Document required IAM permissions for CloudFormation. (#751)

maciejwalkowiak · web-flow · commit a0a7182cfda6 · 2020-12-15T22:51:05.000-06:00
diff --git a/docs/src/main/asciidoc/cloudformation.adoc b/docs/src/main/asciidoc/cloudformation.adoc
@@ -188,3 +188,47 @@ with a special setup. The client itself can be configured using the `amazon-clou
 	</bean>
 </beans>
 ----
+
+=== IAM Permissions
+Following IAM permissions are required by Spring Cloud AWS:
+
+[cols="2"]
+|===
+| Describe stacks
+| `cloudformation:DescribeStacks`
+
+| List stack resources
+| `cloudformation:ListStackResources`
+
+| Describe stack resources
+| `cloudformation:DescribeStackResources`
+
+| Describe EC2 tags
+| `ec2:DescribeTags`
+
+|===
+
+Sample IAM policy granting access to CloudFormation:
+
+[source,json,indent=0]
+----
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+              "cloudformation:ListStackResources",
+              "cloudformation:DescribeStackResources",
+              "cloudformation:DescribeStacks"
+            ],
+            "Resource": "stack-arn"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "ec2:DescribeTags",
+            "Resource": "*"
+        }
+    ]
+}
+----
