccess and AmazonAPIGatewayAdministrator are required, something else too?

All 13 comments

You'll also need IAM access if you want chalice to create the roles/policies for you. I'll get the exact permissions documented.

I have managed to figure out some of the policy requirements for non-administration IAM users, at least for the IAM and API Gateway part (see below). I am also using the AWSLambdaFullAccess policy in conjunction. Hopefully this will help toward getting an all-encompassing permission set rather than granting "full" access.

Custom policy named ChaliceAccess applied to IAM user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1471020565000",
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:PutRolePolicy"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1471020565001",
            "Effect": "Allow",
            "Action": [
                "apigateway:GET",
                "apigateway:HEAD"
            ],
            "Resource": [
                "arn:aws:apigateway:us-east-1::/restapis",
                "arn:aws:apigateway:us-east-1::/restapis/*/resources",
                "arn:aws:apigateway:us-east-1::/restapis/*/resources/*"
            ]
        },
        {
            "Sid": "Stmt1471020565002",
            "Effect": "Allow",
            "Action": [
                "apigateway:DELETE"
            ],
            "Resource": [
                "arn:aws:apigateway:us-east-1::/restapis/*/resources/*"
            ]
        },
        {
            "Sid": "Stmt1471020565003",
            "Effect": "Allow",
            "Action": [
                "apigateway:POST"
            ],
            "Resource": [
                "arn:aws:apigateway:us-east-1::/restapis/*/deployments",
                "arn:aws:apigateway:us-east-1::/restapis/*/resources/*"
            ]
        },
        {
            "Sid": "Stmt1471020565004",
            "Effect": "Allow",
            "Action": [
                "apigateway:PUT"
            ],
            "Resource": [
                "arn:aws:apigateway:us-east-1::/restapis/*/methods/GET",
                "arn:aws:apigateway:us-east-1::/restapis/*/methods/GET/*",
                "arn:aws:apigateway:us-east-1::/restapis/*/methods/POST",
                "arn:aws:apigateway:us-east-1::/restapis/*/methods/POST/*",
                "arn:aws:apigateway:us-east-1::/restapis/*/methods/PUT",
                "arn:aws:apigateway:us-east-1::/restapis/*/methods/PUT/*"
            ]
        }
    ]
}

👍 @dssp301 mind making a PR for that policy for future searchers?

I'm getting an error about not being authorized to perform iam:PassRole which I don't see listed in the IAM section.

I found that this worked for me. Happy to send a PR, as well.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1471020565000",
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:PutRolePolicy",
                "iam:GetRole"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1471020565001",
            "Effect": "Allow",
            "Action": [
                "apigateway:GET",
                "apigateway:HEAD"
            ],
            "Resource": [
                "arn:aws:apigateway:AWS_REGION::/restapis",
                "arn:aws:apigateway:AWS_REGION::/restapis/*/resources",
                "arn:aws:apigateway:AWS_REGION::/restapis/*/resources/*"
            ]
        },
        {
            "Sid": "Stmt1471020565002",
            "Effect": "Allow",
            "Action": [
                "apigateway:DELETE"
            ],
            "Resource": [
                "arn:aws:apigateway:AWS_REGION::/restapis/*/resources/*"
            ]
        },
        {
            "Sid": "Stmt1471020565003",
            "Effect": "Allow",
            "Action": [
                "apigateway:POST"
            ],
            "Resource": [
                "arn:aws:apigateway:AWS_REGION::/restapis/*/deployments",
                "arn:aws:apigateway:AWS_REGION::/restapis/*/resources/*"
            ]
        },
        {
            "Sid": "Stmt1471020565004",
            "Effect": "Allow",
            "Action": [
                "apigateway:PUT"
            ],
            "Resource": [
                "arn:aws:apigateway:AWS_REGION::/restapis/*/methods/GET",
                "arn:aws:apigateway:AWS_REGION::/restapis/*/methods/GET/*",
                "arn:aws:apigateway:AWS_REGION::/restapis/*/methods/POST",
                "arn:aws:apigateway:AWS_REGION::/restapis/*/methods/POST/*",
                "arn:aws:apigateway:AWS_REGION::/restapis/*/methods/PUT",
                "arn:aws:apigateway:AWS_REGION::/restapis/*/methods/PUT/*"
            ]
        }
    ]
}

Update on this? I know chalice will auto-update its policy, but what does it need to get going?

I am experiencing access denied problems when trying to deploy with Chalice. I am not exactly sure what are the least necessary policies in my IAM user to make this work, I cannot find it anywhere in the documentation...

@jamesls Is there any document with the exact permissions needed listed?

How do either of those policies work without iam:CreateRole? If Chalice is creating/managing the role on your behalf, access to this resource would be a must.

This issue has been open for nearly 2 years and still the credentials section is gravely under documented: https://github.com/aws/chalice#credentials

Amazon should know that not providing a clear policy document/walk-through is an excellent way for accounts to be exploited, by those users who "just want to get something up and working", they inevitably end up providing dangerous amounts of access to their IAM users, and never go back to fix those permissions.

I shudder to think how many people are using a CLI user with AdministratorAccess to deploy their chalice apps.

Hi Folks. FWIW I just had a not-very-entertaining afternoon getting the Chalice demo to run. The ChaliceAccess policies posted here previously didn't work for me until I made a bunch of changes. Here's what I came up with:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:PassRole"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "apigateway:GET",
                "apigateway:POST"
            ],
            "Resource": [
                "arn:aws:apigateway:YOUR-AWS-REGION::/restapis",
                "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/resources",
                "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/resources/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "apigateway:DELETE",
            "Resource": "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/resources/*"
        },
        {
            "Effect": "Allow",
            "Action": "apigateway:POST",
            "Resource": [
                "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/deployments",
                "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/resources/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "apigateway:PUT",
            "Resource": [
                "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/GET",
                "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/GET/*",
                "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/POST",
                "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/POST/*",
                "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/PUT",
                "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/PUT/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "lambda:*",
            "Resource": "*"
        }
    ]
}

Agreed that without better documentation - or at least a managed policy - people will be tempted to throw admin roles around just to get the basics working (I was really tempted!)

Also, if you're using an account with MFA check out aws-mfa before going anywhere near Chalice.

In my case, @adamstimb's policy from https://github.com/aws/chalice/issues/59#issuecomment-460289946 failed with this error:

An error occurred (AccessDeniedException) when calling the UpdateRestApi
 operation: User: arn:aws:iam::000000000:user/xxxxx is not authorized to
 perform: apigateway:PATCH on resource: arn:aws:apigateway:xxxx::/restapis/xxxx

Adding the following fixed the issue:

{
    "Effect": "Allow",
    "Action": "apigateway:PATCH",
    "Resource": "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*"
}

Here's what I ended up with:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:PassRole",
                "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy",
                "lambda:*",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "apigateway:POST",
                "apigateway:GET"
            ],
            "Resource": [
                "arn:aws:apigateway:YOUR-AWS-REGION::/restapis",
                "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/resources",
                "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/resources/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "apigateway:DELETE",
            "Resource": "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/resources/*"
        },
        {
            "Effect": "Allow",
            "Action": "apigateway:POST",
            "Resource": [
                "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/deployments",
                "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/resources/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "apigateway:PUT",
            "Resource": [
                "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/GET",
                "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/GET/*",
                "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/POST",
                "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/POST/*",
                "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/PUT",
                "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*/methods/PUT/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "apigateway:PATCH",
            "Resource": "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*"
        }
    ]
}
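The policies in this thread grant iam:PassRole, iam:CreateRole and lambda:* on Resource "*", which is the kind of over-grant earlier comments warn about. As an added example (not from the thread or the Chalice project), this small audit script parses an IAM policy document and reports allow statements that pair privilege-sensitive IAM actions or service-wide wildcards with an unscoped resource; the sample policy embedded below is constructed to mirror the shape of the final policy above.

```python
import json

# Actions that, when allowed on Resource "*", let a principal widen its own
# privileges (create a role, attach policies to it, hand it to Lambda).
ESCALATION_ACTIONS = {
    "iam:CreateRole", "iam:PassRole", "iam:AttachRolePolicy",
    "iam:PutRolePolicy", "iam:*",
}

def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return a list of human-readable findings for an IAM policy document."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot over-grant
        actions = _as_list(stmt.get("Action", []))
        wildcard_resource = "*" in _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"service-wide wildcard action {action!r}")
            if wildcard_resource and action in ESCALATION_ACTIONS:
                findings.append(
                    f"{action} allowed on Resource '*'; scope it to the role ARN")
    return findings

# Constructed sample mirroring the last policy in the thread (abbreviated).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:GetRole", "iam:PassRole", "iam:CreateRole",
                    "iam:AttachRolePolicy", "iam:PutRolePolicy", "lambda:*"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "apigateway:PATCH",
         "Resource": "arn:aws:apigateway:YOUR-AWS-REGION::/restapis/*"},
    ],
})

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

Read-only calls such as iam:GetRole and the region-scoped apigateway statements produce no findings, so the output points only at the statements worth tightening.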

I've created a gist with the IAM policy that's worked for me: https://gist.github.com/walkermatt/68104f2c2a921b1b2fa80df0a73d7147

Thanks @walkermatt, worked for me too
