The serverless documentation does not currently define the IAM permissions that the "serverless-admin" user needs in order to create and operate serverless projects. This is not unreasonable, as the project is currently in a period of rapid development where new features may need to take advantage of different aspects of the AWS suite.

As stated, there is the option to give the user full AWS administrator rights, but one then needs to be very careful with the credentials for the user if anything else is being done in the AWS account!

If one wants to avoid this risk, at the moment the following policies can be used.

AWS standard policies:

  • AWSLambdaFullAccess
  • AmazonAPIGatewayAdministrator

If you already have Lambda and/or API Gateway functionality in use, you may wish to review whether these rights can be tightened further.

Custom policies:

  • IAMRoleAccess - iam:GetRole*, iam:CreateRole*, iam:PutRolePolicy*, iam:DeleteRolePolicy*
  • AWSCloudFormationFullAccess - cloudformation:*

If you already have CloudFormation functionality in use, you may wish to review whether full access is essential or whether these rights can be tightened further.
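
As an aid to that review, the following added example (not from the serverless project or its documentation) renders the two custom policies above as IAM policy documents and checks which concrete actions their wildcards cover. The `Resource` value of `"*"` and the helper names `policy_document` and `allows` are assumptions; the matcher is simplified and ignores Deny statements, conditions and resources.

```python
import json
import re

# Custom policies exactly as listed above (policy name -> allowed actions).
CUSTOM_POLICIES = {
    "IAMRoleAccess": [
        "iam:GetRole*", "iam:CreateRole*",
        "iam:PutRolePolicy*", "iam:DeleteRolePolicy*",
    ],
    "AWSCloudFormationFullAccess": ["cloudformation:*"],
}


def policy_document(actions, resource="*"):
    """Build an IAM policy document. Resource "*" is an assumption: the
    page does not say which resources the actions should be limited to."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": list(actions), "Resource": resource}
        ],
    }


def allows(document, action):
    """True if an Allow statement's Action pattern matches `action`.
    IAM action matching is case-insensitive; '*' and '?' are wildcards."""
    for stmt in document["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        for pattern in patterns:
            regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
            if re.fullmatch(regex, action, re.IGNORECASE):
                return True
    return False


if __name__ == "__main__":
    for name, actions in CUSTOM_POLICIES.items():
        print(f"--- {name} ---")
        print(json.dumps(policy_document(actions), indent=2))
    iam_doc = policy_document(CUSTOM_POLICIES["IAMRoleAccess"])
    # Constructed sample of real IAM action names to test against the policy.
    for action in ("iam:GetRolePolicy", "iam:CreateRole", "iam:PutRolePolicy",
                   "iam:DeleteRole", "iam:PassRole", "iam:CreateUser"):
        print(f"{action:22} {'allowed' if allows(iam_doc, action) else 'not allowed'}")
```

The printed JSON can be pasted into the IAM console as a customer managed policy; the action check shows, for instance, that `iam:DeleteRolePolicy*` does not cover `iam:DeleteRole`.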