sigs.k8s.io/cluster-api-provider-aws@v1.5.5/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml (about)

# CloudFormation template fixture for the clusterawsadm IAM bootstrap command.
# It declares one IAM group, three instance profiles, four managed policies,
# four roles and one user. The inline `Policies` blocks whose actions are
# `test:*` are placeholders (the "extra statements" of the fixture name), not
# real IAM actions.
# NOTE(review): if the Go test compares this file byte-for-byte with generator
# output, comments added here must be mirrored there or stripped — confirm.
# The two unquoted dates below are plain scalars; CloudFormation reads them as
# the template/policy version strings, but a generic YAML 1.1 loader will type
# them as timestamps, so quote them if this file is ever consumed elsewhere.
AWSTemplateFormatVersion: 2010-09-09
Resources:
  # Group that carries the controller policies; the bootstrapper user joins it.
  AWSIAMGroupBootstrapper:
    Properties: {}
    Type: AWS::IAM::Group
  # One instance profile per role so EC2 instances can assume the role.
  AWSIAMInstanceProfileControlPlane:
    Properties:
      InstanceProfileName: control-plane.cluster-api-provider-aws.sigs.k8s.io
      Roles:
      - Ref: AWSIAMRoleControlPlane
    Type: AWS::IAM::InstanceProfile
  AWSIAMInstanceProfileControllers:
    Properties:
      InstanceProfileName: controllers.cluster-api-provider-aws.sigs.k8s.io
      Roles:
      - Ref: AWSIAMRoleControllers
    Type: AWS::IAM::InstanceProfile
  AWSIAMInstanceProfileNodes:
    Properties:
      InstanceProfileName: nodes.cluster-api-provider-aws.sigs.k8s.io
      Roles:
      - Ref: AWSIAMRoleNodes
    Type: AWS::IAM::InstanceProfile
  # Permissions for the in-tree/external AWS cloud provider running on the
  # control plane. Every action here is granted on Resource '*'; the write
  # actions (volumes, security groups, routes, load balancers) are therefore
  # account-wide and not scoped to cluster-tagged resources.
  AWSIAMManagedPolicyCloudProviderControlPlane:
    Properties:
      Description: For the Kubernetes Cloud Provider AWS Control Plane
      ManagedPolicyName: control-plane.cluster-api-provider-aws.sigs.k8s.io
      PolicyDocument:
        Statement:
        - Action:
