---
title: AWS Credentials
---

Before using Up you need to first provide your AWS account credentials so that Up is allowed to create resources on your behalf.

## AWS Credential Profiles

Most AWS tools support the `~/.aws/credentials` file for storing credentials, allowing you to specify the `AWS_PROFILE` environment variable so Up knows which one to reference. To read more on configuring these files view [Configuring the AWS CLI](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html).

Here's an example of `~/.aws/credentials`, where `export AWS_PROFILE=myaccount` would activate these settings.

```
[myaccount]
aws_access_key_id = xxxxxxxx
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxx
```

### Best Practices

You may store the profile name in the `up.json` file itself as shown in the following snippet:

```json
{
  "name": "appname-api",
  "profile": "myaccount"
}
```

This is ideal as it ensures you will not accidentally deploy to a different AWS account.

## IAM Policy for Up CLI

Below is a policy for [AWS Identity and Access Management](https://aws.amazon.com/iam/) which provides Up access to manage your resources. Note that the policy may change as features are added to Up, so you may have to adjust the policy.

If you're using Up for a production application it's highly recommended to configure an IAM role and user(s) for your team, restricting the access to the account and its resources.

<details>
<summary>Show policy</summary>

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm:*",
        "cloudformation:Create*",
        "cloudformation:Delete*",
        "cloudformation:Describe*",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:Update*",
        "cloudfront:*",
        "cloudwatch:*",
        "ec2:*",
        "ecs:*",
        "events:*",
        "iam:AttachRolePolicy",
        "iam:CreatePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:GetRole",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "lambda:AddPermission",
        "lambda:Create*",
        "lambda:Delete*",
        "lambda:Get*",
        "lambda:InvokeFunction",
        "lambda:List*",
        "lambda:RemovePermission",
        "lambda:Update*",
        "logs:Create*",
        "logs:Describe*",
        "logs:FilterLogEvents",
        "logs:Put*",
        "logs:Test*",
        "route53:*",
        "route53domains:*",
        "s3:*",
        "ssm:*",
        "sns:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "apigateway:*",
      "Resource": "arn:aws:apigateway:*::/*"
    }
  ]
}
```

</details>
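
When restricting access for a team, it helps to see which grants in the policy above are broadest. The following Python script is an added example, not part of Up or its documentation: it lists service-wide wildcards and IAM permission-changing actions allowed on `"Resource": "*"`. The embedded policy is a trimmed excerpt of the one above, and the function names and the `IAM_PERMISSION_ACTIONS` selection are this example's assumptions.

```python
import json

# Constructed sample: an excerpt of the policy on this page (action list trimmed).
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["acm:*", "cloudformation:Create*", "ec2:*", "iam:CreateRole",
                "iam:PassRole", "iam:PutRolePolicy", "lambda:Get*", "s3:*"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "apigateway:*",
     "Resource": "arn:aws:apigateway:*::/*"}
  ]
}
"""

# IAM actions that create roles or change what a role may do; worth scoping to
# specific role ARNs instead of "*". (This selection is the example's assumption.)
IAM_PERMISSION_ACTIONS = {"iam:attachrolepolicy", "iam:createpolicy", "iam:createrole",
                          "iam:passrole", "iam:putrolepolicy"}


def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit(policy):
    """Return (statement_index, finding, action) tuples for Allow statements."""
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        any_resource = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                kind = "full-service on any resource" if any_resource else "full-service, scoped resource"
                findings.append((index, kind, action))
            elif any_resource and action.lower() in IAM_PERMISSION_ACTIONS:
                findings.append((index, "iam permission change on any resource", action))
    return findings


if __name__ == "__main__":
    for index, kind, action in audit(json.loads(POLICY_JSON)):
        print(f"Statement[{index}]: {kind}: {action}")
```

Each finding is a candidate for a narrower action list or a specific resource ARN in the role you create for your team.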