
IAM Permissions

Minimal IAM Policy

Use this IAM policy if you have pre-existing AWS resources that the Amazon EKS cluster should use. With this policy, you are expected to create the following resources yourself and provide references to them:

  • VPCs
  • Subnets
  • Route Tables
  • Internet Gateway
  • NAT Gateway

If you bring your own security group, you can remove the following actions from the `EC2Permissions` statement below. Note that every statement in this policy (and in the full policy further down) uses `"Resource": "*"`. In particular, the `IAMPermissions` statement combines `iam:CreateRole`, `iam:PutRolePolicy`, `iam:AttachRolePolicy` and `iam:PassRole` on all resources, which effectively lets the holder create and pass roles with arbitrary permissions. Before using this policy outside a dedicated account, scope those actions to the role ARNs the controller actually manages (for example a naming-prefix resource ARN, and an `iam:PassedToService` condition on `iam:PassRole`).

  • ec2:CreateSecurityGroup
  • ec2:DeleteSecurityGroup
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EC2Permissions",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DescribeInstances",
                "ec2:ModifyLaunchTemplate",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:DescribeVolumes",
                "ec2:DescribeKeyPairs",
                "ec2:ImportKeyPair",
                "ec2:CreateTags",
                "ec2:RunInstances",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeSubnets",
                "ec2:DeleteNetworkAclEntry",
                "ec2:DescribeAddressesAttribute",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeAvailabilityZones",
                "ec2:ReleaseAddress",
                "ec2:DeleteLaunchTemplate",
                "ec2:DescribeSecurityGroups",
                "ec2:CreateLaunchTemplate",
                "ec2:DescribeVpcs",
                "ec2:AssociateVpcCidrBlock",
                "ec2:AssociateRouteTable",
                "ec2:DescribeInternetGateways",
                "ec2:CreateCarrierGateway",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeRouteTables",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeSecurityGroupRules",
                "ec2:GetConsoleOutput",
                "ec2:CreateSecurityGroup",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeCarrierGateways",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:DescribeTags",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:AllocateAddress",
                "ec2:CreateLaunchTemplateVersion",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteTags",
                "ec2:DeleteCarrierGateway"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAMPermissions",
            "Effect": "Allow",
            "Action": [
                "iam:ListRoleTags",
                "iam:TagInstanceProfile",
                "iam:TagPolicy",
                "iam:PutRolePolicy",
                "iam:AddRoleToInstanceProfile",
                "iam:ListRolePolicies",
                "iam:DeleteOpenIDConnectProvider",
                "iam:GetRole",
                "iam:GetPolicy",
                "iam:DeleteRole",
                "iam:CreateInstanceProfile",
                "iam:TagRole",
                "iam:ListInstanceProfilesForRole",
                "iam:PassRole",
                "iam:DeleteRolePolicy",
                "iam:GetRolePolicy",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:DeleteInstanceProfile",
                "iam:GetInstanceProfile",
                "iam:ListInstanceProfiles",
                "iam:CreateOpenIDConnectProvider",
                "iam:DeleteServiceLinkedRole",
                "iam:CreateServiceLinkedRole",
                "iam:GetOpenIDConnectProvider",
                "iam:ListOpenIDConnectProviderTags",
                "iam:TagOpenIDConnectProvider",
                "iam:GetPolicyVersion",
                "iam:ListPolicyVersions"
            ],
            "Resource": "*"
        },
        {
            "Sid": "EKSPermissions",
            "Effect": "Allow",
            "Action": [
                "eks:DescribeAddon",
                "eks:ListPodIdentityAssociations",
                "eks:UpdateNodegroupConfig",
                "eks:ListClusters",
                "eks:ListAccessPolicies",
                "eks:ListAccessEntries",
                "eks:ListAddons",
                "eks:AssociateEncryptionConfig",
                "eks:CreateCluster",
                "eks:UntagResource",
                "eks:AssociateAccessPolicy",
                "eks:UpdateAccessEntry",
                "eks:DescribeNodegroup",
                "eks:UpdateClusterConfig",
                "eks:UpdatePodIdentityAssociation",
                "eks:DescribePodIdentityAssociation",
                "eks:DeleteCluster",
                "eks:DeleteNodegroup",
                "eks:AccessKubernetesApi",
                "eks:CreateAddon",
                "eks:DescribeCluster",
                "eks:CreateNodegroup",
                "eks:ListNodegroups",
                "eks:DescribeAddonVersions",
                "eks:DeletePodIdentityAssociation",
                "eks:DescribeClusterVersions",
                "eks:DeleteAddon",
                "eks:UpdateAddon",
                "eks:DescribeUpdate",
                "eks:DisassociateAccessPolicy",
                "eks:UpdateClusterVersion",
                "eks:CreatePodIdentityAssociation",
                "eks:ListInsights",
                "eks:UpdateNodegroupVersion",
                "eks:ListAssociatedAccessPolicies",
                "eks:ListUpdates",
                "eks:TagResource",
                "eks:DeleteAccessEntry",
                "eks:CreateAccessEntry",
                "eks:DescribeAccessEntry"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AutoScalingPermissions",
            "Effect": "Allow",
            "Action": [
                "autoscaling:TerminateInstanceInAutoScalingGroup",
                "autoscaling:DeleteTags",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:DescribeScalingActivities",
                "autoscaling:DescribeScheduledActions",
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:SetDesiredCapacity",
                "autoscaling:SuspendProcesses",
                "autoscaling:CreateOrUpdateTags",
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DeleteLaunchConfiguration"
            ],
            "Resource": "*"
        }
    ]
}