          - autoscaling:DescribeAutoScalingGroups
          - autoscaling:DescribeLaunchConfigurations
          - autoscaling:DescribeTags
          - ec2:DescribeInstances
          - ec2:DescribeImages
          - ec2:DescribeRegions
          - ec2:DescribeRouteTables
          - ec2:DescribeSecurityGroups
          - ec2:DescribeSubnets
          - ec2:DescribeVolumes
          - ec2:CreateSecurityGroup
          - ec2:CreateTags
          - ec2:CreateVolume
          - ec2:ModifyInstanceAttribute
          - ec2:ModifyVolume
          - ec2:AttachVolume
          - ec2:AuthorizeSecurityGroupIngress
          - ec2:CreateRoute
          - ec2:DeleteRoute
          - ec2:DeleteSecurityGroup
          - ec2:DeleteVolume
          - ec2:DetachVolume
          - ec2:RevokeSecurityGroupIngress
          - ec2:DescribeVpcs
          - elasticloadbalancing:AddTags
          - elasticloadbalancing:AttachLoadBalancerToSubnets
          - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
          - elasticloadbalancing:CreateLoadBalancer
          - elasticloadbalancing:CreateLoadBalancerPolicy
          - elasticloadbalancing:CreateLoadBalancerListeners
          - elasticloadbalancing:ConfigureHealthCheck
          - elasticloadbalancing:DeleteLoadBalancer
          - elasticloadbalancing:DeleteLoadBalancerListeners
          - elasticloadbalancing:DescribeLoadBalancers
          - elasticloadbalancing:DescribeLoadBalancerAttributes
          - elasticloadbalancing:DetachLoadBalancerFromSubnets
          - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
          - elasticloadbalancing:ModifyLoadBalancerAttributes
          - elasticloadbalancing:RegisterInstancesWithLoadBalancer
          - elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer
          - elasticloadbalancing:CreateListener
          - elasticloadbalancing:CreateTargetGroup
          - elasticloadbalancing:DeleteListener
          - elasticloadbalancing:DeleteTargetGroup
          - elasticloadbalancing:DescribeListeners
          - elasticloadbalancing:DescribeLoadBalancerPolicies
          - elasticloadbalancing:DescribeTargetGroups
          - elasticloadbalancing:DescribeTargetHealth
          - elasticloadbalancing:ModifyListener
          - elasticloadbalancing:ModifyTargetGroup
          - elasticloadbalancing:RegisterTargets
          - elasticloadbalancing:SetLoadBalancerPoliciesOfListener
          # Unconditioned here, unlike the controller policies below, which
          # restrict it by iam:AWSServiceName.
          - iam:CreateServiceLinkedRole
          - kms:DescribeKey
          Effect: Allow
          Resource:
          - '*'
        Version: 2012-10-17
      Roles:
      - Ref: AWSIAMRoleControlPlane
    Type: AWS::IAM::ManagedPolicy
  # Node permissions: ECR image pulls, SSM agent channels, and read/delete of
  # bootstrap secrets. Attached to both the control-plane and nodes roles.
  AWSIAMManagedPolicyCloudProviderNodes:
    Properties:
      Description: For the Kubernetes Cloud Provider AWS nodes
      ManagedPolicyName: nodes.cluster-api-provider-aws.sigs.k8s.io
      PolicyDocument:
        Statement:
        - Action:
          - ec2:DescribeInstances
          - ec2:DescribeRegions
          - ecr:GetAuthorizationToken
          - ecr:BatchCheckLayerAvailability
          - ecr:GetDownloadUrlForLayer
          - ecr:GetRepositoryPolicy
          - ecr:DescribeRepositories
          - ecr:ListImages
          - ecr:BatchGetImage
          Effect: Allow
          Resource:
          - '*'
        # Secret access is scoped to the aws.cluster.x-k8s.io/ name prefix
        # across all partitions, regions and accounts.
        - Action:
          - secretsmanager:DeleteSecret
          - secretsmanager:GetSecretValue
          Effect: Allow
          Resource:
          - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*
        - Action:
          - ssm:UpdateInstanceInformation
          - ssmmessages:CreateControlChannel
          - ssmmessages:CreateDataChannel
          - ssmmessages:OpenControlChannel
          - ssmmessages:OpenDataChannel
          - s3:GetEncryptionConfiguration
          Effect: Allow
          Resource:
          - '*'
        Version: 2012-10-17
      Roles:
      - Ref: AWSIAMRoleControlPlane
      - Ref: AWSIAMRoleNodes
    Type: AWS::IAM::ManagedPolicy
  # Permissions for the CAPA controllers. Attached to the bootstrapper group
  # (so the bootstrapper user gets it) and to the controllers and
  # control-plane roles.
  AWSIAMManagedPolicyControllers:
    Properties:
      Description: For the Kubernetes Cluster API Provider AWS Controllers
      Groups:
      - Ref: AWSIAMGroupBootstrapper
      ManagedPolicyName: controllers.cluster-api-provider-aws.sigs.k8s.io
      PolicyDocument:
        Statement:
        # Networking, instance and load-balancer lifecycle on Resource '*'.
        # ec2:RunInstances / ec2:TerminateInstances are account-wide here;
        # there is no tag- or VPC-based condition limiting them to cluster
        # resources.
        - Action:
          - ec2:AllocateAddress
          - ec2:AssociateRouteTable
          - ec2:AttachInternetGateway
          - ec2:AuthorizeSecurityGroupIngress
          - ec2:CreateInternetGateway
          - ec2:CreateNatGateway
          - ec2:CreateRoute
          - ec2:CreateRouteTable
          - ec2:CreateSecurityGroup
          - ec2:CreateSubnet
          - ec2:CreateTags
          - ec2:CreateVpc
          - ec2:ModifyVpcAttribute
          - ec2:DeleteInternetGateway
          - ec2:DeleteNatGateway
          - ec2:DeleteRouteTable
          - ec2:ReplaceRoute
          - ec2:DeleteSecurityGroup
          - ec2:DeleteSubnet
