Permissions
This document lists the minimum set of permissions required for MultiTool to operate end-to-end. MultiTool never stores your cloud credentials and relies solely on local credentials to interact with your cloud provider.
Cloudflare
MultiTool requires you to pass in a Cloudflare API Token using the `--cloudflare-api-token` CLI flag.
To create a new token in Cloudflare, follow Cloudflare's instructions.
Your token will need at least the following 2 permissions:
Target | Resource | Permission |
---|---|---|
Account | Workers Observability | Read |
Account | Workers Scripts | Edit |
AWS
MultiTool uses an authenticated CLI session for your AWS credentials. The following IAM policy defines the least privilege access MultiTool needs to function correctly. Note that the policy as written grants `apigateway:*` (which already covers every individual `apigateway:` action listed after it) and applies every action to all resources via `"Resource": "*"`; where your setup allows, narrow the `Resource` element to the specific function, role and API ARNs MultiTool manages.
For help creating an IAM policy, see Create IAM policies (console) in the AWS docs.
json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "multitoolminimumpermissions",
"Effect": "Allow",
"Action": [
"apigateway:*",
"apigateway:AddCertificateToDomain",
"apigateway:CreateAccessAssociation",
"apigateway:DELETE",
"apigateway:GET",
"apigateway:PATCH",
"apigateway:POST",
"apigateway:PUT",
"apigateway:RejectAccessAssociation",
"apigateway:RemoveCertificateFromDomain",
"apigateway:SetWebACL",
"apigateway:UpdateDomainNameManagementPolicy",
"apigateway:UpdateDomainNamePolicy",
"apigateway:UpdateRestApiPolicy",
"cloudwatch:CreateServiceLevelObjective",
"cloudwatch:DeleteMetricStream",
"cloudwatch:DescribeAlarmHistory",
"cloudwatch:DescribeAlarms",
"cloudwatch:DescribeAlarmsForMetric",
"cloudwatch:DescribeAnomalyDetectors",
"cloudwatch:DescribeInsightRules",
"cloudwatch:GenerateQuery",
"cloudwatch:GetDashboard",
"cloudwatch:GetInsightRuleReport",
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:GetMetricStream",
"cloudwatch:GetMetricWidgetImage",
"cloudwatch:GetService",
"cloudwatch:GetServiceData",
"cloudwatch:GetTopologyDiscoveryStatus",
"cloudwatch:GetTopologyMap",
"cloudwatch:ListDashboards",
"cloudwatch:ListEntitiesForMetric",
"cloudwatch:ListManagedInsightRules",
"cloudwatch:ListMetrics",
"cloudwatch:ListMetricStreams",
"cloudwatch:ListServiceLevelObjectives",
"cloudwatch:ListServices",
"cloudwatch:ListTagsForResource",
"cloudwatch:PutDashboard",
"cloudwatch:PutMetricAlarm",
"cloudwatch:PutMetricData",
"cloudwatch:PutMetricStream",
"cloudwatch:StartMetricStreams",
"cloudwatch:StopMetricStreams",
"cloudwatch:TagResource",
"cloudwatch:UntagResource",
"iam:CreateAccessKey",
"iam:CreateRole",
"iam:DeleteAccessKey",
"iam:GetRole",
"iam:ListAccessKeys",
"iam:PassRole",
"iam:UpdateAccessKey",
"lambda:AddPermission",
"lambda:CreateAlias",
"lambda:CreateEventSourceMapping",
"lambda:CreateFunction",
"lambda:CreateFunctionUrlConfig",
"lambda:DeleteAlias",
"lambda:DeleteEventSourceMapping",
"lambda:DeleteFunction",
"lambda:DeleteFunctionEventInvokeConfig",
"lambda:DeleteFunctionUrlConfig",
"lambda:DisableReplication",
"lambda:EnableReplication",
"lambda:GetAccountSettings",
"lambda:GetAlias",
"lambda:GetEventSourceMapping",
"lambda:GetFunction",
"lambda:GetFunctionConfiguration",
"lambda:GetFunctionEventInvokeConfig",
"lambda:GetFunctionUrlConfig",
"lambda:GetPolicy",
"lambda:GetRuntimeManagementConfig",
"lambda:InvokeAsync",
"lambda:InvokeFunction",
"lambda:InvokeFunctionUrl",
"lambda:ListAliases",
"lambda:ListEventSourceMappings",
"lambda:ListFunctionEventInvokeConfigs",
"lambda:ListFunctions",
"lambda:ListFunctionUrlConfigs",
"lambda:ListTags",
"lambda:ListVersionsByFunction",
"lambda:PublishVersion",
"lambda:PutFunctionEventInvokeConfig",
"lambda:PutRuntimeManagementConfig",
"lambda:RemovePermission",
"lambda:UpdateAlias",
"lambda:UpdateEventSourceMapping",
"lambda:UpdateFunctionCode",
"lambda:UpdateFunctionConfiguration",
"lambda:UpdateFunctionEventInvokeConfig"
],
"Resource": "*"
}
]
}