Adding your IAM Credentials
Seed needs your AWS IAM credentials to deploy your project on your behalf to your AWS account.
The IAM permissions that Seed requires are made up of:
- The permissions that Seed needs
- And the permissions SST or Serverless Framework needs to deploy your app
Seed can help you create an IAM role with the necessary credentials. Hit the Help me create an IAM Role link.
Review the permissions that Seed needs.
For reference here are the permissions Seed needs.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManagePromoteChangeset",
      "Effect": "Allow",
      "Action": [
        "cloudformation:GetTemplate",
        "cloudformation:CreateChangeSet",
        "cloudformation:DescribeChangeSet"
      ],
      "Resource": [
        {
          "Fn::Sub": "arn:aws:cloudformation:*:${AWS::AccountId}:*"
        }
      ]
    },
    {
      "Sid": "ManageDeployedResources",
      "Effect": "Allow",
      "Action": [
        "cloudformation:GetTemplate",
        "cloudformation:ListStacks",
        "cloudformation:ListStackResources",
        "cloudformation:DescribeStacks",
        "apigateway:GET"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonitorLogs",
      "Effect": "Allow",
      "Action": [
        "apigateway:GET",
        "lambda:GetFunction",
        "logs:DescribeLogStreams",
        "logs:FilterLogEvents",
        "logs:GetLogEvents",
        "logs:GetQueryResults",
        "logs:StartQuery",
        "logs:StopQuery"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonitorMetrics",
      "Effect": "Allow",
      "Action": [
        "apigateway:GET",
        "cloudwatch:GetMetricData",
        "cloudformation:ListStackResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ManageIssues",
      "Effect": "Allow",
      "Action": [
        "cloudformation:ListStackResources",
        "cloudformation:DescribeStacks",
        "logs:CreateLogGroup",
        "logs:DescribeSubscriptionFilters",
        "logs:PutSubscriptionFilter",
        "logs:DeleteSubscriptionFilter",
        "lambda:GetFunction"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ManageAPICustomDomain",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole",
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "route53:ChangeResourceRecordSets",
        "acm:ListCertificates",
        "acm:AddTagsToCertificate",
        "acm:RequestCertificate",
        "acm:DescribeCertificate",
        "acm:DeleteCertificate",
        "apigateway:GET",
        "apigateway:POST",
        "apigateway:DELETE",
        "cloudfront:UpdateDistribution"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ManageAPIAccessLog",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "apigateway:GET",
        "apigateway:PATCH",
        "logs:CreateLogGroup",
        "logs:DescribeLogGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ManageAPIAccessLogIam",
      "Effect": "Allow",
      "Action": ["iam:AttachRolePolicy", "iam:PassRole"],
      "Resource": [
        {
          "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/APIGatewayLogsRole*"
        }
      ]
    }
  ]
}
```
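One way to review a policy like the one above before granting it, as an added example that is not Seed's own code: it lists every non-read action allowed on `Resource: "*"` and every IAM-changing action, including scoped ones. The `review` function and the read-prefix heuristic are assumptions made for illustration, and the sample is four statements copied from the policy above.

```python
# Constructed sample: four statements copied from the Seed policy on this page.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ManagePromoteChangeset", "Effect": "Allow",
     "Action": ["cloudformation:GetTemplate", "cloudformation:CreateChangeSet",
                "cloudformation:DescribeChangeSet"],
     "Resource": [{"Fn::Sub": "arn:aws:cloudformation:*:${AWS::AccountId}:*"}]},
    {"Sid": "ManageDeployedResources", "Effect": "Allow",
     "Action": ["cloudformation:GetTemplate", "cloudformation:ListStacks",
                "cloudformation:ListStackResources",
                "cloudformation:DescribeStacks", "apigateway:GET"],
     "Resource": "*"},
    {"Sid": "ManageAPIAccessLog", "Effect": "Allow",
     "Action": ["iam:CreateRole", "apigateway:GET", "apigateway:PATCH",
                "logs:CreateLogGroup", "logs:DescribeLogGroups"],
     "Resource": "*"},
    {"Sid": "ManageAPIAccessLogIam", "Effect": "Allow",
     "Action": ["iam:AttachRolePolicy", "iam:PassRole"],
     "Resource": [{"Fn::Sub":
                   "arn:aws:iam::${AWS::AccountId}:role/APIGatewayLogsRole*"}]},
]}

# Assumption: a naming heuristic, not AWS's own access-level classification.
READ_PREFIXES = ("Get", "List", "Describe", "Filter")

def as_list(value):
    """IAM allows Action and Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]

def is_read_only(action):
    name = action.split(":", 1)[-1]
    return name.startswith(READ_PREFIXES) or action == "apigateway:GET"

def review(policy):
    """Return (sid, action, reason) for each grant worth a closer look."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        # CloudFormation templates wrap ARNs as {"Fn::Sub": "..."}.
        res = [r["Fn::Sub"] if isinstance(r, dict) else r
               for r in as_list(st["Resource"])]
        for action in as_list(st["Action"]):
            if is_read_only(action):
                continue
            if "*" in res:
                findings.append((st.get("Sid"), action, "write on Resource *"))
            elif action.startswith("iam:"):
                findings.append((st.get("Sid"), action,
                                 "IAM change scoped to " + ", ".join(res)))
    return findings

if __name__ == "__main__":
    for finding in review(POLICY):
        print(*finding, sep=" | ")
```

The same function can be run over the SST or Serverless Framework deploy permissions before they are pasted into Seed.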
Next, customize the permissions that SST or Serverless Framework needs to deploy your app. By default these permissions are very broad, because the permissions a deployment needs depend on your app. If you are already using a set of IAM permissions to deploy, you can paste them here.
Alternatively, you can read the Customizing your IAM Policy chapter to get a better idea of how to craft an airtight policy.
Once you are done customizing the permissions, Seed will combine the two sets of permissions above and help you create an IAM role using CloudFormation.
Hit the Create an IAM role using CloudFormation button.
This will redirect you to CloudFormation on your AWS Console.
Scroll down to the bottom of the page, select I acknowledge that AWS CloudFormation might create IAM resources, and click Create.
CloudFormation will now create a Seed IAM role. This will take a minute or two.
Once complete, expand the Outputs section and copy the RoleArn.
Paste it back over on Seed.
Hit Add App to complete creating your app!