Minimum IAM permissions required for Spacelift AWS role

Last updated: September 15, 2025

When you set up Spacelift to manage AWS resources, the IAM role that Spacelift assumes does not need Administrator access. The minimum permissions depend on your use case and on which AWS resources your Terraform configurations create, read and modify.

Baseline Requirements

The minimum baseline permissions include:

  • A trust policy on the role that allows Spacelift's AWS principal to call sts:AssumeRole, with the external ID from your integration settings as a condition (this is a trust relationship on the role, not a statement in its permissions policy)

  • Permissions for your Terraform state backend (only if you manage state yourself rather than letting Spacelift manage it):

    • S3 read/write permissions for state files, scoped to the state bucket (s3:ListBucket on the bucket; s3:GetObject, s3:PutObject and s3:DeleteObject on its objects)

    • DynamoDB read/write permissions for state locking, scoped to the lock table (dynamodb:GetItem, dynamodb:PutItem and dynamodb:DeleteItem)

    • kms:Decrypt and kms:GenerateDataKey on the key, if the state bucket is encrypted with a customer-managed KMS key

Resource-Specific Permissions

Beyond the baseline, the required permissions depend on which AWS resources your Terraform stacks create, read or modify. Where the service supports resource-level permissions, restrict these actions to the resources the stack owns rather than granting them on "*". For example:

  • EC2-related actions if provisioning compute instances

  • RDS actions if creating databases

  • VPC actions if managing networking resources

Fine-Tuning Permissions

To determine the exact permissions needed for your use case:

  1. Start with a broader policy that covers the services and resource types you expect the stacks to touch (still not AdministratorAccess)

  2. Let your Spacelift runs execute across a representative set of operations (plan, apply, and a destroy if the stack is ever torn down), so the recorded activity covers every action the role needs

  3. Use IAM Access Analyzer's policy generation, which reads the role's CloudTrail activity over a time window you choose and produces a policy listing the actions the role actually called. Generated policies are built from management events and do not carry action-level detail for data events such as S3 object reads and writes, so keep the state-backend statements from the baseline explicitly rather than relying on the generated output for them

  4. Iteratively tighten the role to that least-privilege set. AccessDenied errors in later runs show an action the policy still lacks; add only that action, scoped as narrowly as the service allows
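The script below is an added example and not Spacelift's own code. It pulls together both the baseline above (the trust policy and the scoped S3/DynamoDB statements) and the tightening procedure: it filters CloudTrail records down to sessions issued by the Spacelift role, groups the succeeded calls by IAM service prefix, unions them with the baseline, and reports calls that were denied during the run. The role ARN, account ID, bucket and table names, Spacelift principal ARN and external ID are placeholders, and the CloudTrail records are constructed. The eventSource-to-prefix mapping is only correct for services where the hostname label matches the IAM prefix; the override table holds the one exception used here.

```python
"""Least-privilege IAM policy for a Spacelift role from observed CloudTrail activity.
Added example, not Spacelift's own code. Role ARN, account, bucket/table names,
principal ARN and external ID are placeholders; the CloudTrail records are constructed."""
import json
from collections import defaultdict

# CloudTrail eventSource hosts whose IAM service prefix differs from the hostname label.
# Extend this as you meet other services; unknown hosts fall back to the hostname label.
SERVICE_PREFIX_OVERRIDES = {"monitoring": "cloudwatch"}
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}


def trust_policy(spacelift_principal_arn, external_id):
    """Trust relationship letting Spacelift assume the role, bound to an external ID.
    Both values come from the Spacelift integration settings (placeholders here)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": spacelift_principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def baseline_statements(state_bucket, lock_table, region, account_id):
    """Self-managed S3/DynamoDB backend permissions, scoped to one bucket and one table.
    Add kms:Decrypt/kms:GenerateDataKey on the key if the bucket uses a customer-managed KMS key."""
    return [
        {"Sid": "StateBucketList", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{state_bucket}"},
        {"Sid": "StateObjects", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"arn:aws:s3:::{state_bucket}/*"},
        {"Sid": "StateLock", "Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"],
         "Resource": f"arn:aws:dynamodb:{region}:{account_id}:table/{lock_table}"},
    ]


def observed_actions(events, role_arn):
    """Group IAM actions from CloudTrail records by service, for sessions issued by role_arn.
    Returns (allowed, denied): allowed maps service prefix -> set of actions that succeeded;
    denied is the set of actions recorded as access-denied (what the broad policy missed)."""
    allowed, denied = defaultdict(set), set()
    for ev in events:
        issuer = ev.get("userIdentity", {}).get("sessionContext", {}).get("sessionIssuer", {})
        if issuer.get("arn") != role_arn:
            continue  # another principal's activity, e.g. Spacelift's own AssumeRole call
        host = ev["eventSource"].split(".")[0]
        service = SERVICE_PREFIX_OVERRIDES.get(host, host)
        action = f"{service}:{ev['eventName']}"
        if ev.get("errorCode") in DENIED_CODES:
            denied.add(action)
        else:
            allowed[service].add(action)
    return allowed, denied


def build_policy(events, role_arn, state_bucket, lock_table, region, account_id):
    """Baseline plus one statement per service the role actually used.
    Observed statements keep Resource "*"; narrowing them to ARNs is the next tightening pass."""
    allowed, denied = observed_actions(events, role_arn)
    statements = baseline_statements(state_bucket, lock_table, region, account_id)
    covered = {a for st in statements for a in st["Action"]}
    for service in sorted(allowed):
        extra = sorted(allowed[service] - covered)
        if extra:  # backend calls are already in the scoped baseline; only add what is new
            statements.append({"Sid": f"Observed{service.capitalize()}", "Effect": "Allow",
                               "Action": extra, "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}, denied


# Constructed CloudTrail records, trimmed to the fields used above.
ROLE_ARN = "arn:aws:iam::123456789012:role/spacelift-role"
SESSION = {"type": "AssumedRole",
           "sessionContext": {"sessionIssuer": {"type": "Role", "arn": ROLE_ARN}}}
SAMPLE_EVENTS = [
    {"userIdentity": {"type": "AWSAccount"}, "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole"},  # Spacelift assuming the role: not the role's own activity
    {"userIdentity": SESSION, "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"userIdentity": SESSION, "eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"userIdentity": SESSION, "eventSource": "dynamodb.amazonaws.com", "eventName": "PutItem"},
    {"userIdentity": SESSION, "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"userIdentity": SESSION, "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"},
    {"userIdentity": SESSION, "eventSource": "monitoring.amazonaws.com", "eventName": "PutMetricAlarm"},
    {"userIdentity": SESSION, "eventSource": "rds.amazonaws.com", "eventName": "CreateDBInstance",
     "errorCode": "AccessDenied"},  # the broad policy was still too narrow here
]

if __name__ == "__main__":
    policy, denied = build_policy(SAMPLE_EVENTS, ROLE_ARN, "tf-state-bucket",
                                  "tf-state-lock", "eu-west-1", "123456789012")
    print(json.dumps(trust_policy("arn:aws:iam::111111111111:root", "example-external-id"), indent=2))
    print(json.dumps(policy, indent=2))
    print("denied during the run, add or fix:", sorted(denied))
```

Run against real records, feed it the role's CloudTrail events for the same window you would give Access Analyzer; the observed statements it emits still carry "*" resources, so the next pass is to replace those with the ARNs of the resources each stack owns, using the resources field of the same records.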

This approach grants only the permissions the stacks demonstrably use, so a compromised Spacelift credential or a faulty configuration is limited to those actions instead of the full blast radius of an Administrator role.