Hi!👋
I'm trying out formae, and starting with a least-privilege account, I finally succeeded in creating the S3 bucket in the tutorial!
However, the formae agent is logging an error, probably because it's trying to discover resources but doesn't have the necessary permissions. So I thought it might be more user-friendly if the formae agent documented the minimum permissions it requires!
```
... 2025-11-30T10:33:01+09:00 ERR PluginOperator: failed to list resources of type AWS::RDS::DBInstance in target my-default-aws-target with list parameters map[]: operation error CloudControl: ListResources, https response error StatusCode: 400, RequestID:... because no identity-based policy allows the cloudformation:ListResources action [pid= ...
```
Hi @ddddddO! 👋
Great suggestion, thank you for taking the time to report this! We've created an issue (#101) to enhance our documentation with IAM permission requirements.
Quick answer for now:
The AWS plugin uses the Cloud Control API for resource operations. While Cloud Control is a separate API from CloudFormation, AWS placed its IAM permissions in the `cloudformation:` namespace (e.g. `cloudformation:ListResources`).
For the full list of required permissions and example IAM policies, see the AWS Cloud Control API Security documentation.
Workaround for now:
If you don't need automatic discovery for the time being, you can disable it by creating a config file at ~/.config/formae/formae.conf.pkl:
```pkl
amends "formae:/Config.pkl"

agent {
  discovery {
    enabled = false
  }
}
```
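One way to turn the agent's discovery errors into a reviewable list of missing IAM actions, as an added example that is not part of the thread or of formae itself. The log lines are constructed from the error quoted in the question, and the function names and `Sid` are hypothetical.

```python
import json
import re
from collections import defaultdict

# Constructed sample lines modeled on the error quoted in the question
# (timestamps, request IDs and the second and third lines are made up).
SAMPLE_LOG = """\
2025-11-30T10:33:01+09:00 ERR PluginOperator: failed to list resources of type AWS::RDS::DBInstance in target my-default-aws-target with list parameters map[]: operation error CloudControl: ListResources, https response error StatusCode: 400, RequestID: 00000000-example, because no identity-based policy allows the cloudformation:ListResources action
2025-11-30T10:33:02+09:00 ERR PluginOperator: failed to list resources of type AWS::S3::Bucket in target my-default-aws-target with list parameters map[]: operation error CloudControl: ListResources, https response error StatusCode: 400, RequestID: 00000000-example, because no identity-based policy allows the cloudformation:ListResources action
2025-11-30T10:33:03+09:00 INF discovery cycle finished
"""

RESOURCE_TYPE = re.compile(r"resources of type (\S+) in target (\S+)")
DENIED_ACTION = re.compile(r"no identity-based policy allows the (\S+) action")

def denied_actions(log_text):
    """Map each denied IAM action to the resource types it blocked."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        action = DENIED_ACTION.search(line)
        if not action:
            continue  # not an IAM denial, e.g. the INF line
        rtype = RESOURCE_TYPE.search(line)
        denied[action.group(1)].add(rtype.group(1) if rtype else "unknown")
    return {a: sorted(t) for a, t in denied.items()}

def draft_statement(denied):
    """Draft an Allow statement for human review; nothing is sent to AWS."""
    return {
        "Sid": "FormaeDiscoveryDraft",  # hypothetical statement id
        "Effect": "Allow",
        "Action": sorted(denied),
        # Assumption: these actions are granted on "*"; narrow with
        # conditions where your policy standard requires it.
        "Resource": "*",
    }

if __name__ == "__main__":
    found = denied_actions(SAMPLE_LOG)
    for action, types in found.items():
        print(action, "blocked discovery of", ", ".join(types))
    policy = {"Version": "2012-10-17", "Statement": [draft_statement(found)]}
    print(json.dumps(policy, indent=2))
```

Once `cloudformation:ListResources` is allowed, later denials may name actions of the underlying services instead; rerunning the script over the new log picks those up the same way.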
@browdues
I see! Thanks for letting me know!