Required permissions for the formae agent

[ddddddO]

Hi!👋
I'm trying out forame, and starting with a least-privilege account, I finally succeeded in creating the S3 bucket in the tutorial!
However, the formae agent is logging an error, probably because it's trying to discover resources but doesn't have the necessary permissions. So I thought it might be more user-friendly if the formae agent documented the minimum permissions it requires!

...
2025-11-30T10:33:01+09:00 ERR PluginOperator: failed to list resources of type AWS::RDS::DBInstance in target my-default-aws-target with list paramete
rs map[]: operation error CloudControl: ListResources, https response error StatusCode: 400, RequestID:... because no identity-based policy allows the cloudformation:ListResources action [pid= ...

[browdues]

Hi @ddddddO! 👋

Great suggestion, thank you for taking the time to report this! We've created an issue (#101) to enhance our documentation with IAM permission requirements.

Quick answer for now:

The AWS plugin uses the Cloud Control API for resource operations. While Cloud Control is a separate API from CloudFormation, AWS placed its IAM permissions in the cloudformation: namespace (e.g. cloudformation:ListResources)

For the full list of required permissions and example IAM policies, see the AWS Cloud Control API Security documentation.

Workaround for now:

If you don't need automatic discovery for the time being, you can disable it by creating a config file at ~/.config/formae/formae.conf.pkl:

amends "formae:/Config.pkl"

agent {
    discovery {
        enabled = false
    }
}

[ddddddO]

@browdues
I see! Thanks for letting me know!