Open
Labels
documentation (Improvements or additions to documentation)
Description
What problem does this solve?
Users attempting to follow the principle of least privilege should understand what permissions the formae agent requires for:
- Resource discovery (listing resources across AWS services)
- Cloud Control CRUD operations
Proposed solution
Add an "IAM Permissions" section to the AWS targets documentation and update the plugin error to link to this documentation.
Discussed in #99
Originally posted by ddddddO November 29, 2025
Hi!👋
I'm trying out formae, and starting with a least-privilege account, I finally succeeded in creating the S3 bucket in the tutorial!
However, the formae agent is logging an error, probably because it's trying to discover resources but doesn't have the necessary permissions. So I thought it might be more user-friendly if the formae agent documented the minimum permissions it requires!
```
...
2025-11-30T10:33:01+09:00 ERR PluginOperator: failed to list resources of type AWS::RDS::DBInstance in target my-default-aws-target with list parameters map[]: operation error CloudControl: ListResources, https response error StatusCode: 400, RequestID:... because no identity-based policy allows the cloudformation:ListResources action [pid= ...
```
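Until the requested "IAM Permissions" section exists, the denied actions can be read back out of the agent log. The following is an added example, not code from the issue or from the formae project: it parses error lines shaped like the one quoted above and builds a candidate policy from them. The sample lines other than the first, the `Sid` value and the `Resource` setting are assumptions of the example.

```python
import json
import re
from collections import defaultdict

# Constructed sample input: the template follows the error line quoted in the
# issue (elisions kept as "..."); timestamps 2-4 and the EC2 type are invented.
_DENIED = ("{ts} ERR PluginOperator: failed to list resources of type {rtype} in target "
           "my-default-aws-target with list parameters map[]: operation error CloudControl: "
           "ListResources, https response error StatusCode: 400, RequestID:... because no "
           "identity-based policy allows the cloudformation:ListResources action [pid= ...")
SAMPLE_LOG = "\n".join([
    _DENIED.format(ts="2025-11-30T10:33:01+09:00", rtype="AWS::RDS::DBInstance"),
    _DENIED.format(ts="2025-11-30T10:33:02+09:00", rtype="AWS::EC2::VPC"),
    "2025-11-30T10:33:03+09:00 INF constructed line with no denial",
    _DENIED.format(ts="2025-11-30T10:38:01+09:00", rtype="AWS::RDS::DBInstance"),
])

# Resource type and denied IAM action must both appear on the same log line.
DENIED_RE = re.compile(
    r"resources of type (?P<rtype>AWS::\w+::\w+) in target (?P<target>\S+).*"
    r"no identity-based policy allows the (?P<action>[\w-]+:\w+) action")

def denied_actions(log_text):
    """Map each denied IAM action to the resource types whose discovery hit it."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            found[m["action"]].add(m["rtype"])  # sets absorb repeated lines
    return dict(found)

def policy_for(denied):
    """Build a candidate identity-based policy granting only the denied actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "FormaeAgentObservedDenials",  # hypothetical Sid
            "Effect": "Allow",
            "Action": sorted(denied),
            "Resource": "*",  # assumption: narrow this where the action allows it
        }],
    }

if __name__ == "__main__":
    denied = denied_actions(SAMPLE_LOG)
    for action, rtypes in sorted(denied.items()):
        print(action, "<-", ", ".join(sorted(rtypes)))
    print(json.dumps(policy_for(denied), indent=2))
```

Cloud Control calls the underlying service with the caller's credentials, so once `cloudformation:ListResources` is allowed, later denials can name that service's own actions; re-run the check after each policy change.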