# sigs.k8s.io/cluster-api-provider-aws@v1.5.5/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml
#
# Golden fixture for the clusterawsadm bootstrap CloudFormation template with
# both node bootstrap-data secret backends (Secrets Manager and SSM Parameter
# Store) enabled, as the file name suggests. NOTE(review): presumably compared
# against generator output by a test — policy changes belong in the generator,
# not in this file; confirm before editing.
#
# The template creates three EC2 instance profiles, four managed policies and
# four IAM roles. Resource ARNs are written with a wildcard partition
# (`arn:*:`) except where noted below.
AWSTemplateFormatVersion: 2010-09-09
Resources:
  # Instance profiles: bind one role each to EC2 instances. There is no profile
  # for AWSIAMRoleEKSControlPlane, which is assumed by the EKS service instead.
  AWSIAMInstanceProfileControlPlane:
    Properties:
      InstanceProfileName: control-plane.cluster-api-provider-aws.sigs.k8s.io
      Roles:
      - Ref: AWSIAMRoleControlPlane
    Type: AWS::IAM::InstanceProfile
  AWSIAMInstanceProfileControllers:
    Properties:
      InstanceProfileName: controllers.cluster-api-provider-aws.sigs.k8s.io
      Roles:
      - Ref: AWSIAMRoleControllers
    Type: AWS::IAM::InstanceProfile
  AWSIAMInstanceProfileNodes:
    Properties:
      InstanceProfileName: nodes.cluster-api-provider-aws.sigs.k8s.io
      Roles:
      - Ref: AWSIAMRoleNodes
    Type: AWS::IAM::InstanceProfile
  # Permissions for the in-tree / external Kubernetes cloud provider running on
  # control-plane nodes (ELB provisioning, EBS volumes, routes, security
  # groups). Attached to the control-plane role only.
  AWSIAMManagedPolicyCloudProviderControlPlane:
    Properties:
      Description: For the Kubernetes Cloud Provider AWS Control Plane
      ManagedPolicyName: control-plane.cluster-api-provider-aws.sigs.k8s.io
      PolicyDocument:
        Statement:
        # Single statement, Resource '*': every action below — including
        # create/delete of security groups, routes, volumes and load balancers —
        # applies to any resource in the account, not just cluster-owned ones.
        - Action:
