I'm David, a software engineer and cloud architect.
I specialize in serverless development, cloud architecture and implementation, and write about my experiences along the way.

I just knew people shouldn’t need to use “AdministratorAccess” permissions to simply bootstrap an AWS account, and I couldn’t find a definitive example anywhere.

Not from AWS themselves, or their documentation, or any examples, or anyone else in tutorials mentioning the actual minimum permissions. So I went on my own journey.

These are the minimum required permissions to cdk bootstrap an AWS account and region:

Github Gist Link

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "0",
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStacks",
        "cloudformation:CreateChangeSet",
        "cloudformation:DescribeChangeSet",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:GetTemplate"
      ],
      "Resource": "arn:aws:cloudformation:<REGION>:<ACCOUNT_NUMBER>:stack/CDKToolkit/*"
    }
  ]
}

Methodology:

  1. Create an IAM user.
  2. Provision and record the Access Key ID and Secret Access Key.
  3. Attach NO permissions at all.
  4. Attempt to bootstrap a region.
  5. Note the failure and the permission it reports as missing.
  6. Add that permission to the inline policy attached directly to the user.
  7. Re-run the bootstrap command.
  8. Repeat until the bootstrap succeeds.
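The loop above is an iterate-until-it-works procedure, and the only mechanical part is reading each failure and adding exactly what it names. The Python below is an added example (mine, not the author's, and not part of the CDK toolchain) that replays that part: it parses the "is not authorized to perform" message AWS returns on an AccessDenied, grants only the denied action on only the denied resource, and merges grants that share a resource into one statement, so the result has the same shape as the policy above. The account number, region, user name and the five failure messages are constructed for the example; the script assumes every failure is an AccessDenied in that message form and raises on anything else, so a throttling or validation error is never mistaken for a missing permission.

```python
import copy
import json
import re

# Shape of the AccessDenied message an AWS API returns when the caller lacks a
# permission. The ARNs and messages further down are constructed for this
# example (fictional account 123456789012 in us-east-1), not captured output.
DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)"
    r"(?: on resource: (?P<resource>\S+))?"
)

EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}


def parse_access_denied(message):
    """Extract the denied action and resource from an AccessDenied message.
    Returns None when the message is not a permission failure (e.g. throttling,
    validation errors), so those are never turned into grants."""
    m = DENIED_RE.search(message)
    if not m:
        return None
    # Some APIs omit the resource; surface that as "*" so it is visible to the reviewer.
    return {"action": m.group("action"), "resource": m.group("resource") or "*"}


def grant(policy, action, resource):
    """Return a copy of `policy` that also allows `action` on `resource`.
    Actions on the same resource are merged into one statement, and a grant that
    already exists is not duplicated, so replaying the same failure is harmless."""
    new_policy = copy.deepcopy(policy)
    for stmt in new_policy["Statement"]:
        if stmt["Effect"] == "Allow" and stmt["Resource"] == resource:
            if action not in stmt["Action"]:
                stmt["Action"].append(action)
            return new_policy
    new_policy["Statement"].append({
        "Sid": str(len(new_policy["Statement"])),
        "Effect": "Allow",
        "Action": [action],
        "Resource": resource,
    })
    return new_policy


def discover_policy(failure_messages, policy=EMPTY_POLICY):
    """Replay the iterative method: each failure adds exactly the denied action.
    `failure_messages` is the error text from successive bootstrap attempts, in
    order. Returns the accumulated least-privilege policy."""
    for message in failure_messages:
        denied = parse_access_denied(message)
        if denied is None:
            raise ValueError(f"not an AccessDenied failure: {message!r}")
        policy = grant(policy, denied["action"], denied["resource"])
    return policy


def allowed_actions(policy):
    """Map each Resource in the policy to the set of actions allowed on it."""
    return {s["Resource"]: set(s["Action"])
            for s in policy["Statement"] if s["Effect"] == "Allow"}


# Constructed sample: what five successive bootstrap attempts might report, one
# newly denied permission per attempt, against the fictional account and region.
STACK_ARN = "arn:aws:cloudformation:us-east-1:123456789012:stack/CDKToolkit/*"
USER_ARN = "arn:aws:iam::123456789012:user/cdk-bootstrap"
SAMPLE_FAILURES = [
    f"User: {USER_ARN} is not authorized to perform: {action} on resource: {STACK_ARN}"
    for action in (
        "cloudformation:DescribeStacks",
        "cloudformation:CreateChangeSet",
        "cloudformation:DescribeChangeSet",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:GetTemplate",
    )
]

if __name__ == "__main__":
    print(json.dumps(discover_policy(SAMPLE_FAILURES), indent=2))
```

Because grants are keyed on the exact resource ARN the denial names, the script never widens a grant to "*" on its own; when a failure names no resource at all, the "*" it records is deliberate and worth reviewing before the policy is kept.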