Full IAM Policy

Use this IAM policy if you do not have pre-existing AWS resources and want the controller to create and configure them in your AWS account for the Amazon EKS cluster. This policy allows the controller to create, for example, the following resources. Be aware that destructive actions such as `ec2:DeleteVpc`, `ec2:DeleteSubnet` and `ec2:DeleteInternetGateway` are granted on `"Resource": "*"`, i.e. on every VPC in the account rather than only the ones the controller created; consider restricting them with a resource-tag condition. Also note that keys created via `kms:CreateKey` are not removed by this policy (no `kms:ScheduleKeyDeletion` is granted), so plan key lifecycle and cleanup separately:

  • VPCs
  • Subnets
  • Route Tables
  • Internet Gateway
  • NAT Gateway
  • Security Groups
  • CloudWatch Logging
  • KMS Key
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EC2Permissions",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteInternetGateway",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DescribeInstances",
                "ec2:ModifyLaunchTemplate",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:CreateRoute",
                "ec2:CreateInternetGateway",
                "ec2:DescribeVolumes",
                "ec2:AttachInternetGateway",
                "ec2:DeleteRouteTable",
                "ec2:ImportKeyPair",
                "ec2:CreateTags",
                "ec2:RunInstances",
                "ec2:DisassociateRouteTable",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DeleteNatGateway",
                "ec2:CreateSubnet",
                "ec2:DescribeSubnets",
                "ec2:DeleteNetworkAclEntry",
                "ec2:CreateNatGateway",
                "ec2:DescribeAddressesAttribute",
                "ec2:DescribeVpcAttribute",
                "ec2:ModifySubnetAttribute",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeAvailabilityZones",
                "ec2:ReleaseAddress",
                "ec2:DeleteLaunchTemplate",
                "ec2:DescribeSecurityGroups",
                "ec2:CreateLaunchTemplate",
                "ec2:DescribeVpcs",
                "ec2:AssociateVpcCidrBlock",
                "ec2:AssociateRouteTable",
                "ec2:DescribeInternetGateways",
                "ec2:CreateCarrierGateway",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeRouteTables",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeSecurityGroupRules",
                "ec2:GetConsoleOutput",
                "ec2:CreateSecurityGroup",
                "ec2:DescribeCarrierGateways",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:DescribeTags",
                "ec2:DeleteRoute",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:AllocateAddress",
                "ec2:CreateLaunchTemplateVersion",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteTags",
                "ec2:DeleteCarrierGateway",
                "ec2:DeleteSubnet",
                "ec2:DeleteVpc",
                "ec2:DetachInternetGateway"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAMPermissions",
            "Effect": "Allow",
            "Action": [
                "iam:ListRoleTags",
                "iam:TagInstanceProfile",
                "iam:TagPolicy",
                "iam:PutRolePolicy",
                "iam:AddRoleToInstanceProfile",
                "iam:ListRolePolicies",
                "iam:DeleteOpenIDConnectProvider",
                "iam:GetRole",
                "iam:GetPolicy",
                "iam:DeleteRole",
                "iam:CreateInstanceProfile",
                "iam:TagRole",
                "iam:ListInstanceProfilesForRole",
                "iam:PassRole",
                "iam:DeleteRolePolicy",
                "iam:GetRolePolicy",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:DeleteInstanceProfile",
