I'm not sure what permissions are needed to create a UserPool. There are no AWS managed policies for creating/updating/deleting a UserPool. In the description of one of the managed Cognito policies, it says:
You will need AWS account admin privileges to create new Cognito resources.
For my testing, I used the AdministratorAccess managed policy.
To follow the principle of least privilege, it's not clear which actions Crossplane needs access to. Here is a list of some areas that it might touch:
- cognito-identity
- cognito-idp
- cognito-sync
- iam
- kinesis
- lambda
- sns
- ses
- mobiletargeting
- acm
- sms-voice
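The least-privilege question above is usually answered empirically: run the provider once under the broad policy (the comment above used AdministratorAccess), then read back from CloudTrail which API calls the provider's role actually made and turn those into a scoped policy. The script below is an added illustration of that workflow; it is not code from this issue or from Crossplane. The CloudTrail records are constructed samples, and the role name `crossplane-provider-aws` and the account ID are assumptions. Two caveats the script encodes: CloudTrail `eventName` matches the IAM action name for most but not all operations, and permission checks such as `iam:PassRole` (needed when a user pool references an SMS role) never appear as logged API calls, so the generated document is a starting point to review, not a finished policy.

```python
"""Derive a candidate least-privilege IAM policy for a Crossplane role from CloudTrail.

Added example, not from the original issue or the Crossplane project.
"""
import json
from collections import defaultdict

# Hypothetical role name and account ID used throughout (assumptions).
ROLE_NAME = "crossplane-provider-aws"
ROLE_SESSION_ARN = "arn:aws:sts::123456789012:assumed-role/crossplane-provider-aws/session1"

# Constructed sample CloudTrail records (subset of fields), not real log output.
SAMPLE_EVENTS = [
    {"eventSource": "cognito-idp.amazonaws.com", "eventName": "CreateUserPool",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION_ARN}},
    {"eventSource": "cognito-idp.amazonaws.com", "eventName": "DescribeUserPool",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION_ARN}},
    {"eventSource": "cognito-idp.amazonaws.com", "eventName": "DescribeUserPool",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION_ARN}},
    {"eventSource": "cognito-idp.amazonaws.com", "eventName": "UpdateUserPool",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION_ARN}},
    # A call that was refused: under a narrow policy these are the actions still missing.
    {"eventSource": "cognito-idp.amazonaws.com", "eventName": "SetUserPoolMfaConfig",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION_ARN},
     "errorCode": "AccessDenied"},
    {"eventSource": "iam.amazonaws.com", "eventName": "GetRole",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION_ARN}},
    {"eventSource": "cognito-idp.amazonaws.com", "eventName": "DeleteUserPool",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION_ARN}},
    # Unrelated principal; must not leak into the Crossplane policy.
    {"eventSource": "sns.amazonaws.com", "eventName": "CreateTopic",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]


def action_from_event(event):
    """Map a CloudTrail record to an IAM action string 'service:Operation'.

    eventSource is '<iam-service-prefix>.amazonaws.com' and eventName is the API
    operation, which for most services is also the IAM action name. Exceptions
    exist, and pure authorization checks (iam:PassRole) are never logged, so the
    result must be reviewed by hand.
    """
    prefix = event["eventSource"].split(".")[0]
    return f"{prefix}:{event['eventName']}"


def events_for_role(events, role_name):
    """Keep only records whose principal is an assumed-role session of role_name."""
    marker = f":assumed-role/{role_name}/"
    return [
        e for e in events
        if e.get("userIdentity", {}).get("type") == "AssumedRole"
        and marker in e.get("userIdentity", {}).get("arn", "")
    ]


def collect_actions(events, role_name, include_denied=True):
    """Return unique IAM actions the role used, grouped and sorted by service prefix.

    AccessDenied calls are included by default: when iterating from a narrow
    policy they are exactly the permissions that are still missing.
    """
    by_service = defaultdict(set)
    for e in events_for_role(events, role_name):
        if not include_denied and e.get("errorCode") == "AccessDenied":
            continue
        action = action_from_event(e)
        by_service[action.split(":")[0]].add(action)
    return {svc: sorted(acts) for svc, acts in sorted(by_service.items())}


def build_policy(by_service, resource="*"):
    """Emit an IAM policy document with one Allow statement per service prefix.

    Resource is '*' here because user pool ARNs are unknown before creation;
    tighten it per statement once the pool IDs are known.
    """
    statements = []
    for svc, actions in by_service.items():
        sid = "".join(part.capitalize() for part in svc.split("-")) + "Access"
        statements.append({"Sid": sid, "Effect": "Allow",
                           "Action": actions, "Resource": resource})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    used = collect_actions(SAMPLE_EVENTS, ROLE_NAME)
    print(json.dumps(build_policy(used), indent=2))
```

Run it against real records by replacing `SAMPLE_EVENTS` with the `Records` array of exported CloudTrail files; the filter on the assumed-role ARN is what keeps other principals' activity out of the Crossplane policy.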