Versions Compared

Old Version 7

changes.mady.by.user Yajing Wang

Saved on

compared with

New Version 8

changes.mady.by.user Yajing Wang

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Expand
titleIAM Permissions for the AWS Account
Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "eks:*",
            "Resource": "*"
        },
        {
            "Action": [
                "ssm:GetParameter",
                "ssm:GetParameters"
            ],
            "Resource": [
                "arn:aws:ssm:*:<account_id>:parameter/aws/*",
                "arn:aws:ssm:*::parameter/aws/*"
            ],
            "Effect": "Allow"
        },
        {
             "Action": [
               "kms:CreateGrant",
               "kms:DescribeKey"
             ],
             "Resource": "*",
             "Effect": "Allow"
        },
        {
             "Action": [
               "logs:PutRetentionPolicy"
             ],
             "Resource": "*",
             "Effect": "Allow"
        }
    ]
}
Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:GetRole",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:AddRoleToInstanceProfile",
                "iam:ListInstanceProfilesForRole",
                "iam:PassRole",
                "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:GetRolePolicy",
                "iam:GetOpenIDConnectProvider",
                "iam:CreateOpenIDConnectProvider",
                "iam:DeleteOpenIDConnectProvider",
                "iam:TagOpenIDConnectProvider",
                "iam:ListAttachedRolePolicies",
                "iam:TagRole",
                "iam:UntagRole",
                "iam:GetPolicy",
                "iam:CreatePolicy",
                "iam:DeletePolicy",
                "iam:ListPolicyVersions"
            ],
            "Resource": [
                "arn:aws:iam::<account_id>:instance-profile/eksctl-*",
                "arn:aws:iam::<account_id>:role/eksctl-*",
                "arn:aws:iam::<account_id>:policy/eksctl-*",
                "arn:aws:iam::<account_id>:oidc-provider/*",
                "arn:aws:iam::<account_id>:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup",
                "arn:aws:iam::<account_id>:role/eksctl-managed-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:GetUser"
            ],
            "Resource": [
                "arn:aws:iam::<account_id>:role/*",
                "arn:aws:iam::<account_id>:user/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "eks.amazonaws.com",
                        "eks-nodegroup.amazonaws.com",
                        "eks-fargate.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
Code Block
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"cloudtrail:LookupEvents",
				"cloudformation:ListStacks",
				"cloudformation:DescribeStackEvents",
				"cloudformation:DescribeStacks",
				"cloudformation:ListStackResources",
				"cloudformation:CreateStack",
				"cloudformation:GetTemplateSummary",
				"cloudformation:CreateUploadBucket",	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"ssm:ListAssociations",
				"ec2:RunInstances",
				"ec2:DescribeSubnets",
				"ec2:DescribeKeyPairs",
				"ec2:DescribeVpcs",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeSecurityGroupRules",
				"ec2:AuthorizeSecurityGroupIngress",
				"ec2:CreateTags",
				"ec2:CreateSecurityGroup",
				"sns:ListTopics",
				"s3:CreateBucket",
				"iam:AttachRolePolicy",
				"iam:CreateRole",
				"iam:ListRoles",
				"iam:TagRole",
				"iam:PutRolePolicy",
				"iam:CreateInstanceProfile",
				"iam:AddRoleToInstanceProfile",
				"iam:PassRole",
				"ec2:DescribeInstances",
				"ec2:DescribeInstanceTypes",
				"ec2:RunInstances",
				"ec2:DescribeImages",
				"ec2:DescribeImageAttribute",
				"ec2:DescribeAvailabilityZones",
				"ec2:DescribeAccountAttributes",
				"ec2:DescribeRouteTables",
				"ec2:DescribeNetworkAcls",
				"ec2:DescribeInstanceStatus",
				"ec2:DescribeAddresses",
				"ec2:DescribeDhcpOptions",
				"ec2:DescribeSnapshots",
				"ec2:DescribeVolumes",
				"ec2:DescribeVolumeStatus",
				"ec2:DescribeVolumesModifications",
				"cloudwatch:DescribeAlarms",
				"cloudwatch:ListMetrics",
				"iam:ListUsers",
				"iam:ListAccessKeys",
				"iam:CreateAccessKey",
				"ec2:AuthorizeSecurityGroupEgress",
				"iam:ListPolicyVersions",
				"eks:ListClusters",
				"eks:DescribeCluster",
				"eks:ListNodegroups",
				"eks:DescribeNodegroup",
