Versions Compared

Version Old Version 58 New Version Current
Changes made by

Yajing Wang

Bhargav Ravuri

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

IAM Permissions
Expand
titleIAM Permissions for the AWS Account - Standalone Flow

When working with standalone flow i.e., deploying everything from scratch using the create-standalone command, use the following IAM policy.

Please add your AWS account ID and cluster name to the policy below.

Code Block
languagejson
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"autoscalingiam:CompleteLifecycleActionPassRole",
				"autoscaling:CreateAutoScalingGroup"],
				"Resource"autoscaling:DeleteAutoScalingGroup", [
				"autoscaling:EnableMetricsCollectionarn:aws:iam::<account-id>:role/<cluster-name>*",
				"autoscaling:PutNotificationConfiguration",
				"autoscaling:UpdateAutoScalingGrouparn:aws:iam::<account-id>:role/terraform-*"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"ec2autoscaling:AllocateAddressCompleteLifecycleAction",
				"ec2autoscaling:AssignPrivateIpAddressesCreateAutoScalingGroup",
				"ec2autoscaling:AssociateRouteTableDeleteAutoScalingGroup",
				"ec2autoscaling:AttachInternetGatewayEnableMetricsCollection",
				"ec2autoscaling:AttachNetworkInterfacePutNotificationConfiguration",
				"ec2autoscaling:AuthorizeSecurityGroupEgressUpdateAutoScalingGroup"
			],
				"Resource"ec2:AuthorizeSecurityGroupIngress" "*"
		},
		{
			"Effect"ec2:CreateFleet "Allow",
				"Action"ec2:CreateInternetGateway", [
				"ec2:CreateLaunchTemplateAllocateAddress",
				"ec2:CreateLaunchTemplateVersionAssignPrivateIpAddresses",
				"ec2:CreateNatGatewayAssociateRouteTable",
				"ec2:CreateNetworkAclEntryAttachInternetGateway",
				"ec2:CreateNetworkInterfaceAttachNetworkInterface",
				"ec2:CreateNetworkInterfacePermissionAuthorizeSecurityGroupEgress",
				"ec2:CreateRouteAuthorizeSecurityGroupIngress",
				"ec2:CreateRouteTableCreateFleet",
				"ec2:CreateSecurityGroupCreateInternetGateway",
				"ec2:CreateSubnetCreateLaunchTemplate",
				"ec2:CreateTagsCreateLaunchTemplateVersion",
				"ec2:CreateVpcCreateNatGateway",
				"ec2:DeleteInternetGatewayCreateNetworkAclEntry",
				"ec2:DeleteLaunchTemplateCreateNetworkInterface",
				"ec2:DeleteNatGatewayCreateNetworkInterfacePermission",
				"ec2:DeleteNetworkAclEntryCreateRoute",
				"ec2:DeleteNetworkInterfaceCreateRouteTable",
				"ec2:DeleteRouteCreateSecurityGroup",
				"ec2:DeleteRouteTableCreateSubnet",
				"ec2:DeleteSecurityGroupCreateTags",
				"ec2:DeleteSubnetCreateVpc",
				"ec2:DeleteTagsDeleteInternetGateway",
				"ec2:DeleteVpcDeleteLaunchTemplate",
				"ec2:DescribeAddressesDeleteNatGateway",
				"ec2:DescribeAddressesAttributeDeleteNetworkAclEntry",
				"ec2:DescribeAvailabilityZonesDeleteNetworkInterface",