          - autoscaling:DescribeAutoScalingGroups
          - autoscaling:DescribeLaunchConfigurations
          - autoscaling:DescribeTags
          - ec2:DescribeInstances
          - ec2:DescribeImages
          - ec2:DescribeRegions
          - ec2:DescribeRouteTables
          - ec2:DescribeSecurityGroups
          - ec2:DescribeSubnets
          - ec2:DescribeVolumes
          - ec2:CreateSecurityGroup
          - ec2:CreateTags
          - ec2:CreateVolume
          - ec2:ModifyInstanceAttribute
          - ec2:ModifyVolume
          - ec2:AttachVolume
          - ec2:AuthorizeSecurityGroupIngress
          - ec2:CreateRoute
          - ec2:DeleteRoute
          - ec2:DeleteSecurityGroup
          - ec2:DeleteVolume
          - ec2:DetachVolume
          - ec2:RevokeSecurityGroupIngress
          - ec2:DescribeVpcs
          - elasticloadbalancing:AddTags
          - elasticloadbalancing:AttachLoadBalancerToSubnets
          - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
          - elasticloadbalancing:CreateLoadBalancer
          - elasticloadbalancing:CreateLoadBalancerPolicy
          - elasticloadbalancing:CreateLoadBalancerListeners
          - elasticloadbalancing:ConfigureHealthCheck
          - elasticloadbalancing:DeleteLoadBalancer
          - elasticloadbalancing:DeleteLoadBalancerListeners
          - elasticloadbalancing:DescribeLoadBalancers
          - elasticloadbalancing:DescribeLoadBalancerAttributes
          - elasticloadbalancing:DetachLoadBalancerFromSubnets
          - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
          - elasticloadbalancing:ModifyLoadBalancerAttributes
          - elasticloadbalancing:RegisterInstancesWithLoadBalancer
          - elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer
          - elasticloadbalancing:CreateListener
          - elasticloadbalancing:CreateTargetGroup
          - elasticloadbalancing:DeleteListener
          - elasticloadbalancing:DeleteTargetGroup
          - elasticloadbalancing:DescribeListeners
          - elasticloadbalancing:DescribeLoadBalancerPolicies
          - elasticloadbalancing:DescribeTargetGroups
          - elasticloadbalancing:DescribeTargetHealth
          - elasticloadbalancing:ModifyListener
          - elasticloadbalancing:ModifyTargetGroup
          - elasticloadbalancing:RegisterTargets
          - elasticloadbalancing:SetLoadBalancerPoliciesOfListener
          # Unlike the controllers policy below, this CreateServiceLinkedRole
          # grant carries no iam:AWSServiceName condition and no role ARN.
          - iam:CreateServiceLinkedRole
          - kms:DescribeKey
          Effect: Allow
          Resource:
          - '*'
        Version: 2012-10-17
      Roles:
      - Ref: AWSIAMRoleControlPlane
    Type: AWS::IAM::ManagedPolicy
  # Permissions for kubelet/cloud-provider on worker nodes plus read access to
  # the node bootstrap data stored by the controllers. Attached to BOTH the
  # control-plane and nodes roles (see Roles below).
  AWSIAMManagedPolicyCloudProviderNodes:
    Properties:
      Description: For the Kubernetes Cloud Provider AWS nodes
      ManagedPolicyName: nodes.cluster-api-provider-aws.sigs.k8s.io
      PolicyDocument:
        Statement:
        # Read-only EC2 describes and ECR image pull on any resource.
        - Action:
          - ec2:DescribeInstances
          - ec2:DescribeRegions
          - ecr:GetAuthorizationToken
          - ecr:BatchCheckLayerAvailability
          - ecr:GetDownloadUrlForLayer
          - ecr:GetRepositoryPolicy
          - ecr:DescribeRepositories
          - ecr:ListImages
          - ecr:BatchGetImage
          Effect: Allow
          Resource:
          - '*'
        # Secrets Manager backend: nodes may read AND delete secrets, limited by
        # ARN to the aws.cluster.x-k8s.io/ name prefix that the controllers
        # policy writes to. NOTE(review): delete presumably lets a node remove
        # its own bootstrap data after consuming it — confirm against the
        # bootstrap flow; any node in the account can delete any secret under
        # this prefix.
        - Action:
          - secretsmanager:DeleteSecret
          - secretsmanager:GetSecretValue
          Effect: Allow
          Resource:
          - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*
        # SSM Parameter Store backend: same read+delete shape, scoped to the
        # cluster.x-k8s.io/ parameter prefix used by the controllers policy.
        - Action:
          - ssm:DeleteParameter
          - ssm:GetParameter
          Effect: Allow
          Resource:
          - arn:*:ssm:*:*:parameter/cluster.x-k8s.io/*
        # SSM agent registration and Session Manager channel actions, plus
        # s3:GetEncryptionConfiguration, on any resource.
        - Action:
          - ssm:UpdateInstanceInformation
          - ssmmessages:CreateControlChannel
          - ssmmessages:CreateDataChannel
          - ssmmessages:OpenControlChannel
          - ssmmessages:OpenDataChannel
          - s3:GetEncryptionConfiguration
          Effect: Allow
          Resource:
          - '*'
        Version: 2012-10-17
      Roles:
