by bfeynman 1033 days ago
... You seriously just tell people to deploy a stack with your IAM role that "has the least permissions possible"? Good luck, lol. Another thin wrapper around OpenAI that doesn't even do the heavy lifting (deploying a secure and trusted authenticated role to access resources that can be easily audited, etc.).

For what it’s worth, literally every vendor that operates in its customers’ AWS accounts does this. Create a cross-account role, trust the vendor’s account, and give it read-only permissions (although don’t use the built-in “read only” role, since that includes access to things like S3 objects).
At my current job I can trigger a pipeline to deploy a complex set of CloudFormation stacks, but my account doesn’t have access to the logs of those deployments. DevOps!
Release engineer here. You can pretty easily audit the policy we use (Read-Only), and you can also add a permissions boundary if you want. We would love to get any feedback and improvements you can offer if you are inclined. We have a Slack workspace users can join; check it out: https://release-ai.slack.com
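The cross-account pattern the thread describes (trust the vendor's account, grant read-only access, but keep S3 object contents out of it) can be checked mechanically before a vendor's policy is attached. The following is an added example, not code from the thread or from the vendor: the list of "data-reading" actions, the sample policies and the account id are constructed for illustration, and the `sts:ExternalId` condition is AWS's standard confused-deputy guard rather than something the thread mentions.

```python
import fnmatch

# Actions that return data contents rather than configuration metadata.
# This list is an assumption for the example; extend it for your account.
DATA_READ_ACTIONS = [
    "s3:GetObject", "s3:GetObjectVersion",
    "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan",
    "secretsmanager:GetSecretValue", "kms:Decrypt",
    "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath",
]

def _as_list(value):
    # IAM allows a bare string or a list for Statement and Action.
    return [] if value is None else value if isinstance(value, list) else [value]

def data_read_actions_allowed(policy):
    """Sorted data-reading actions matched by any Allow statement, expanding
    wildcards such as 's3:Get*' or '*'. Deny statements are ignored, so a
    hit means 'review this grant', not 'data is exposed'."""
    hits = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            hits.update(a for a in DATA_READ_ACTIONS
                        if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return sorted(hits)

def vendor_trust_policy(vendor_account_id, external_id):
    """Trust policy: only the vendor account may assume the role, and only with the agreed ExternalId."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}

# Constructed samples: a broad grant in the style of a generic "read
# everything" policy, and a narrowed one limited to metadata calls.
BROAD_READ_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["s3:Get*", "s3:List*", "ec2:Describe*", "cloudformation:Describe*"]}]}
METADATA_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["s3:ListAllMyBuckets", "s3:GetBucketPolicy",
               "ec2:Describe*", "cloudformation:Describe*"]}]}

if __name__ == "__main__":
    print(data_read_actions_allowed(BROAD_READ_ONLY))  # ['s3:GetObject', 's3:GetObjectVersion']
    print(data_read_actions_allowed(METADATA_ONLY))    # []
```

Run the same check against the role's permissions boundary as well: the effective grant is the intersection of the two, so a boundary that still matches data-reading actions buys nothing on that axis.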