				"ec2:DescribeDhcpOptionsDeleteRoute",
				"ec2:DescribeImagesDeleteRouteTable",
				"ec2:DescribeInstanceAttributeDeleteSecurityGroup",
				"ec2:DescribeInstancesDeleteSubnet",
				"ec2:DescribeInstanceTypesDeleteTags",
				"ec2:DescribeInternetGatewaysDeleteVpc",
				"ec2:DescribeLaunchTemplatesDescribeAddresses",
				"ec2:DescribeLaunchTemplateVersionsDescribeAddressesAttribute",
				"ec2:DescribeNatGatewaysDescribeAvailabilityZones",
				"ec2:DescribeNetworkAclsDescribeDhcpOptions",
				"ec2:DescribeNetworkInterfacesDescribeImages",
				"ec2:DescribeRouteTablesDescribeInstanceAttribute",
				"ec2:DescribeSecurityGroupRulesDescribeInstances",
				"ec2:DescribeSecurityGroupsDescribeInstanceTypes",
				"ec2:DescribeSnapshotsDescribeInternetGateways",
				"ec2:DescribeSubnetsDescribeKeyPairs",
				"ec2:DescribeTagsDescribeLaunchTemplates",
				"ec2:DescribeVolumesDescribeLaunchTemplateVersions",
				"ec2:DescribeVpcAttributeDescribeNatGateways",
				"ec2:DescribeVpcsDescribeNetworkAcls",
				"ec2:DetachInternetGatewayDescribeNetworkInterfaces",
				"ec2:DetachNetworkInterfaceDescribeRouteTables",
				"ec2:DisassociateAddressDescribeSecurityGroupRules",
				"ec2:DisassociateRouteTableDescribeSecurityGroups",
				"ec2:ModifyInstanceAttributeDescribeSnapshots",
				"ec2:ModifyLaunchTemplateDescribeSubnets",
				"ec2:ModifyNetworkInterfaceAttributeDescribeTags",
				"ec2:ModifySubnetAttributeDescribeVolumes",
				"ec2:ModifyVpcAttributeDescribeVpcAttribute",
				"ec2:ReleaseAddressDescribeVpcs",
				"ec2:RevokeSecurityGroupEgressDetachInternetGateway",
				"ec2:RevokeSecurityGroupIngressDetachNetworkInterface",
				"ec2:RunInstancesDisassociateAddress",
				"ec2:TerminateInstancesDisassociateRouteTable",
			],
			"Resource"ec2: "*"
		}ModifyInstanceAttribute",
		{
			"Effect": "Allowec2:ModifyLaunchTemplate",
				"Actionec2:ModifyNetworkInterfaceAttribute":,
[
				"eksec2:AssociateAccessPolicyModifySubnetAttribute",
				"eksec2:CreateAccessEntryModifyVpcAttribute",
				"eksec2:CreateAddonReleaseAddress",
				"eksec2:CreateClusterRevokeSecurityGroupEgress",
				"eksec2:CreateNodegroupRevokeSecurityGroupIngress",
				"eksec2:DeleteAccessEntryRunInstances",
				"eksec2:DeleteAddonTerminateInstances"
			],
				"Resource"eks:DeleteCluster" "*"
		},
		{
			"eks:DeleteNodegroup",
Effect": "Allow",
			"Action": [
				"eks:DescribeAccessEntryAssociateAccessPolicy",
				"eks:DescribeAddonCreateAccessEntry",
				"eks:DescribeAddonVersionsCreateAddon",
				"eks:DescribeClusterCreateCluster",
				"eks:DescribeNodegroupCreateNodegroup",
				"eks:DisassociateAccessPolicyDeleteAccessEntry",
				"eks:ListAssociatedAccessPoliciesDeleteAddon",
				"eks:ListNodegroupsDeleteCluster",
				"eks:TagResourceDeleteNodegroup",
			]	"eks:DescribeAccessEntry",