      - Ref: AWSIAMRoleControlPlane
      - Ref: AWSIAMRoleNodes
    Type: AWS::IAM::ManagedPolicy
  # Permissions for the CAPA controllers (infrastructure lifecycle for
  # workload clusters). Attached to the controllers role and to the
  # control-plane role — the latter presumably so a management cluster's
  # control-plane nodes can host the controllers; confirm.
  AWSIAMManagedPolicyControllers:
    Properties:
      Description: For the Kubernetes Cluster API Provider AWS Controllers
      ManagedPolicyName: controllers.cluster-api-provider-aws.sigs.k8s.io
      PolicyDocument:
        Statement:
        # VPC/networking, ELB, launch-template and instance lifecycle on
        # Resource '*'. ec2:RunInstances / ec2:TerminateInstances are unscoped
        # here; the only control on which role a launched instance receives is
        # the iam:PassRole statement further down.
        - Action:
          - ec2:AllocateAddress
          - ec2:AssociateRouteTable
          - ec2:AttachInternetGateway
          - ec2:AuthorizeSecurityGroupIngress
          - ec2:CreateInternetGateway
          - ec2:CreateNatGateway
          - ec2:CreateRoute
          - ec2:CreateRouteTable
          - ec2:CreateSecurityGroup
          - ec2:CreateSubnet
          - ec2:CreateTags
          - ec2:CreateVpc
          - ec2:ModifyVpcAttribute
          - ec2:DeleteInternetGateway
          - ec2:DeleteNatGateway
          - ec2:DeleteRouteTable
          - ec2:ReplaceRoute
          - ec2:DeleteSecurityGroup
          - ec2:DeleteSubnet
          - ec2:DeleteTags
          - ec2:DeleteVpc
          - ec2:DescribeAccountAttributes
          - ec2:DescribeAddresses
          - ec2:DescribeAvailabilityZones
          - ec2:DescribeInstances
          - ec2:DescribeInternetGateways
          - ec2:DescribeImages
          - ec2:DescribeNatGateways
          - ec2:DescribeNetworkInterfaces
          - ec2:DescribeNetworkInterfaceAttribute
          - ec2:DescribeRouteTables
          - ec2:DescribeSecurityGroups
          - ec2:DescribeSubnets
          - ec2:DescribeVpcs
          - ec2:DescribeVpcAttribute
          - ec2:DescribeVolumes
          - ec2:DetachInternetGateway
          - ec2:DisassociateRouteTable
          - ec2:DisassociateAddress
          - ec2:ModifyInstanceAttribute
          - ec2:ModifyNetworkInterfaceAttribute
          - ec2:ModifySubnetAttribute
          - ec2:ReleaseAddress
          - ec2:RevokeSecurityGroupIngress
          - ec2:RunInstances
          - ec2:TerminateInstances
          - tag:GetResources
          - elasticloadbalancing:AddTags
          - elasticloadbalancing:CreateLoadBalancer
          - elasticloadbalancing:ConfigureHealthCheck
          - elasticloadbalancing:DeleteLoadBalancer
          - elasticloadbalancing:DeleteTargetGroup
          - elasticloadbalancing:DescribeLoadBalancers
          - elasticloadbalancing:DescribeLoadBalancerAttributes
          - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
          - elasticloadbalancing:DescribeTags
          - elasticloadbalancing:ModifyLoadBalancerAttributes
          - elasticloadbalancing:RegisterInstancesWithLoadBalancer
          - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
          - elasticloadbalancing:RemoveTags
          - autoscaling:DescribeAutoScalingGroups
          - autoscaling:DescribeInstanceRefreshes
          - ec2:CreateLaunchTemplate
          - ec2:CreateLaunchTemplateVersion
          - ec2:DescribeLaunchTemplates
          - ec2:DescribeLaunchTemplateVersions
          - ec2:DeleteLaunchTemplate
          - ec2:DeleteLaunchTemplateVersions
          - ec2:DescribeKeyPairs
          Effect: Allow
          Resource:
          - '*'
        # Mutating ASG actions are scoped to the autoScalingGroup ARN type
        # (any group name).
        - Action:
          - autoscaling:CreateAutoScalingGroup
          - autoscaling:UpdateAutoScalingGroup
          - autoscaling:CreateOrUpdateTags
          - autoscaling:StartInstanceRefresh
          - autoscaling:DeleteAutoScalingGroup
          - autoscaling:DeleteTags
          Effect: Allow
          Resource:
