
If you are using the example templates to spin up the infrastructure, the user who performs the installation must be granted the minimum permissions required to provision AWS resources using the templates.

You do not need to set up the following if the user who performs the installation already has the AdministratorAccess policy.

As a best practice, it is preferable to set up a minimum-permission IAM policy for the user who performs the installation.

For IAM user creation, refer to the AWS documentation for guidance: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html.

The following table contains the policies required by the application. Note that the Terraform policy below grants `acm:*` and `kms:*` on `"Resource": "*"`; where your deployment allows, narrow those statements to the specific actions and resource ARNs actually used so the policy stays minimal.

Application

IAM Policies

eksctl

Refer to https://eksctl.io/usage/minimum-iam-policies/

helm

AmazonEC2ContainerRegistryReadOnly

Terraform

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"sts:GetCallerIdentity",
				"ec2:DescribeVpcAttribute",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeInternetGateways",
				"ec2:DescribeAvailabilityZones",
				"ec2:DescribeVpcs",
				"ec2:DescribeAccountAttributes",
				"ec2:DescribeSubnets",
				"rds:AddTagsToResource",
				"rds:ListTagsForResource",
				"rds:CreateDBInstance",
				"rds:CreateDBSubnetGroup",
				"rds:DeleteDBSubnetGroup",
				"rds:DeleteDBInstance",
				"rds:ModifyDBInstance",
				"ec2:Describe*",
				"rds:Describe*",
				"rds:CreateDBParameterGroup",
				"rds:ModifyDBParameterGroup",
				"rds:DeleteDBParameterGroup",
				"rds:CreateOptionGroup",
				"rds:ModifyOptionGroup",
				"rds:DeleteOptionGroup"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"route53:GetHostedZone",
				"route53:CreateHostedZone",
				"route53:ListHostedZones",
				"route53:ChangeTagsForResource",
				"route53:ChangeResourceRecordSets",
				"route53:ListResourceRecordSets",
				"route53:GetChange",
				"route53:ListTagsForResource",
				"route53:GetDNSSEC",
				"route53:DeleteHostedZone"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"acm:*"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"kms:*"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"elasticfilesystem:Describe*",
				"elasticfilesystem:DeleteAccessPoint",
				"elasticfilesystem:CreateMountTarget",
				"elasticfilesystem:CreateFileSystem",
				"elasticfilesystem:ListTagsForResource",
				"elasticfilesystem:DeleteMountTarget",
				"elasticfilesystem:CreateAccessPoint",
				"elasticfilesystem:DeleteFileSystem",
				"elasticfilesystem:TagResource",
				"elasticfilesystem:UpdateFileSystem"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"ssm:Describe*",
				"ssm:GetParameter*",
				"ssm:ListTagsForResource",
				"ssm:PutParameter",
				"ssm:DeleteParameter*",
				"ssm:AddTagsToResource"
			],
			"Resource": "*"
		},
		{
			"Action": "iam:CreateServiceLinkedRole",
			"Effect": "Allow",
			"Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
			"Condition": {
				"StringLike": {
					"iam:AWSServiceName": "rds.amazonaws.com"
				}
			}
		}
	]
}
