Content Comparison

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"autoscaling:CompleteLifecycleAction",
				"ec2autoscaling:DescribeAddressesCreateAutoScalingGroup",
				"ec2autoscaling:DescribeDhcpOptionsDeleteAutoScalingGroup",
				"ec2autoscaling:DescribeSnapshotsEnableMetricsCollection",
				"ec2autoscaling:DescribeVolumesPutNotificationConfiguration",
				"ec2autoscaling:DescribeVolumeStatusUpdateAutoScalingGroup"
			],
				"Resource"ec2:DescribeVolumesModifications" "*"
		},
		{
			"cloudwatch:DescribeAlarmsEffect": "Allow",
				"Action"cloudwatch:ListMetrics", [
				"iamec2:ListUsersAllocateAddress",
				"iamec2:ListAccessKeysAssignPrivateIpAddresses",
				"iamec2:CreateAccessKeyAssociateRouteTable",
				"ec2:AuthorizeSecurityGroupEgressAttachInternetGateway",
				"iamec2:ListPolicyVersionsAttachNetworkInterface",
				"eksec2:ListClustersAuthorizeSecurityGroupEgress",
				"eksec2:DescribeClusterAuthorizeSecurityGroupIngress",
				"eksec2:ListNodegroupsCreateFleet",
				"eksec2:DescribeNodegroupCreateInternetGateway",
				"eksec2:DescribeAddonCreateLaunchTemplate",
				"eksec2:ListAddonsCreateLaunchTemplateVersion",
				"eksec2:DescribeIdentityProviderConfigCreateNatGateway",
			]	"ec2:CreateNetworkAclEntry",
				"Resource": "*"
		}ec2:CreateNetworkInterface",
		{
			"Effect": "Allowec2:CreateNetworkInterfacePermission",
				"Actionec2:CreateRoute":,
[
				"s3ec2:PutObjectCreateRouteTable",
				"s3ec2:GetObjectCreateSecurityGroup",
				]"ec2:CreateSubnet",
				"Resource": "arn:aws:s3:::cf-template*"
		},
		{
ec2:CreateTags",
				"Sid"ec2: CreateVpc"Statement1",
				"Effect": "Allowec2:DeleteInternetGateway",
				"Action"ec2:DeleteLaunchTemplate",
[
				"eksec2:CreateClusterDeleteNatGateway",
				"eksec2:DescribeClusterDeleteNetworkAclEntry",
				"eksec2:DeleteClusterDeleteNetworkInterface",
				"eksec2:ListClustersDeleteRoute",
				"eksec2:UpdateClusterConfigDeleteRouteTable",
				"eksec2:UpdateClusterVersionDeleteSecurityGroup",
				"eksec2:CreateNodegroupDeleteSubnet",
				"eksec2:DescribeNodegroupDeleteTags",
				"eksec2:ListNodegroupsDeleteVpc",
				"eksec2:UpdateNodegroupConfigDescribeAddresses",
				"eksec2:UpdateNodegroupVersionDescribeAddressesAttribute",
				"eksec2:DescribeAddonVersionsDescribeAvailabilityZones",
				"eksec2:CreateAddonDescribeDhcpOptions",
				"eksec2:DeleteAddonDescribeImages",
				"eksec2:DescribeAddonDescribeInstanceAttribute",
				"eksec2:ListAddonsDescribeInstances",
				"eksec2:UpdateAddonDescribeInstanceTypes",
				"eksec2:AccessKubernetesApiDescribeInternetGateways",
				"eksec2:ListAccessPoliciesDescribeLaunchTemplates",
				"eksec2:ListAccessEntriesDescribeLaunchTemplateVersions",
				"eksec2:ListIdentityProviderConfigsDescribeNatGateways",
				"eksec2:DescribeAccessEntryDescribeNetworkAcls",
				"eksec2:ListPodIdentityAssociationsDescribeNetworkInterfaces",
				"eksec2:ListAssociatedAccessPoliciesDescribeRouteTables",
				"eksec2:CreateAccessEntryDescribeSecurityGroupRules",
				"eksec2:AssociateAccessPolicyDescribeSecurityGroups",
			],
			"Resource"ec2: "*"
		}DescribeSnapshots",
		{
			"Effect": "Allowec2:DescribeSubnets",
				"Action": [ec2:DescribeTags",
				"iamec2:DeleteRolePolicyDescribeVolumes",
				"iamec2:DeleteRoleDescribeVpcAttribute",
				"iamec2:GetRoleDescribeVpcs",
