I'm currently deploying AWS infrastructure using Terraform stored in a GitHub repo and leveraging GitHub Actions with OIDC for running the Terraform code. Initially, I set the IAM role permissions for the GitHub Action to be quite broad, which worked but isn't really secure. My setup looks something like this:
"Action": [
"ec2:*",
"sts:*"
]
While testing, it has become a hassle to add permissions every time a GitHub Action fails due to missing IAM privileges. Is there a more efficient way to figure out the specific permissions needed for my IAM role without the trial-and-error approach? I was thinking about IAM Access Analyzer but wanted to see if anyone has better suggestions or best practices before I dive into that.
4 Answers
Check out Pike! It’s super handy, and you can point it at your Terraform setup to automatically generate a minimal IAM policy that fits your needs. Here’s the link: [Pike GitHub](https://github.com/JamesWoolfenden/pike).
I like using resource tags for environment names during deployments. It makes tracking much easier and helps you set permissions based on those tags.
Here’s a thought: if you’re really worried about security, it might be better not to give GitHub direct write access to AWS at all. Consider giving CodeBuild read-only access to your source instead; it’s cleaner from an audit perspective and generally safer.
When I test, I often start with more permissions too, like you did. Then I check CloudTrail to see what actions were called and use that to narrow down the permissions. IAM Access Analyzer is also worth looking into; it can help create policies based on CloudTrail activities for better scoping.
I’ve had some issues with Access Analyzer too, but it can be a good starting point. Just keep in mind sometimes it might not generate the exact permissions you need, like for Route 53.