                "iam:GetInstanceProfile",
                "iam:ListInstanceProfiles",
                "iam:CreateOpenIDConnectProvider",
                "iam:DeleteServiceLinkedRole",
                "iam:CreateServiceLinkedRole",
                "iam:GetOpenIDConnectProvider",
                "iam:ListOpenIDConnectProviderTags",
                "iam:TagOpenIDConnectProvider",
                "iam:GetPolicyVersion",
                "iam:ListPolicyVersions"
            ],
            "Resource": "*"
        },
        {
            "Sid": "EKSPermissions",
            "Effect": "Allow",
            "Action": [
                "eks:DeleteFargateProfile",
                "eks:DescribeFargateProfile",
                "eks:ListPodIdentityAssociations",
                "eks:UpdateNodegroupConfig",
                "eks:ListClusters",
                "eks:ListAccessPolicies",
                "eks:ListAccessEntries",
                "eks:ListAddons",
                "eks:AssociateEncryptionConfig",
                "eks:CreateCluster",
                "eks:UntagResource",
                "eks:AssociateAccessPolicy",
                "eks:UpdateAccessEntry",
                "eks:DescribeNodegroup",
                "eks:UpdateClusterConfig",
                "eks:UpdatePodIdentityAssociation",
                "eks:DescribePodIdentityAssociation",
                "eks:DeleteCluster",
                "eks:DeleteNodegroup",
                "eks:AccessKubernetesApi",
                "eks:CreateAddon",
                "eks:UpdateAddon",
                "eks:DescribeCluster",
                "eks:CreateNodegroup",
                "eks:ListNodegroups",
                "eks:DescribeAddonVersions",
                "eks:DeletePodIdentityAssociation",
                "eks:DescribeClusterVersions",
                "eks:DeleteAddon",
                "eks:DescribeUpdate",
                "eks:DisassociateAccessPolicy",
                "eks:UpdateClusterVersion",
                "eks:CreatePodIdentityAssociation",
                "eks:ListInsights",
                "eks:UpdateNodegroupVersion",
                "eks:ListAssociatedAccessPolicies",
                "eks:ListUpdates",
                "eks:TagResource",
                "eks:DeleteAccessEntry",
                "eks:CreateAccessEntry",
                "eks:DescribeAccessEntry"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AutoScalingPermissions",
            "Effect": "Allow",
            "Action": [
                "autoscaling:TerminateInstanceInAutoScalingGroup",
                "autoscaling:DeleteTags",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:DescribeScalingActivities",
                "autoscaling:DescribeScheduledActions",
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:SetDesiredCapacity",
                "autoscaling:SuspendProcesses",
                "autoscaling:CreateOrUpdateTags",
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DeleteLaunchConfiguration"
            ],
            "Resource": "*"
        },
        {
            "Sid": "LogsPermissions",
            "Effect": "Allow",
            "Action": [
                "logs:ListTagsForResource",
                "logs:TagResource",
                "logs:CreateLogGroup",
                "logs:DescribeLogGroups",
                "logs:DeleteRetentionPolicy",
                "logs:PutRetentionPolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "KMSPermissions",
            "Effect": "Allow",
            "Action": [
                "kms:ListAliases",
                "kms:DeleteAlias",
                "kms:CreateKey",
                "kms:CreateGrant",
                "kms:CreateAlias",
                "kms:TagResource",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}