				"iamec2:ListPoliciesDetachInternetGateway",
				"iamec2:ListAttachedRolePoliciesDetachNetworkInterface",
				"iamec2:CreateServiceLinkedRoleDisassociateAddress",
				"iamec2:RemoveRoleFromInstanceProfileDisassociateRouteTable",
				"iamec2:DeleteInstanceProfileModifyInstanceAttribute",
				"iamec2:ListEntitiesForPolicyModifyLaunchTemplate",
				"iamec2:GetInstanceProfileModifyNetworkInterfaceAttribute",
				"iamec2:ListInstanceProfilesModifySubnetAttribute",
				"iamec2:ListInstanceProfilesForRoleModifyVpcAttribute",
				"iamec2:ListOpenIDConnectProvidersReleaseAddress",
				"iamec2:GetOpenIDConnectProviderRevokeSecurityGroupEgress",
				"iamec2:GetRolePolicyRevokeSecurityGroupIngress",
				"ec2:RevokeSecurityGroupIngressRunInstances",
				"ec2:DeleteSecurityGroupTerminateInstances",
				"ec2:StopInstances"],
				"Resource"ec2:TerminateInstances" "*"
		},
		{
			"Effect"ec2:DescribeVpcAttribute "Allow",
				"Action"ec2:DescribeTags", [
				"ec2eks:DescribeNetworkInterfacesAssociateAccessPolicy",
				"cloudformationeks:DeleteStackCreateAccessEntry",
				"ec2eks:RevokeSecurityGroupEgressCreateAddon",
				"iameks:ListRolePoliciesCreateCluster",
				"iameks:CreatePolicyCreateNodegroup",
				"iameks:GetPolicyDeleteAccessEntry",
				"ec2eks:DescribeInstanceAttributeDeleteAddon",
				"iameks:GetPolicyVersionDeleteCluster",
			],
			"Resource"eks: "*"
		}DeleteNodegroup",
		{
			"Sid": "AdditionalPermissionseks:DescribeAccessEntry",
				"Effect": "Alloweks:DescribeAddon",
				"Action": [eks:DescribeAddonVersions",
				"iameks:DetachRolePolicyDescribeCluster",
				"ec2eks:CreateVpcDescribeNodegroup",
				"ec2eks:DeleteVpcDisassociateAccessPolicy",
				"ec2eks:CreateSubnetListAssociatedAccessPolicies",
				"ec2eks:DeleteSubnetListNodegroups",
				"ec2eks:CreateRouteTableTagResource",
				"ec2:CreateRoute"],
				"Resource"ec2:AssociateRouteTable "*",
		},
		"ec2:ReplaceRouteTableAssociation",{
				"Effect"ec2:DeleteRouteTable "Allow",
				"Action"ec2:CreateInternetGateway", [
				"ec2events:AttachInternetGatewayPutRule",
				"ec2events:AllocateAddressPutTargets",
				"ec2:ReleaseAddress"],
				"Resource"ec2:CreateNatGateway" "*"
		},
		{
			"Effect"ec2:DeleteNatGateway "Allow",
				"Action"cloudformation:UpdateStack", [
				"cloudformationiam:DeleteChangeSetAddRoleToInstanceProfile",
				"cloudformationiam:DescribeChangeSetAttachRolePolicy",
				"cloudformationiam:ExecuteChangeSetCreateInstanceProfile",
				"cloudtrailiam:DescribeTrailsCreateOpenIDConnectProvider",
				"cloudtrailiam:GetTrailStatusCreatePolicy",
				"cloudtrailiam:GetEventSelectorsCreateRole",
				"logsiam:DescribeLogGroupsDeleteInstanceProfile",
				"logsiam:DescribeLogStreamsDeleteOpenIDConnectProvider",
				"logsiam:GetLogEventsDeletePolicy",
				"logsiam:FilterLogEventsDeleteRole",
				"iam:GetUserPolicyDeleteRolePolicy",
				"iam:GetGroupPolicyDetachRolePolicy",
				"iam:GetPolicyVersionGetInstanceProfile",
				"ec2iam:CreateLaunchTemplateGetOpenIDConnectProvider",
				"ec2iam:DescribeLaunchTemplatesGetPolicy",
				"ec2iam:DescribeInternetGatewaysGetPolicyVersion",
				"ec2iam:ModifyVpcAttributeGetRole",
				"ec2iam:ModifySubnetAttributeGetRolePolicy",
				"ec2iam:DescribeNatGatewaysListAttachedRolePolicies",
				"ec2iam:DescribeInstanceTypeOfferingsListInstanceProfilesForRole",