          - arn:*:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*
        # Service-linked role creation, pinned twice: by iam:AWSServiceName
        # condition and by the exact SLR ARN. One statement per service
        # (autoscaling, elasticloadbalancing, spot).
        - Action:
          - iam:CreateServiceLinkedRole
          Condition:
            StringLike:
              iam:AWSServiceName: autoscaling.amazonaws.com
          Effect: Allow
          Resource:
          - arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
        - Action:
          - iam:CreateServiceLinkedRole
          Condition:
            StringLike:
              iam:AWSServiceName: elasticloadbalancing.amazonaws.com
          Effect: Allow
          Resource:
          - arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing
        - Action:
          - iam:CreateServiceLinkedRole
          Condition:
            StringLike:
              iam:AWSServiceName: spot.amazonaws.com
          Effect: Allow
          Resource:
          - arn:*:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot
        # PassRole is the privilege boundary for RunInstances above: only roles
        # whose name ends in .cluster-api-provider-aws.sigs.k8s.io (the four
        # roles in this template match) can be attached to launched instances.
        - Action:
          - iam:PassRole
          Effect: Allow
          Resource:
          - arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io
        # Write side of the two bootstrap-data backends; prefixes match the
        # read/delete grants in the nodes policy. Note the controllers get
        # Create/Delete/Tag but not GetSecretValue / GetParameter.
        - Action:
          - secretsmanager:CreateSecret
          - secretsmanager:DeleteSecret
          - secretsmanager:TagResource
          Effect: Allow
          Resource:
          - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*
        - Action:
          - ssm:PutParameter
          - ssm:DeleteParameter
          - ssm:AddTagsToResource
          Effect: Allow
          Resource:
          - arn:*:ssm:*:*:parameter/cluster.x-k8s.io/*
        Version: 2012-10-17
      Roles:
      - Ref: AWSIAMRoleControllers
      - Ref: AWSIAMRoleControlPlane
    Type: AWS::IAM::ManagedPolicy
  # Additional controller permissions for EKS-managed control planes,
  # nodegroups, add-ons and Fargate profiles. Same Roles as the policy above.
  AWSIAMManagedPolicyControllersEKS:
    Properties:
      Description: For the Kubernetes Cluster API Provider AWS Controllers
      ManagedPolicyName: controllers-eks.cluster-api-provider-aws.sigs.k8s.io
      PolicyDocument:
        Statement:
        # Public EKS optimized-AMI parameters only.
        - Action:
          - ssm:GetParameter
          Effect: Allow
          Resource:
          - arn:*:ssm:*:*:parameter/aws/service/eks/optimized-ami/*
        # EKS service-linked roles, condition + exact ARN as in the controllers
        # policy.
        - Action:
          - iam:CreateServiceLinkedRole
          Condition:
            StringLike:
              iam:AWSServiceName: eks.amazonaws.com
          Effect: Allow
          Resource:
          - arn:*:iam::*:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS
        - Action:
          - iam:CreateServiceLinkedRole
          Condition:
            StringLike:
              iam:AWSServiceName: eks-nodegroup.amazonaws.com
          Effect: Allow
          Resource:
          - arn:*:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup
        # NOTE(review): this statement differs from its siblings in two ways —
        # the Resource hard-codes the `aws` partition (`arn:aws:` rather than
        # `arn:*:`), and the condition service name (eks-fargate.amazonaws.com)
        # does not match the service path in the role ARN
        # (eks-fargate-pods.amazonaws.com). Confirm whether both are intended;
        # if not, the fix belongs in the generator.
        - Action:
          - iam:CreateServiceLinkedRole
          Condition:
            StringLike:
              iam:AWSServiceName: eks-fargate.amazonaws.com
          Effect: Allow
          Resource:
          - arn:aws:iam::*:role/aws-service-role/eks-fargate-pods.amazonaws.com/AWSServiceRoleForAmazonEKSForFargate
        # Read metadata of ANY role in the account, not only cluster roles.
        - Action:
          - iam:GetRole
          - iam:ListAttachedRolePolicies
          Effect: Allow
          Resource:
