IAM Policy

The IAM policy JSON below grants the permissions required to automatically provision upstream Kubernetes clusters on Amazon EC2 infrastructure. The same policy document applies whether the cloud credential is backed by an IAM role or an IAM user.

Important

As new functionality is added, the IAM policy is periodically updated; ensure that you are using the latest version. Note that every statement in this policy uses `"Resource": "*"`, and the IAM statement grants `iam:CreateRole`, `iam:PutRolePolicy`, and `iam:PassRole` without a resource or condition restriction. A principal holding these permissions can create a role with an arbitrary inline policy and pass it to an EC2 instance, which is effectively account-wide privilege escalation — so treat the cloud credential as highly privileged: store it in a dedicated account (or at minimum a dedicated AWS account/OU for cluster provisioning), rotate it, and consider tightening the IAM statement with conditions such as `iam:PassedToService` limited to `ec2.amazonaws.com` or resource ARN patterns matching the roles the provisioner creates, verifying that provisioning still succeeds after each restriction. Also note that `ec2:AllocateAddress` is listed twice in the EC2 statement; the duplicate is harmless but can be removed.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AllocateAddress",
                "ec2:CreateKeyPair",
                "ec2:AllocateAddress",
                "ec2:CreateVpc",
                "ec2:ModifyVpcAttribute",
                "ec2:CreateTags",
                "ec2:CreateInternetGateway",
                "ec2:CreateSubnet",
                "ec2:CreateSecurityGroup",
                "ec2:CreateRouteTable",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:ModifySubnetAttribute",
                "ec2:AttachInternetGateway",
                "ec2:CreateNatGateway",
                "ec2:AssociateRouteTable",
                "ec2:CreateRoute",
                "ec2:RunInstances",
                "ec2:AssociateAddress",
                "ec2:DeleteKeyPair",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DeleteRoute",
                "ec2:DisassociateRouteTable",
                "ec2:DisassociateAddress",
                "ec2:DeleteRouteTable",
                "ec2:DetachInternetGateway",
                "ec2:DeleteNatGateway",
                "ec2:DeleteSubnet",
                "ec2:TerminateInstances",
                "ec2:ReleaseAddress",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteVpc",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeImages",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeInstances",
                "ec2:DescribeHosts",
                "ec2:DescribeVolumes",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeSnapshots",
                "ec2:DescribeIdFormat",
                "ec2:DescribeAddresses",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeVpcs",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeRouteTables",
                "ec2:DescribeNatGateways"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:PutRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:DeleteRolePolicy",
                "iam:DeleteRole",
                "iam:GetRolePolicy",
                "iam:ListPolicies",
                "iam:PassRole",
                "iam:CreateServiceLinkedRole",
                "iam:ListAttachedRolePolicies"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:DeleteStack",
                "cloudformation:SignalResource",
                "cloudformation:CreateStack",
                "cloudformation:UpdateStack",
                "cloudformation:ListStackResources",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackResource"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:DeleteLaunchConfiguration",
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:DescribeScalingActivities",
                "autoscaling:SetDesiredCapacity",
                "autoscaling:TerminateInstanceInAutoScalingGroup"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}