				"ec2iam:DescribeEgressOnlyInternetGatewaysListPolicyVersions",
				"ec2iam:DescribeLaunchTemplateVersionsListRolePolicies",
				"ec2iam:DeleteLaunchTemplatePutRolePolicy",
				"eksiam:TagResourceRemoveRoleFromInstanceProfile",
				"elasticloadbalancingiam:CreateLoadBalancerTagInstanceProfile",
				"elasticloadbalancingiam:DescribeLoadBalancersTagOpenIDConnectProvider",
				"elasticloadbalancingiam:DeleteLoadBalancerTagRole",
				"elasticloadbalancing:CreateTargetGroup"],
				"Resource"elasticloadbalancing:DescribeTargetGroups "*",
		},
		"elasticloadbalancing:RegisterTargets",{
				"Effect"autoscaling:CreateAutoScalingGroup "Allow",
				"Action"autoscaling:UpdateAutoScalingGroup", [
				"autoscalingiam:DeleteAutoScalingGroupPassRole",
				"autoscaling:DescribeAutoScalingGroups"],
				"Resource"autoscaling:DescribeScalingActivities", [
				"cloudformation:DescribeChangeSet"arn:aws:iam::<account-id>:role/<cluster-name>*",
				"cloudformation:ExecuteChangeSet",
				"s3:CreateBucket"arn:aws:iam::<account-id>:role/terraform-*"
			]
		},
		{
			"Effect"s3:DeleteBucket "Allow",
				"Action"s3:ListBucket", [
				"s3kms:GetBucketLocationCreateAlias",
				"s3kms:GetBucketPolicyCreateGrant",
				"s3:PutBucketPolicy"
kms:CreateKey",
				"kms:DeleteAlias",
				]"kms:EnableKeyRotation",
				"Resource": "*"
		}
	]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "aws-marketplace:ListEntities"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
                "ec2:ModifyInstanceAttribute",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeImages",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSnapshots",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RunInstances",
                "ec2:TerminateInstances"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
                "eks:DescribeCluster",
                "eks:DescribeNodegroup",
                "eks:ListNodegroups"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:AttachRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:CreateRole",
                "iam:DeleteInstanceProfile",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetInstanceProfile",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:ListRolePolicies",
                "iam:PutRolePolicy",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:TagInstanceProfile",
                "iam:TagRole"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"iam:PassRole"
			],
			"Resource": [
				"arn:aws:iam::<account-id>:role/<cluster-name>*",
				"arn:aws:iam::<account-id>:role/terraform-*"
			]
		}
    ]
}

aws ec2 create-key-pair --key-name 'my-dev-key' --query 'KeyMaterial' --output text --region us-east-2 > my-dev-key.pem

chmod 400 my-dev-key.pem

For macOS users, please grant x-install permissions by clicking the “Allow Anyway” button in the Security settings. This button is available for about an hour after you try to open the app. You can access the Security settings by choosing Apple Menu > System Settings, then clicking Privacy & Security in the sidebar.

kubectl get node -l eks.amazonaws.com/nodegroup=x-compute

NAME                                          STATUS   ROLES    AGE     VERSION
ip-10-0-39-220.us-west-1.x-compute.internal   Ready    <none>   4m17s   v1.29.3-eks-ae9a62a