Replies: 2 comments
I have been looking at this for EC2. I am assuming that working through all the failures for a user, with some permissions added as necessary, will give this. Not up to the storage part yet.
That looks something like this currently. Not got to a container part as yet, so would have to add various ECR/ECS permissions. Note: this will need ECR and Lambda and roles as necessary for other things.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "ec2:TerminateInstances",
                "ec2:DeleteTags",
                "ec2:CreateTags",
                "ec2:RunInstances",
                "ec2:DescribeVpcs",
                "ec2:CreateVpc",
                "ec2:CreateSubnet",
                "ec2:DescribeInternetGateways",
                "ec2:CreateInternetGateway",
                "ec2:DescribeRouteTables",
                "ec2:AssociateRouteTable",
                "ec2:DescribeSecurityGroups",
                "ec2:ImportKeyPair",
                "ec2:DescribeImages",
                "ec2:DescribeSpotPriceHistory",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstances",
                "ec2:DescribeSubnets",
                "ec2:DescribeKeyPairs",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RequestSpotInstances",
                "ec2:CreateImage"
            ],
            "Resource": "*"
        }
    ]
}
```
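An added example, not part of the thread or of the Lithops project: a Python script that splits the wildcard statement from the policy above so that the S3 actions are pinned to one bucket, the EC2 `Describe*` calls stay on `*`, and every remaining action is listed for manual scoping. The function name `tighten`, the generated `Sid` values and the bucket name `example-lithops-bucket` are assumptions made for illustration.

```python
import json

# Only the three S3 actions that appear in the policy above are classified.
S3_BUCKET = {"s3:listbucket"}                    # act on the bucket ARN
S3_OBJECT = {"s3:getobject", "s3:putobject"}     # act on object ARNs


def _listify(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return list(value) if isinstance(value, list) else [value]


def tighten(policy, bucket):
    """Split wildcard Allow statements; return (new_policy, needs_review)."""
    out, needs_review = [], []
    for i, stmt in enumerate(_listify(policy["Statement"])):
        wildcard = "*" in _listify(stmt.get("Resource", []))
        if stmt.get("Effect") != "Allow" or not wildcard or "Action" not in stmt:
            out.append(stmt)                     # already scoped, Deny, or NotAction
            continue
        actions = _listify(stmt["Action"])
        extra = {k: v for k, v in stmt.items() if k not in ("Sid", "Action", "Resource")}
        groups = [
            ("BucketLevel", [a for a in actions if a.lower() in S3_BUCKET],
             f"arn:aws:s3:::{bucket}"),
            ("ObjectLevel", [a for a in actions if a.lower() in S3_OBJECT],
             f"arn:aws:s3:::{bucket}/*"),
            # EC2 Describe* calls do not support resource-level permissions.
            ("Ec2ReadOnly", [a for a in actions if a.lower().startswith("ec2:describe")], "*"),
        ]
        placed = {a for _, acts, _ in groups for a in acts}
        rest = [a for a in actions if a not in placed]
        groups.append(("NeedsScoping", rest, "*"))
        needs_review.extend(rest)
        for sid, acts, resource in groups:
            if acts:                             # index keeps Sids unique per policy
                out.append({**extra, "Sid": f"{sid}{i}", "Action": acts, "Resource": resource})
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": out}, needs_review


# Constructed input: an abridged copy of the policy posted above.
SAMPLE = json.loads("""{"Version": "2012-10-17", "Statement": [{"Sid": "VisualEditor0",
  "Effect": "Allow", "Resource": "*", "Action": ["s3:ListBucket", "s3:GetObject",
  "s3:PutObject", "ec2:RunInstances", "ec2:TerminateInstances", "ec2:DescribeInstances",
  "ec2:DescribeImages", "ec2:CreateVpc"]}]}""")

if __name__ == "__main__":
    tightened, review = tighten(SAMPLE, "example-lithops-bucket")  # placeholder name
    print(json.dumps(tightened, indent=2))
    print("still on Resource '*', scope by hand:", review)
```

The actions returned in the review list are the ones that create, change or delete resources while still applying to every resource in the account, so they are the first candidates for resource ARNs or tag conditions.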
Hi folks,
Lithops seems like a great project, but I'm having some trouble getting started and was hoping someone could shed a light on this.
In the docs, I read that I should attach the following permissions to a role if I would like to use Lithops together with Lambda. However, granting full permissions on all resources in e.g. S3 and EC2 appears to be quite extensive. Is this really required for this purpose? I could not find a real reason in the documentation so far, so I'm assuming these Lambda functions will only interact with Lambda and a single S3 bucket.
Furthermore, the documentation specifies Lithops requires an AWS access key and secret to function but not what kind of privileges should be linked to this identity. Is there a documented least privilege approach that I can follow?
Meanwhile, I will keep reading the source code!