What IAM permissions are needed to use CDK Deploy?

Question

My team has a pipeline which runs under an execution IAM role. We want to deploy code to AWS through CloudFormation or the CDK.

In the past, we would upload some art

Answer 1

Since I couldn't find any documentation anywhere I had to do some trial and error to get this to work.

Apart from the permissions you need to create the actual resources you define in your stack, you need to give the following:

cloudformation:DescribeStacks
cloudformation:CreateChangeSet
cloudformation:DescribeChangeSet
cloudformation:ExecuteChangeSet
cloudformation:DescribeStackEvents
cloudformation:DeleteChangeSet

To the stack ARN you are creating, as well as the bootstrap stack:

arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/CDKToolkit/*

You also need s3 permissions to the bucket that the boostrap added (otherwise you get that dreaded Forbidden: null error):

s3:*Object
s3:ListBucket1
s3:GetBucketLocation

to

arn:aws:s3:::cdktoolkit-stagingbucket-*