Deployment Permissions
Deployment Permissions
AWS
After attempting to document individually the AWS IAM permissions required to deploy and destroy The DeRF via terraform, I gave up when the list of permissions became extensive and were "effective admin".
I am recommending The DeRF be deployed to an targeted AWS Account with a user having the AdministratorAccess Managed Policy.
GCP Deployment
Below are the Google Managed Roles required to deploy the DeRF into a Google Project. It does not take into account the permissions required to create the project in the first place.
- roles/secretmanager.admin applied at the Project-Level
- Required to create Secrets used to store AWS Access Key Id and Secrets and assign Roles at the Secret-Level.
- roles/run.admin applied at the Project-Level
- Required to deploy the Cloud Run
aws-proxy-app
- Required to deploy the Cloud Run
- roles/artifactregistry.admin applied at the Project-Level
- Required when triggering Cloud Builds to store built image artifacts
- roles/workflows.admin applied at the Project-Level
- Required to deploy and invoke Google Workflows
- roles/resourcemanager.projectIamAdmin applied at the Project-Level
- Required to set IAM Policy at the Project level.