          - arn:*:iam::*:role/*
        # AWS-managed policy ARN; `aws` partition hard-coded here too.
        - Action:
          - iam:GetPolicy
          Effect: Allow
          Resource:
          - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
        # Cluster and nodegroup lifecycle, scoped to the eks cluster/nodegroup
        # ARN types.
        - Action:
          - eks:DescribeCluster
          - eks:ListClusters
          - eks:CreateCluster
          - eks:TagResource
          - eks:UpdateClusterVersion
          - eks:DeleteCluster
          - eks:UpdateClusterConfig
          - eks:UntagResource
          - eks:UpdateNodegroupVersion
          - eks:DescribeNodegroup
          - eks:DeleteNodegroup
          - eks:UpdateNodegroupConfig
          - eks:CreateNodegroup
          - eks:AssociateEncryptionConfig
          - eks:ListIdentityProviderConfigs
          - eks:AssociateIdentityProviderConfig
          - eks:DescribeIdentityProviderConfig
          - eks:DisassociateIdentityProviderConfig
          Effect: Allow
          Resource:
          - arn:*:eks:*:*:cluster/*
          - arn:*:eks:*:*:nodegroup/*/*/*
        # Add-on and Fargate-profile actions on Resource '*'. eks:TagResource
        # is repeated here, which makes its scoped grant in the previous
        # statement redundant.
        - Action:
          - ec2:AssociateVpcCidrBlock
          - ec2:DisassociateVpcCidrBlock
          - eks:ListAddons
          - eks:CreateAddon
          - eks:DescribeAddonVersions
          - eks:DescribeAddon
          - eks:DeleteAddon
          - eks:UpdateAddon
          - eks:TagResource
          - eks:DescribeFargateProfile
          - eks:CreateFargateProfile
          - eks:DeleteFargateProfile
          Effect: Allow
          Resource:
          - '*'
        # PassRole on any role, bounded only by the iam:PassedToService
        # condition (EKS service), not by role name as in the controllers
        # policy.
        - Action:
          - iam:PassRole
          Condition:
            StringEquals:
              iam:PassedToService: eks.amazonaws.com
          Effect: Allow
          Resource:
          - '*'
        # KMS grant creation on any key whose alias matches
        # alias/cluster-api-provider-aws-*; the alias condition, not the
        # Resource, is the scope here.
        - Action:
          - kms:CreateGrant
          - kms:DescribeKey
          Condition:
            ForAnyValue:StringLike:
              kms:ResourceAliases: alias/cluster-api-provider-aws-*
          Effect: Allow
          Resource:
          - '*'
        Version: 2012-10-17
      Roles:
      - Ref: AWSIAMRoleControllers
      - Ref: AWSIAMRoleControlPlane
    Type: AWS::IAM::ManagedPolicy
  # Roles. The three EC2 roles trust ec2.amazonaws.com; the EKS control-plane
  # role trusts eks.amazonaws.com. Managed policies above attach themselves
  # via their Roles lists; only the EKS roles list ManagedPolicyArns inline.
  AWSIAMRoleControlPlane:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action:
          - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
        Version: 2012-10-17
      RoleName: control-plane.cluster-api-provider-aws.sigs.k8s.io
    Type: AWS::IAM::Role
  AWSIAMRoleControllers:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action:
          - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
        Version: 2012-10-17
      RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io
    Type: AWS::IAM::Role
  # Role handed to the EKS service for the managed control plane; matches the
  # iam:PassedToService / iam:GetPolicy grants in the EKS controllers policy.
  AWSIAMRoleEKSControlPlane:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action:
          - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
            - eks.amazonaws.com
        Version: 2012-10-17
      ManagedPolicyArns:
      # AWS-managed policy; `aws` partition hard-coded.
      - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
      RoleName: eks-controlplane.cluster-api-provider-aws.sigs.k8s.io
    Type: AWS::IAM::Role
  # Worker-node role. Receives the nodes policy above plus the two AWS-managed
  # EKS worker policies (again with the `aws` partition hard-coded).
  AWSIAMRoleNodes:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action:
          - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
        Version: 2012-10-17
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
      - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
      RoleName: nodes.cluster-api-provider-aws.sigs.k8s.io
    Type: AWS::IAM::Role