If this is already somewhere please point it out.
I started with this policy from travis, but node-lambda required a lot more permissions than this: https://docs.travis-ci.com/user/deployment/lambda/
I was getting this error `ResourceConflictException: Function already exist`, incorrectly.
Eventually I figured out the error reporting for permissions is very bad in node-lambda. It assumes any permission error is just a nonexistent function. https://github.com/motdotla/node-lambda/blob/master/lib/main.js#L889
This is the latest version of my IAM policy to get a deploy without errors:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListExistingRolesAndPolicies",
      "Effect": "Allow",
      "Action": [
        "iam:ListRolePolicies",
        "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CreateAndListFunctions",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:ListFunctions",
        "lambda:ListEventSourceMappings"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DeployCode",
      "Effect": "Allow",
      "Action": [
        "lambda:GetFunction",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration"
      ],
      "Resource": [
        "arn:aws:lambda:us-east-1:12345:function:abc",
        "arn:aws:lambda:us-east-1:12345:function:abcdef",
        "arn:aws:lambda:us-east-1:12345:function:whatever"
      ]
    },
    {
      "Sid": "SetRole",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::12345:role/exec_role"
    },
    {
      "Sid": "S3Uploads",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::mybucket/test/lambdas/*"
    },
    {
      "Sid": "LogsPermission",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:PutRetentionPolicy"
      ],
      "Resource": "*"
    }
  ]
}
```
From travis's doc:

> It does not appear to be possible to wildcard the DeployCode statement
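The failure mode this issue describes, a permission error read as "function does not exist" so that a create is attempted against a function that is already there, is avoided by branching on the error type of the lookup. This is an added example, not part of the original issue and not node-lambda's code; `classifyLookupError`, `planDeploy`, `stubLookup` and the `getFunction` wrapper are hypothetical names, and the stubbed errors are constructed.

```javascript
// Added example, not node-lambda code. The AWS error type names are real;
// the stub lookups and the function name 'abc' are constructed.

// Map an AWS SDK error to what it says about the function's existence.
// SDK v2 exposes the error type as err.code, SDK v3 as err.name.
function classifyLookupError(err) {
  const type = (err && (err.code || err.name)) || '';
  if (type === 'ResourceNotFoundException') return 'missing';
  if (type === 'AccessDeniedException') return 'denied';
  return 'unknown';
}

// Decide between create and update. `getFunction` is a caller-supplied async
// wrapper around the Lambda GetFunction call (hypothetical parameter).
async function planDeploy(getFunction, functionName) {
  try {
    await getFunction(functionName);
    return 'update';
  } catch (err) {
    const kind = classifyLookupError(err);
    if (kind === 'missing') return 'create';
    if (kind === 'denied') {
      // Report the IAM gap instead of falling through to CreateFunction.
      throw new Error(`Cannot check ${functionName}: the deploy identity ` +
        `lacks lambda:GetFunction on it (${err.message})`);
    }
    throw err; // throttling, network failures, etc.: surface unchanged
  }
}

// Constructed stub standing in for the AWS call.
function stubLookup(errorType) {
  return async (name) => {
    if (!errorType) return { Configuration: { FunctionName: name } };
    const err = new Error(`${errorType} (constructed)`);
    err.name = errorType;
    throw err;
  };
}

async function demo() {
  const results = {};
  results.existing = await planDeploy(stubLookup(null), 'abc');
  results.absent = await planDeploy(stubLookup('ResourceNotFoundException'), 'abc');
  results.denied = await planDeploy(stubLookup('AccessDeniedException'), 'abc')
    .catch((e) => `error: ${e.message}`);
  return results;
}

demo().then((r) => console.log(r));
```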
Looks like there are more permissions to be had now when deploying to s3.

```
"s3:PutObject", "s3:GetObject", "s3:CreateBucket", "s3:ListBucket"
```
I think this should be on the readme... @motdotla what do you think?