Skip to content

Commit 06739ab

Browse files
kishorjkishorj
authored
provide scoped down IAM permissions example (#2283)
* provide reference to scope down IAM permissions * scope down iam:CreateServiceLinkedRole permission
1 parent 5fe3904 commit 06739ab

File tree

4 files changed

+61
-3
lines changed

4 files changed

+61
-3
lines changed

docs/deploy/installation.md

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -34,6 +34,37 @@ If you are using the IMDSv2 you must set the hop limit to 2 or higher in order t
3434
The controller runs on the worker nodes, so it needs access to the AWS ALB/NLB resources via IAM permissions.
3535
The IAM permissions can either be setup via IAM roles for ServiceAccount or can be attached directly to the worker node IAM roles.
3636

37+
!!!warning "Permissions with the least privileges"
38+
The reference IAM policies contain the following permissive configuration:
39+
```
40+
{
41+
"Effect": "Allow",
42+
"Action": [
43+
"ec2:AuthorizeSecurityGroupIngress",
44+
"ec2:RevokeSecurityGroupIngress"
45+
],
46+
"Resource": "*"
47+
},
48+
```
49+
We recommend to further scope down this configuration based on the VPC ID. Replace REGION, ACCOUNT and VPC-ID with appropriate values
50+
and add it to the above IAM permissions.
51+
```
52+
"Condition": {
53+
"ArnEquals": {
54+
"ec2:Vpc": "arn:aws:ec2:REGION:ACCOUNT:vpc/VPC-ID"
55+
}
56+
}
57+
```
58+
OR restrict access to security groups tagged for the particular k8s cluster. Replace CLUSTER-ID with your k8s cluster id and add it to
59+
the above IAM permissions.
60+
```
61+
"Condition": {
62+
"Null": {
63+
"aws:ResourceTag/kubernetes.io/cluster/CLUSTER-ID": "false"
64+
}
65+
}
66+
```
67+
3768
1. Create IAM OIDC provider
3869
```
3970
eksctl utils associate-iam-oidc-provider \

docs/install/iam_policy.json

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,19 @@
11
{
22
"Version": "2012-10-17",
33
"Statement": [
4+
{
5+
"Effect": "Allow",
6+
"Action": "iam:CreateServiceLinkedRole",
7+
"Resource": "*",
8+
"Condition": {
9+
"StringEquals": {
10+
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
11+
}
12+
}
13+
},
414
{
515
"Effect": "Allow",
616
"Action": [
7-
"iam:CreateServiceLinkedRole",
817
"ec2:DescribeAccountAttributes",
918
"ec2:DescribeAddresses",
1019
"ec2:DescribeAvailabilityZones",

docs/install/iam_policy_cn.json

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,19 @@
11
{
22
"Version": "2012-10-17",
33
"Statement": [
4+
{
5+
"Effect": "Allow",
6+
"Action": "iam:CreateServiceLinkedRole",
7+
"Resource": "*",
8+
"Condition": {
9+
"StringEquals": {
10+
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
11+
}
12+
}
13+
},
414
{
515
"Effect": "Allow",
616
"Action": [
7-
"iam:CreateServiceLinkedRole",
817
"ec2:DescribeAccountAttributes",
918
"ec2:DescribeAddresses",
1019
"ec2:DescribeAvailabilityZones",

docs/install/iam_policy_us-gov.json

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,19 @@
11
{
22
"Version": "2012-10-17",
33
"Statement": [
4+
{
5+
"Effect": "Allow",
6+
"Action": "iam:CreateServiceLinkedRole",
7+
"Resource": "*",
8+
"Condition": {
9+
"StringEquals": {
10+
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
11+
}
12+
}
13+
},
414
{
515
"Effect": "Allow",
616
"Action": [
7-
"iam:CreateServiceLinkedRole",
817
"ec2:DescribeAccountAttributes",
918
"ec2:DescribeAddresses",
1019
"ec2:DescribeAvailabilityZones",

0 commit comments

Comments
 (0)