				"Resource"eks:DescribeAddon",
"*"				"eks:DescribeAddonVersions",
		}		"eks:DescribeCluster",
		{		"eks:DescribeNodegroup",
				"Effect"eks: DisassociateAccessPolicy"Allow",
				"Action": [eks:ListAssociatedAccessPolicies",
				"eventseks:PutRuleListNodegroups",
				"eventseks:PutTargetsTagResource"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"iamevents:AddRoleToInstanceProfilePutRule",
				"iamevents:AttachRolePolicyPutTargets",
				"iam:CreateInstanceProfile"],
				"Resource"iam:CreateOpenIDConnectProvider "*",
		},
		{
			"Effect": "Allow",
			"Action": [
				"iam:AddRoleToInstanceProfile",
				"iam:AttachRolePolicy",
				"iam:CreateInstanceProfile",
				"iam:CreateOpenIDConnectProvider",
				"iam:CreatePolicy",
				"iam:CreateRole",
				"iam:DeleteInstanceProfile",
				"iam:DeleteOpenIDConnectProvider",
				"iam:DeletePolicy",
				"iam:DeleteRole",
				"iam:DeleteRolePolicy",
				"iam:DetachRolePolicy",
				"iam:GetInstanceProfile",
				"iam:GetOpenIDConnectProvider",
				"iam:GetPolicy",
				"iam:GetPolicyVersion",
				"iam:GetRole",
				"iam:GetRolePolicy",
				"iam:ListAttachedRolePolicies",
				"iam:ListInstanceProfilesForRole",
				"iam:ListPolicyVersions",
				"iam:ListRolePolicies",
				"iam:PutRolePolicy",
				"iam:RemoveRoleFromInstanceProfile",
				"iam:TagInstanceProfile",
				"iam:TagOpenIDConnectProvider",
				"iam:TagRole"TagPolicy",
				"iam:TagRole"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"iamkms:PassRoleCreateAlias",
			]	"kms:CreateGrant",
				"Resourcekms:CreateKey":,
[
				"arn:aws:iam::<account-id>:role/<cluster-name>*kms:DeleteAlias",
				"arn:aws:iam::<account-id>:role/terraform-*"kms:DescribeKey",
			]
		}	"kms:EnableKeyRotation",
		{
			"Effect": "Allow",
			"Action": [
				"kms:CreateAlias		"kms:GetKeyPolicy",
				"kms:CreateGrantGetKeyRotationStatus",
				"kms:CreateKeyListAliases",
				"kms:DeleteAliasListResourceTags",
				"kms:EnableKeyRotation",
				"kms:ListAliasesPutKeyPolicy",
				"kms:RetireGrant",
				"kms:ScheduleKeyDeletion",
				"kms:TagResource"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"logs:CreateLogGroup",
				"logs:CreateLogStream",
				"logs:DeleteLogGroup",
				"logs:DescribeLogGroups",
				"logs:ListTagsForResource",
				"logs:PutRetentionPolicy",
				"logs:TagResource"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"aws-marketplace:ListEntities"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"ssms3:RegisterManagedInstanceGetObject",
				"ssms3:UpdateInstanceInformationListBucket"
			],
			"Resource": "*"
		},
	]
}
Expand
title
	{
			"Effect": "Allow",
			"Action": [
				"ssm:RegisterManagedInstance",
				"ssm:UpdateInstanceInformation"
			],
			"Resource": "*"
		}
	]
}
Expand
titleIAM Permissions for the AWS Account - Using an Existing Cluster

