
+1 vote
in Ions by

The title says it all.

1 Answer

+1 vote
by

For now there is no such thing, sadly. This is also why this feature request was issued a while ago.

For now you'll have to use a dedicated IAM role/user with the built-in Administrator and PowerUser policies (as per the Access Control docs section).

Assigning just the Datomic Administrator Policy (datomic-admin-...) and datomic-code-... permissions will result in the following error upon Push:

{:message
 "Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 2YP8M87C0385R93H; S3 Extended Request ID: +dHQtObBUaq/T7BH7lWKNALPOCNULLd1uYy0PkXoVCeQ9A8hmilVo3KpNhtnGSOxbXB/NhPzQCI=; Proxy: null)",
 :class AmazonS3Exception}

That said, you are forced to leak access keys with full DB administrator control to all your system developers and CI/CD operators, which is not as "least privileged" as one would probably like. Or I may be missing something here...
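As an added illustration (not code from the answer above, from Datomic, or from its docs): the AccessDenied error comes from S3, so the policies attached to the pushing principal evidently grant no S3 object access on the deployment bucket. The small evaluator below applies IAM's explicit-deny / allow / implicit-deny rule to constructed sample policies and runs a pre-flight check for the S3 requests a push is assumed to need. The bucket name, the two sample policies and the list of checked S3 actions are all assumptions; the real contents of the datomic-admin-* / datomic-code-* policies are not on this page.

```python
import re

def _glob_match(pattern, value, case_insensitive=False):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if case_insensitive else 0) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def evaluate(policies, action, resource):
    """Simplified identity-policy evaluation for one request: an explicit Deny
    wins, then any matching Allow, otherwise the request is implicitly denied.
    (Conditions, NotAction/NotResource and resource-based policies are ignored.)"""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_glob_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
                continue  # actions are matched case-insensitively
            if not any(_glob_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"

# Constructed sample: a policy that grants deployment-side actions but nothing on S3.
CONSTRUCTED_NON_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["lambda:*", "codedeploy:*"], "Resource": "*"}],
}
# Hypothetical bucket ARN; the push error shows object access on this bucket is needed.
DEPLOY_BUCKET_ARN = "arn:aws:s3:::example-ions-deploy-bucket"
# Constructed sample: S3 access scoped to that one bucket instead of PowerUser/Administrator.
CONSTRUCTED_S3_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": [DEPLOY_BUCKET_ARN, DEPLOY_BUCKET_ARN + "/*"],
    }],
}

def push_preflight(policies, bucket_arn=DEPLOY_BUCKET_ARN):
    """Return the (action, resource) pairs a push is assumed to need that the
    policies do not allow; an empty list means the S3 side should not 403."""
    checks = [("s3:ListBucket", bucket_arn),
              ("s3:PutObject", bucket_arn + "/*"),
              ("s3:GetObject", bucket_arn + "/*")]
    return [(a, r) for a, r in checks if evaluate(policies, a, r) != "Allow"]
```

The same evaluator can be pointed at a policy pulled from IAM before a CI run, so a missing S3 grant surfaces as a failed pre-flight rather than as a 403 halfway through the push.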

by
edited by
I've finally managed to compose a "least privilege" set of permissions that makes it possible to push a revision into CodeDeploy, and then, by accident, found a more detailed one that should also allow deploying the revision, creating the Lambda, checking status, etc. Here it is, in Vouch's open source GH repo:
https://github.com/vouch-opensource/datomic-ions-deploy#aws-iam-permissions
...