				"eks:DescribeAddon",
				"eks:ListAddons",
				"eks:DescribeIdentityProviderConfig"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"s3:PutObject",
				"s3:GetObject"
			],
			"Resource": "arn:aws:s3:::cf-template*"
		},
		{
			"Sid": "Statement1",
			"Effect": "Allow",
			"Action": [
				"eks:CreateCluster",
				"eks:DescribeCluster",
				"eks:DeleteCluster",
				"eks:ListClusters",
				"eks:UpdateClusterConfig",
				"eks:UpdateClusterVersion",
				"eks:CreateNodegroup",
				"eks:DescribeNodegroup",
				"eks:ListNodegroups",
				"eks:UpdateNodegroupConfig",
				"eks:UpdateNodegroupVersion",
				"eks:DescribeAddonVersions",
				"eks:CreateAddon",
				"eks:DeleteAddon",
				"eks:DescribeAddon",
				"eks:ListAddons",
				"eks:UpdateAddon",
				"eks:AccessKubernetesApi",
				"eks:ListAccessPolicies",
				"eks:ListAccessEntries",
				"eks:ListIdentityProviderConfigs",
				"eks:DescribeAccessEntry",
				"eks:ListPodIdentityAssociations",
				"eks:ListAssociatedAccessPolicies",
				"eks:CreateAccessEntry",
				"eks:AssociateAccessPolicy"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"iam:DeleteRolePolicy",
				"iam:DeleteRole",
				"iam:GetRole",
				"iam:ListPolicies",
				"iam:ListAttachedRolePolicies",
				"iam:CreateServiceLinkedRole",
				"iam:RemoveRoleFromInstanceProfile",
				"iam:DeleteInstanceProfile",
				"iam:ListEntitiesForPolicy",
				"iam:GetInstanceProfile",
				"iam:ListInstanceProfiles",
				"iam:ListInstanceProfilesForRole",
				"iam:ListOpenIDConnectProviders",
				"iam:GetOpenIDConnectProvider",
				"iam:GetRolePolicy",
				"ec2:RevokeSecurityGroupIngress",
				"ec2:DeleteSecurityGroup",
				"ec2:StopInstances",
				"ec2:TerminateInstances",
				"ec2:DescribeVpcAttribute",
				"ec2:DescribeTags",
				"ec2:DescribeNetworkInterfaces",
				"cloudformation:DeleteStack",
				"ec2:RevokeSecurityGroupEgress",
				"iam:ListRolePolicies",
				"iam:CreatePolicy",
				"iam:GetPolicy",
				"ec2:DescribeInstanceAttribute",
				"iam:GetPolicyVersion"
			],
			"Resource": "*"
		},
		{
			"Sid": "AdditionalPermissions",
			"Effect": "Allow",
			"Action": [
				"iam:DetachRolePolicy",
				"ec2:CreateVpc",
				"ec2:DeleteVpc",
				"ec2:CreateSubnet",
				"ec2:DeleteSubnet",
				"ec2:CreateRouteTable",
				"ec2:CreateRoute",
				"ec2:AssociateRouteTable",
				"ec2:ReplaceRouteTableAssociation",
				"ec2:DeleteRouteTable",
				"ec2:CreateInternetGateway",
				"ec2:AttachInternetGateway",
				"ec2:AllocateAddress",
				"ec2:ReleaseAddress",
				"ec2:CreateNatGateway",
				"ec2:DeleteNatGateway",
				"cloudformation:UpdateStack",
				"cloudformation:DeleteChangeSet",
				"cloudformation:DescribeChangeSet",
				"cloudformation:ExecuteChangeSet",
				"cloudtrail:DescribeTrails",
				"cloudtrail:GetTrailStatus",
				"cloudtrail:GetEventSelectors",
				"logs:DescribeLogGroups",
				"logs:DescribeLogStreams",
				"logs:GetLogEvents",
				"logs:FilterLogEvents",
				"iam:GetUserPolicy",
				"iam:GetGroupPolicy",
				"iam:GetPolicyVersion",
				"ec2:CreateLaunchTemplate",
				"ec2:DescribeLaunchTemplates",
				"ec2:DescribeInternetGateways",
				"ec2:ModifyVpcAttribute",
				"ec2:ModifySubnetAttribute",
				"ec2:DescribeNatGateways",
				"ec2:DescribeInstanceTypeOfferings",
				"ec2:DescribeEgressOnlyInternetGateways",
				"ec2:DescribeLaunchTemplateVersions",
				"ec2:DeleteLaunchTemplate",
				"eks:TagResource",
				"elasticloadbalancing:CreateLoadBalancer",
				"elasticloadbalancing:DescribeLoadBalancers",
				"elasticloadbalancing:DeleteLoadBalancer",
				"elasticloadbalancing:CreateTargetGroup",
				"elasticloadbalancing:DescribeTargetGroups",
				"elasticloadbalancing:RegisterTargets",
				"autoscaling:CreateAutoScalingGroup",
				"autoscaling:UpdateAutoScalingGroup",
				"autoscaling:DeleteAutoScalingGroup",
				"autoscaling:DescribeAutoScalingGroups",
				"autoscaling:DescribeScalingActivities",
				"cloudformation:DescribeChangeSet",
				"cloudformation:ExecuteChangeSet",
				"s3:CreateBucket",
				"s3:DeleteBucket",
				"s3:ListBucket",
				"s3:GetBucketLocation",
				"s3:GetBucketPolicy",
				"s3:PutBucketPolicy"
			],
			"Resource": "*"
		}
	]
}

...

Code Block
$ kubectl get node -l eks.amazonaws.com/nodegroup=x-compute

The output should display the new nodes as ready:

Code Block
NAME                                          STATUS   ROLES    AGE     VERSION
ip-10-0-39-220.us-west-1.x-compute.internal   Ready    <none>   4m17s   v1.29.3-eks-ae9a62a

...