SST uses your AWS credentials to run the Live Lambda Development environment and deploy your app. Let's take a look at how to load these credentials, creating an IAM policy for SST, and the basic set of permissions that all CDK apps need.
There are a few different ways to set the credentials that SST will use. Starting with the simplest.
You can keep you AWS credentials in a file. The credentials are found at:
~/.aws/credentialson Linux, Unix, and macOS;
If the credentials file does not exist on your machine:
The credentials file should look like:
And if you have multiple credentials configured, it might look like:
By default, SST uses the credentials for the
[default] profile. To use one of the other profiles, set the
AWS_PROFILE environment variable. For example:
SST automatically detects AWS credentials in your environment and uses them for making requests to AWS. The environment variables that you need to set are:
If you are using AWS Vault to store your IAM credentials locally, it needs to be MFA authenticated. Add the
mfa_serial property in your AWS config file. This will cause AWS Vault to prompt for the MFA token.
If you are using Leapp to store your IAM credentials in your local environment, the IAM credentials need to be MFA authenticated.
MFA Device ARN when adding the credentials.
Then Leapp will prompt for the MFA token when enabling the session.
There are 4 strategies you can use to decide what IAM permissions you want to grant SST. The decision is primarily based on your use case and your team's security requirement.
Use this strategy if you are deploying to a development AWS account, and you want to try out SST quickly.
You can grant permissions to the AWS services you are using. This strategy prevents you from creating, updating, or removing AWS resources outside the scope of your app.
For example, to create a CRUD API endpoint that uses DynamoDB, the following permissions are required:
If you decide to enable custom domains for the API endpoint, a couple more permissions are required:
The general idea of this strategy is to grant a broad permissions policy for the IAM user or role at first. Use it to deploy the SST app for some time. Then let IAM Access Analyzer analyze your CloudTrail events to identify actions and services that have been used by the IAM user or role. The analyzer will generate an IAM policy that is based on that activity. You can then replace the policy with the generated one.
You can read more about the steps required here - https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html
By default, CloudFormation uses a set of temporary IAM credentials generated from your IAM credentials to deploy your stacks. So your IAM credentials need to have all the required permissions that CloudFormation in turn needs.
Instead, you can create an IAM role to explicitly specify the actions that CloudFormation can perform, which might not always be the same actions that you or other users can do.
For example, you might have full
AdministratorAccess permission, but you can limit CloudFormation access to only a subset of privileges.
Alternatively, you might not want everyone on the team to have the permissions to create Lambda functions directly in the AWS console or via AWS CLI, but they can trigger a deployment, and let CloudFormation create Lambda functions as part of the SST app.
In addition to the permissions required to deploy your SST app, you also need permissions to deploy the resources in the CDK Bootstrap stack, and the SST Debug stack.
The CDK Bootstrap stack needs to be deployed once per AWS account, per region. It will be automatically deployed the first time you run
sst deploy. The stack contains the following AWS resources:
The SST Debug stack is deployed along your SST app when you run
sst start. The stack contains the following AWS resources:
These resources power the Live Lambda Development environment. You can read more about it here.