www/src/content/docs/docs/iam-credentials.mdx
SST deploys your AWS resources using your AWS credentials. In this guide we'll look at how to set these credentials, the basic set of permissions it needs, and how to customize it.
There are a couple of different ways to set the credentials that your app will use. The simplest is using a credentials file.
However, if you're still figuring out how to configure your AWS account, we recommend following our guide on it.
By default, your AWS credentials are in a file:
~/.aws/credentials on Linux, Unix, macOSC:\Users\USER_NAME\.aws\credentials on WindowsIf the credentials file does not exist on your machine.
Below we'll look at how to customize the permissions that are granted to this user.
Your credentials file might look like:
[default]
aws_access_key_id = <YOUR_ACCESS_KEY_ID>
aws_secret_access_key = <YOUR_SECRET_ACCESS_KEY>
Where default is the name of the credentials profile.
And if you have multiple credentials, it might look like:
[default]
aws_access_key_id = <DEFAULT_ACCESS_KEY_ID>
aws_secret_access_key = <DEFAULT_SECRET_ACCESS_KEY>
[staging]
aws_access_key_id = <STAGING_ACCESS_KEY_ID>
aws_secret_access_key = <STAGING_SECRET_ACCESS_KEY>
[production]
aws_access_key_id = <PRODUCTION_ACCESS_KEY_ID>
aws_secret_access_key = <PRODUCTION_SECRET_ACCESS_KEY>
By default, SST uses the credentials for the default profile. To use one of the other profiles, set the profile in your sst.config.ts.
{
providers: {
aws: {
profile: "staging"
}
}
}
You can customize this for the stage your app is being deployed to.
app(input) {
return {
// ...
providers: {
aws: {
profile: input?.stage === "staging" ? "staging" : "default"
}
}
};
},
If you've configured AWS credentials previously through the AWS_PROFILE environment variable or through a .env file, it will override the profile set in your sst.config.ts. So make sure to remove any references to AWS_PROFILE.
SST can also detect AWS credentials in your environment and use them to deploy.
AWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEYIf you are using temporary credentials, you can also set the AWS_SESSION_TOKEN.
This is useful when you are deploying through a CI environment and there are no credential files around.
If you have AWS credentials set in multiple places, SST will first look at:
Environment variables
This includes AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or AWS_SESSION_TOKEN, and AWS_PROFILE. This also includes environment variables set in a .env file.
SST config
Then it'll check for the credentials or profile in your sst.config.ts.
AWS config
It'll then check for the [default] profile in your ~/.aws/config or C:\Users\USER_NAME\.aws\config.
Credential files
Finally, it'll look for any static credentials in your ~/.aws/credentials or C:\Users\USER_NAME\.aws\credentials.
The credentials above are for an IAM user and it comes with an IAM policy. This defines what resources the given user has access to. By default, we are using AdministratorAccess. This gives your user complete access.
However, if you are using SST at your company, you want to secure these permissions. Here we'll look at exactly what SST needs and how you can go about customizing it.
Let's start with an IAM policy you can copy and paste.
<details> <summary>**Copy IAM Policy**</summary>{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ManageBootstrapStateBucket",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:PutBucketVersioning",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::sst-state-*"
]
},
{
"Sid": "ManageBootstrapAssetBucket",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:PutBucketVersioning",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:DeleteObject",
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::sst-asset-*"
]
},
{
"Sid": "ManageBootstrapECRRepo",
"Effect": "Allow",
"Action": [
"ecr:CreateRepository",
"ecr:DescribeRepositories"
],
"Resource": [
"arn:aws:ecr:REGION:ACCOUNT:repository/sst-asset"
]
},
{
"Sid": "ManageBootstrapSSMParameter",
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"ssm:PutParameter"
],
"Resource": [
"arn:aws:ssm:REGION:ACCOUNT:parameter/sst/passphrase/*",
"arn:aws:ssm:REGION:ACCOUNT:parameter/sst/bootstrap"
]
},
{
"Sid": "Deployments",
"Effect": "Allow",
"Action": [
"*"
],
"Resource": [
"*"
]
},
{
"Sid": "ManageSecrets",
"Effect": "Allow",
"Action": [
"ssm:DeleteParameter",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:GetParametersByPath",
"ssm:PutParameter",
"ssm:AddTagsToResource",
"ssm:ListTagsForResource"
],
"Resource": [
"arn:aws:ssm:REGION:ACCOUNT:parameter/sst/*"
]
},
{
"Sid": "LiveLambdaSocketConnection",
"Effect": "Allow",
"Action": [
"appsync:EventSubscribe",
"appsync:EventPublish",
"appsync:EventConnect"
],
"Resource": [
"*"
]
}
]
}
This list roughly breaks down into the following:
Let's look at them in detail.
