Convenient way to see permissions used and resources accessed when running custom Python code


Hello,

I often find myself writing/testing custom Python code that accesses AWS resources via boto3. I test the code locally under my own credentials, which are typically very permissive. Later, if I deploy this code to a cloud service such as ECS, EKS, Lambda, etc., I have to ensure that I've given that service appropriate IAM permissions to perform the required actions. Presently this is a somewhat slow and painful iterative process, where I read through the code just to see all the boto3 methods it calls and what resources are touched, and then create the appropriate policy.

My question is this: is there any way to run my script on my dev machine and log the IAM permissions used and the resources touched, such that I can just reference that log for a comprehensive list of the resources and permissions needed (at least for that specific run of the script, understanding that things could change if some of the resources are dynamic)? This might be a hook into boto3.

This would be a huge time-saver. Any tips appreciated.

Thanks! Andrei

1 answer

Certainly. IAM Access Analyzer can do this for you by reviewing CloudTrail events and providing a policy as an output.

IAM Access Analyzer generates IAM policies based on access activity in your AWS CloudTrail logs.

Please find some info here.

https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html

Expert
answered 4 months ago
Expert Steve_M
reviewed 4 months ago
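For the local boto3 hook the question asks about, here is an added example (not from the post or from AWS): it registers a handler on botocore's `provide-client-params` event, which fires with the API parameters of every call made through the session, and records an IAM-style action name plus the resource-naming parameters. The action prefix is approximated from the service's signing name, which matches the IAM service prefix for most but not all services, and `RESOURCE_KEYS` is a constructed list of common resource-naming parameters; a log from one run only covers the code paths that run, as the question notes.

```python
"""Log the IAM-style action and resource parameters of every boto3 API call.

Constructed example. Assumptions: the signing name approximates the IAM
service prefix (true for most services, e.g. s3, lambda, dynamodb; not for
all), and RESOURCE_KEYS is a hand-picked list of parameters that name resources.
"""
import json
from typing import Any, Dict, List

# Constructed list of parameters that usually identify the resource touched.
RESOURCE_KEYS = ("Bucket", "Key", "TableName", "FunctionName", "QueueUrl",
                 "TopicArn", "RoleName", "InstanceIds", "SecretId", "Name")


def record_from_call(prefix: str, operation: str, params: Dict[str, Any]) -> Dict[str, Any]:
    """Build one log record: '<prefix>:<Operation>' plus the resource-naming params."""
    resources = {k: v for k, v in params.items() if k in RESOURCE_KEYS}
    return {"action": f"{prefix}:{operation}", "resources": resources}


class CallLogger:
    def __init__(self) -> None:
        self.records: List[Dict[str, Any]] = []

    def handler(self, params: Dict[str, Any], model: Any, **kwargs: Any) -> None:
        # botocore passes the OperationModel; its service_model carries the
        # signing name. Returning None is required: a non-None return value
        # would replace the call's parameters.
        rec = record_from_call(model.service_model.signing_name, model.name, params)
        self.records.append(rec)
        print(json.dumps(rec, default=str))

    def actions(self) -> List[str]:
        """Sorted, de-duplicated action names seen so far (policy 'Action' list)."""
        return sorted({r["action"] for r in self.records})

    def attach(self, session: Any) -> None:
        # Register for every service and operation. Do this on the session
        # before creating clients: clients inherit the session's event handlers.
        session.events.register("provide-client-params.*.*", self.handler)


if __name__ == "__main__":
    import boto3  # only needed for a real run; needs credentials and network

    session = boto3.Session()
    logger = CallLogger()
    logger.attach(session)
    s3 = session.client("s3")
    s3.list_objects_v2(Bucket="example-bucket")  # constructed bucket name
    print("actions used:", logger.actions())
```

Run the script once under your own credentials and use `logger.actions()` as the starting point for the deployment role's policy, then verify it with the Access Analyzer output.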
