Customer-Managed VPC & IAM
Cloud Credentials¶
Use this stripped down, minimal IAM Policy if you have pre-existing AWS resources that you need to use for the Amazon EKS Cluster. This policy will serve as the cloud credential used to provision managed K8s clusters. With this policy example, the customer is expected to create and provide references to the following:
- VPCs
- Subnets
- Route Table
- Internet Gateway
- NatGateway
- IAM Roles
- IAM Service Roles
- IAM Instance Profiles
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:GetInstanceProfile",
"iam:ListInstanceProfiles",
"iam:ListInstanceProfilesForRole",
"iam:TagRole",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:PassRole",
"iam:ListRoleTags",
"iam:ListPolicyVersions",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetOpenIDConnectProvider",
"iam:ListOpenIDConnectProviderTags",
"iam:TagOpenIDConnectProvider",
"iam:CreateOpenIDConnectProvider",
"iam:DeleteOpenIDConnectProvider"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudformation:GetTemplate",
"cloudformation:ListStacks",
"cloudformation:ListStackResources",
"cloudformation:ListStackSets",
"cloudformation:ListChangeSets",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStackSet",
"cloudformation:DeleteStack",
"cloudformation:DeleteChangeSet",
"cloudformation:DeleteStackSet",
"cloudformation:CreateStackSet",
"cloudformation:UpdateStackSet",
"cloudformation:CreateChangeSet",
"cloudformation:ExecuteChangeSet",
"cloudformation:CreateStack",
"cloudformation:UpdateStack"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"eks:CreateAddon",
"eks:CreateCluster",
"eks:CreateFargateProfile",
"eks:DescribeNodegroup",
"eks:DescribeCluster",
"eks:DescribeAddon",
"eks:DescribeAddonVersions",
"eks:DescribeFargateProfile",
"eks:DescribeUpdate",
"eks:ListUpdates",
"eks:UpdateClusterVersion",
"eks:UpdateClusterConfig",
"eks:ListClusters",
"eks:ListNodegroups",
"eks:ListAddons",
"eks:ListFargateProfiles",
"eks:ListTagsForResource",
"eks:CreateNodegroup",
"eks:TagResource",
"eks:AccessKubernetesApi",
"eks:DeleteCluster",
"eks:UntagResource",
"eks:UpdateAddon",
"eks:UpdateNodegroupConfig",
"eks:UpdateNodegroupVersion",
"eks:DeleteAddon",
"eks:DeleteFargateProfile",
"eks:DeleteNodegroup"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeScheduledActions",
"autoscaling:DescribeScalingActivities",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:SetDesiredCapacity",
"autoscaling:CreateLaunchConfiguration",
"autoscaling:DeleteLaunchConfiguration",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:CreateAutoScalingGroup",
"autoscaling:SuspendProcesses",
"autoscaling:CreateOrUpdateTags",
"autoscaling:DeleteTags"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteTags",
"ec2:DescribeVpcAttribute",
"ec2:AssociateRouteTable",
"ec2:DescribeInternetGateways",
"ec2:RevokeSecurityGroupEgress",
"ec2:ReleaseAddress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:DescribeTags",
"ec2:CreateTags",
"ec2:AllocateAddress",
"ec2:AssociateRouteTable",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeVolumes",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSubnets",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:describeAddresses",
"ec2:DescribeVpcs",
"ec2:DescribeNatGateways",
"ec2:CreateLaunchTemplate",
"ec2:CreateLaunchTemplateVersion",
"ec2:DescribeLaunchTemplates",
"ec2:RunInstances",
"ec2:DeleteLaunchTemplate",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeImageAttribute",
"ec2:DescribeKeyPairs",
"ec2:ImportKeyPair",
"ec2:DescribeInstances",
"ec2:DescribeInstanceTypeOfferings",
"ec2:ModifySecurityGroupRules",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ssm:GetParameter",
"Resource": "arn:aws:ssm:*:*:parameter/*"
},
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:CreateGrant"
],
"Resource": "*"
},
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"logs:DeleteRetentionPolicy",
"logs:PutRetentionPolicy"
],
"Resource": "*"
}
]
}
Note
For customers who will manage their own IAM Roles and Policies, (3) ARNs are required when provisioning managed K8s clusters. Click on the link below and add the policy definitions to their appropriate roles.
- Service Role ARN
- Instance Profile ARN
- Instance Role ARN