SST needs to bootstrap each AWS account, in each region, once. This happens automatically when you run sst deploy or sst dev.
There are a couple of different things being bootstrapped and these are the permissions they need:
Permissions to create the bootstrap bucket for storing state.
{
"Sid": "ManageBootstrapStateBucket",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:PutBucketVersioning",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::sst-state-*"
]
}
Permissions to create the bootstrap bucket for storing the assets in your app. These include the Lambda function bundles and static assets in your frontends.
{
"Sid": "ManageBootstrapAssetBucket",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:PutBucketVersioning",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:DeleteObject",
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::sst-asset-*"
]
}
Permissions to create the bootstrap ECR repository for hosting the Docker images in your app.
{
"Sid": "ManageBootstrapECRRepo",
"Effect": "Allow",
"Action": [
"ecr:CreateRepository",
"ecr:DescribeRepositories"
],
"Resource": [
"arn:aws:ecr:REGION:ACCOUNT:repository/sst-asset"
]
}
Permissions to create the bootstrap SSM parameter. This parameter stores information about the deployed bootstrap resources.
{
"Sid": "ManageBootstrapSSMParameter",
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"ssm:PutParameter"
],
"Resource": [
"arn:aws:ssm:REGION:ACCOUNT:parameter/sst/passphrase/*",
"arn:aws:ssm:REGION:ACCOUNT:parameter/sst/bootstrap"
]
}
The permissions that SST needs to deploy the resources in your app, depends on what you have in your app.
The following block is placed as a template in the IAM policy above for you to customize.
{
"Sid": "Deployments",
"Effect": "Allow",
"Action": [
"*"
],
"Resource": [
"*"
]
}
Below we'll look at how you can try customizing this.
The SST CLI also makes some AWS SDK calls to your account. Here are the IAM permissions it needs.
Permissions to manage your secrets.
{
"Sid": "ManageSecrets",
"Effect": "Allow",
"Action": [
"ssm:DeleteParameter",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:GetParametersByPath",
"ssm:PutParameter",
"ssm:AddTagsToResource",
"ssm:ListTagsForResource"
],
"Resource": [
"arn:aws:ssm:us-east-1:112233445566:parameter/sst/*"
]
}
And permissions to connect to the AppSync endpoint in sst dev to run your functions Live.
{
"Sid": "LiveLambdaSocketConnection",
"Effect": "Allow",
"Action": [
"appsync:EventSubscribe",
"appsync:EventPublish",
"appsync:EventConnect"
],
"Resource": [
"*"
]
}
Editing the above policy based on the resources you are adding to your app can be tedious. Here's an approach to consider.
Sandbox accounts
Start by creating separate AWS accounts for your teammates for their dev usage. In these sandbox accounts, you can grant AdministratorAccess. This avoids having to modify their permissions every time they make some changes.
IAM Access Analyzer
For your staging accounts, you can start by granting a broad permissions policy. Then after deploying your app and allowing it to run for a period of time. You can use your CloudTrail events to identify the actions and services used by that IAM user. The IAM Access Analyzer can then generate an IAM policy based on this activity, which you can use to replace the original policy.
You can now use this for your production accounts. Learn more about how to use the IAM Access Analyzer.
In general, you want to make sure you audit the IAM permissions you are granting on a regular basis.