When working with existing EKS clusters, use the following IAM policy.

Please add your AWS account ID and cluster name to the policy below.

Code Block
languagejson
{
    	"Version": "2012-10-17",
    	"Statement": [
        {
            		{
			"Effect": "Allow",
            			"Action": [
                "aws-marketplace:ListEntities				"iam:PassRole"
			],
			"Resource": "*"[
		},
		{
			""arn:aws:iam::<account-id>:role/<cluster-name>*",
				"arn:aws:iam::<account-id>:role/terraform-*"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"aws-marketplace:ListEntities"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
      				"ec2:AuthorizeSecurityGroupEgress",
				"ec2:ModifyInstanceAttributeAuthorizeSecurityGroupIngress",
                				"ec2:AuthorizeSecurityGroupEgressCreateSecurityGroup",
                				"ec2:CreateTags",
				"ec2:AuthorizeSecurityGroupIngressDeleteSecurityGroup",
                				"ec2:CreateSecurityGroupDescribeDhcpOptions",
                				"ec2:CreateTagsDescribeImages",
                				"ec2:DescribeInstanceAttribute",
				"ec2:DeleteSecurityGroupDescribeInstances",
                				"ec2:DescribeDhcpOptionsDescribeInstanceTypes",
                				"ec2:DescribeImagesDescribeInternetGateways",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSnapshots",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RunInstances",
                "ec2:TerminateInstances"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
                "eks:DescribeCluster",
                "eks:DescribeNodegroup",
                "eks:ListNodegroups"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:AttachRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:CreateRole",
                "iam:DeleteInstanceProfile",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetInstanceProfile",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:ListRolePolicies",
                "iam:PutRolePolicy",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:TagInstanceProfile",
                				"ec2:DescribeNatGateways",
				"ec2:DescribeNetworkInterfaces",
				"ec2:DescribeRouteTables",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeSnapshots",
				"ec2:DescribeSubnets",
				"ec2:DescribeTags",
				"ec2:DescribeVolumes",
				"ec2:DescribeVpcAttribute",
				"ec2:DescribeVpcs",
				"ec2:ModifyInstanceAttribute",
				"ec2:RevokeSecurityGroupEgress",
				"ec2:RunInstances",
				"ec2:TerminateInstances"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"eks:DescribeCluster",
				"eks:DescribeNodegroup",
				"eks:ListNodegroups"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"iam:AddRoleToInstanceProfile",
				"iam:AttachRolePolicy",
				"iam:CreateInstanceProfile",
				"iam:CreateRole",
				"iam:DeleteInstanceProfile",
				"iam:DeleteRole",
				"iam:DeleteRolePolicy",
				"iam:DetachRolePolicy",
				"iam:GetInstanceProfile",
				"iam:GetPolicy",
				"iam:GetPolicyVersion",
				"iam:GetRole",
				"iam:GetRolePolicy",
				"iam:ListAttachedRolePolicies",
				"iam:ListInstanceProfilesForRole",
				"iam:ListRolePolicies",
				"iam:PutRolePolicy",
				"iam:RemoveRoleFromInstanceProfile",
				"iam:TagInstanceProfile",
				"iam:TagRole"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"iam:PassRole"
			],
			"Resource": [
				"arn:aws:iam::<account-id>:role/<cluster-name>*"s3:GetObject",
				"arn:aws:iam::<account-id>:role/terraform-*	"s3:ListBucket"
			],
		}
    	"Resource": "*"
		}
	]
}

...

  • x-install tool: Version 0.0.1517+

Expand
titlex-install Download Options

Platform

Architecture

File

Release Date

macOS

ARM64

View file
namex-install-darwin-arm64-.0.0.1517.tar.gz

14 Jan

macOS

x86_64

View file
namex-install-darwin-x86_64-.0.0.1517.tar.gz

14 Jan

Linux

ARM64

View file
namex-install-linux-arm64-.0.0.1517.tar.gz

14 Jan

Linux

i386

View file
namex-install-linux-i386-.0.0.1517.tar.gz

14 Jan

Linux

x86_64

View file
namex-install-linux-x86_64-.0.0.1517.tar.gz

14 Jan

Windows

ARM64

View file
namex-install-windows-arm64-.0.0.1517.zip

14 Jan

Windows

i386

View file
namex-install-windows-i386-.0.0.1517.zip

14 Jan

Windows

x86_64

View file
namex-install-windows-x86_64-.0.0.1517.zip

14 Jan

Info

For macOS users, please grant x-install permissions by clicking the “Allow Anyway” button in the Security settings. This button is available for about an hour after you try to open the app. You can access the Security settings by choosing Apple Menu System Settings, then clicking Privacy & Security in the sidebar.

...