Tags: amazon-web-services, terraform, amazon-iam, policy, aws-iam-policy

How can I generate a minimum viable AWS IAM policy from my terraform?


I'm planning on creating a smoke test that runs in a GitHub Actions workflow to test my EKS cluster infrastructure as code, but I don't know what the minimum permissions are that my Terraform environment requires to successfully apply.

I do NOT want to give my workflow too many permissions for security reasons!

Is there an easy way to figure out which permissions I do require?


Solution

  • Using CSM (Client Side Metrics) you can monitor client-side which API calls are made by your Terraform scripts.

    This can be enabled using:

    export AWS_CSM_ENABLED=true
    

    When running anything that interacts with AWS from this terminal, an event will be received on localhost port 31000.

    Now open a second terminal and run netcat to monitor for traffic on the monitoring server.

    nc -kluvw 1 localhost 31000
    

    In your original terminal, where you exported the variable, now try running an AWS command. E.g.

    aws sts get-caller-identity
    

    In the other terminal you now see which API calls are involved with this command. E.g.:

    {"Version":1,"ClientId":"","Type":"ApiCallAttempt","Service":"STS","Api":"GetCallerIdentity","Timestamp":1652343233117,"AttemptLatency":116,"Fqdn":"sts.eu-west-1.amazonaws.com","UserAgent":"aws-cli/2.6.3 Python/3.9.12 Darwin/21.4.0 source/x86_64 prompt/off command/sts.get-caller-identity","AccessKey":"**********","Region":"eu-west-1","SessionToken":"*******
    {"Version":1,"ClientId":"","Type":"ApiCall","Service":"STS","Api":"GetCallerIdentity","Timestamp":1652343233116,"AttemptCount":1,"Region":"eu-west-1","UserAgent":"aws-cli/2.6.3 Python/3.9.12 Darwin/21.4.0 source/x86_64 prompt/off command/sts.get-caller-identity","FinalHttpStatusCode":200,"Latency":117,"MaxRetriesExceeded":0}
    

    However, this still doesn't tell you exactly which IAM permissions you will need. Luckily there is another tool that allows you to live-capture all API calls and write them to an AWS policy JSON. See: https://github.com/iann0036/iamlive

    With a ~/.aws/config profile you can run the following to listen for all events.

    Don't forget to SIGHUP (ctrl+c) netcat as only one process can listen on the port.

    iamlive --set-ini --profile my-profile --output-file policy.json --refresh-rate 5
    

    Or just use the default if you don't use a profile.

    iamlive --set-ini --output-file policy.json --refresh-rate 5
    

    Now, in the terminal with AWS_CSM_ENABLED exported, you can run your Terraform commands. You will see all the permissions being added live to the policy.

    When finished you can do ctrl+c to SIGHUP the iamlive command and have the policy written to the given --output-file argument.

    To get an idea of how to use this policy, check out this project that sets up an OIDC provider for a given git repository, allowing that repository access to the AWS resources defined in this policy.

    Now you can set up an OIDC provider on the AWS side and authenticate your workflow to get the fine-grained permissions.

    How OIDC helps harden your workflow security

    https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect

    What to configure on the AWS side

    https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
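The CSM records shown in the answer above are plain JSON datagrams, so the core of what iamlive does (turn captured ApiCall events into a list of IAM actions) can be seen in a few lines. The following is an added example, not code from the answer or from the iamlive project: it parses CSM records into a least-privilege policy skeleton and, when run directly, listens on 127.0.0.1:31000 (the same port netcat used above) until Ctrl+C and writes policy.json. The sample records are constructed from the answer's output (abridged), and the IAM_PREFIX_OVERRIDES map is an illustrative assumption: the CSM "Service" name is not always the IAM action prefix, which is why iamlive ships a full mapping.

```python
import json
import socket

# Constructed sample records, abridged from the CSM output shown in the answer.
SAMPLE_EVENTS = [
    '{"Version":1,"Type":"ApiCallAttempt","Service":"STS","Api":"GetCallerIdentity","Region":"eu-west-1"}',
    '{"Version":1,"Type":"ApiCall","Service":"STS","Api":"GetCallerIdentity","AttemptCount":1,"FinalHttpStatusCode":200}',
    '{"Version":1,"Type":"ApiCall","Service":"EKS","Api":"DescribeCluster","AttemptCount":1,"FinalHttpStatusCode":200}',
]

# Assumption (illustrative only): CSM service ids that do not lowercase directly
# into the IAM action prefix. Real tooling needs the complete SDK->IAM mapping.
IAM_PREFIX_OVERRIDES = {
    "Elastic Load Balancing v2": "elasticloadbalancing",
}


def iam_action(event):
    """Map one CSM record to an IAM action name; non-ApiCall records yield None."""
    # Each call produces one ApiCall record plus one ApiCallAttempt per retry;
    # counting only ApiCall avoids duplicates and never misses an action.
    if event.get("Type") != "ApiCall":
        return None
    service = event["Service"]
    prefix = IAM_PREFIX_OVERRIDES.get(service, service.lower().replace(" ", ""))
    return f"{prefix}:{event['Api']}"


def build_policy(lines):
    """Aggregate raw CSM JSON lines into a single Allow statement with deduplicated actions."""
    actions = set()
    for line in lines:
        try:
            event = json.loads(line.strip())
        except json.JSONDecodeError:
            continue  # blank or truncated record (e.g. cut off by terminal width): skip it
        action = iam_action(event)
        if action:
            actions.add(action)
    # Resource "*" is a starting point only; scope it down to the actual ARNs before use.
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}]}


if __name__ == "__main__":
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 31000))  # the CSM port used by the netcat command above
    received = []
    try:
        while True:  # one UDP datagram per CSM record; stop with Ctrl+C
            data, _ = sock.recvfrom(65535)
            received.append(data.decode("utf-8", "replace"))
    except KeyboardInterrupt:
        pass
    with open("policy.json", "w") as fh:
        json.dump(build_policy(received), fh, indent=2)
```

Run it instead of netcat in the second terminal, then run terraform with AWS_CSM_ENABLED=true in the first; the generated statement is a review input, not a finished policy.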