          - ec2:DeleteTags
          - ec2:DeleteVpc
          - ec2:DescribeAccountAttributes
          - ec2:DescribeAddresses
          - ec2:DescribeAvailabilityZones
          - ec2:DescribeInstances
          - ec2:DescribeInternetGateways
          - ec2:DescribeImages
          - ec2:DescribeNatGateways
          - ec2:DescribeNetworkInterfaces
          - ec2:DescribeNetworkInterfaceAttribute
          - ec2:DescribeRouteTables
          - ec2:DescribeSecurityGroups
          - ec2:DescribeSubnets
          - ec2:DescribeVpcs
          - ec2:DescribeVpcAttribute
          - ec2:DescribeVolumes
          - ec2:DetachInternetGateway
          - ec2:DisassociateRouteTable
          - ec2:DisassociateAddress
          - ec2:ModifyInstanceAttribute
          - ec2:ModifyNetworkInterfaceAttribute
          - ec2:ModifySubnetAttribute
          - ec2:ReleaseAddress
          - ec2:RevokeSecurityGroupIngress
          - ec2:RunInstances
          - ec2:TerminateInstances
          - tag:GetResources
          - elasticloadbalancing:AddTags
          - elasticloadbalancing:CreateLoadBalancer
          - elasticloadbalancing:ConfigureHealthCheck
          - elasticloadbalancing:DeleteLoadBalancer
          - elasticloadbalancing:DeleteTargetGroup
          - elasticloadbalancing:DescribeLoadBalancers
          - elasticloadbalancing:DescribeLoadBalancerAttributes
          - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
          - elasticloadbalancing:DescribeTags
          - elasticloadbalancing:ModifyLoadBalancerAttributes
          - elasticloadbalancing:RegisterInstancesWithLoadBalancer
          - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
          - elasticloadbalancing:RemoveTags
          - autoscaling:DescribeAutoScalingGroups
          - autoscaling:DescribeInstanceRefreshes
          - ec2:CreateLaunchTemplate
          - ec2:CreateLaunchTemplateVersion
          - ec2:DescribeLaunchTemplates
          - ec2:DescribeLaunchTemplateVersions
          - ec2:DeleteLaunchTemplate
          - ec2:DeleteLaunchTemplateVersions
          - ec2:DescribeKeyPairs
          Effect: Allow
          Resource:
          - '*'
        # ASG write actions are scoped to autoScalingGroup ARNs only.
        - Action:
          - autoscaling:CreateAutoScalingGroup
          - autoscaling:UpdateAutoScalingGroup
          - autoscaling:CreateOrUpdateTags
          - autoscaling:StartInstanceRefresh
          - autoscaling:DeleteAutoScalingGroup
          - autoscaling:DeleteTags
          Effect: Allow
          Resource:
          - arn:*:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*
        # Service-linked role creation is limited per service by matching
        # iam:AWSServiceName against the exact service-role ARN.
        - Action:
          - iam:CreateServiceLinkedRole
          Condition:
            StringLike:
              iam:AWSServiceName: autoscaling.amazonaws.com
          Effect: Allow
          Resource:
          - arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
        - Action:
          - iam:CreateServiceLinkedRole
          Condition:
            StringLike:
              iam:AWSServiceName: elasticloadbalancing.amazonaws.com
          Effect: Allow
          Resource:
          - arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing
        - Action:
          - iam:CreateServiceLinkedRole
          Condition:
            StringLike:
              iam:AWSServiceName: spot.amazonaws.com
          Effect: Allow
          Resource:
          - arn:*:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot
        # PassRole is limited to roles whose name ends in the CAPA suffix,
        # which keeps the controllers from attaching arbitrary roles to
        # instances they launch.
        - Action:
          - iam:PassRole
          Effect: Allow
          Resource:
          - arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io
        - Action:
          - secretsmanager:CreateSecret
          - secretsmanager:DeleteSecret
          - secretsmanager:TagResource
          Effect: Allow
          Resource:
          - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*
        Version: 2012-10-17
      Roles:
      - Ref: AWSIAMRoleControllers
      - Ref: AWSIAMRoleControlPlane
    Type: AWS::IAM::ManagedPolicy
  # Additional controller permissions for EKS-managed control planes,
  # node groups, add-ons and Fargate profiles.
  AWSIAMManagedPolicyControllersEKS:
    Properties:
      Description: For the Kubernetes Cluster API Provider AWS Controllers
      Groups:
      - Ref: AWSIAMGroupBootstrapper
      ManagedPolicyName: controllers-eks.cluster-api-provider-aws.sigs.k8s.io
      PolicyDocument:
        Statement:
        - Action:
          - ssm:GetParameter
          Effect: Allow
          Resource:
          - arn:*:ssm:*:*:parameter/aws/service/eks/optimized-ami/*
        - Action:
          - iam:CreateServiceLinkedRole
          Condition:
            StringLike:
              iam:AWSServiceName: eks.amazonaws.com
          Effect: Allow
          Resource:
          - arn:*:iam::*:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS
        - Action:
          - iam:CreateServiceLinkedRole
          Condition:
            StringLike:
              iam:AWSServiceName: eks-nodegroup.amazonaws.com
          Effect: Allow
          Resource:
          - arn:*:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup
        # NOTE(review): this statement hard-codes the `aws` partition
        # (`arn:aws:`) where the sibling service-linked-role statements use
        # `arn:*`, and its condition names eks-fargate.amazonaws.com while the
        # resource path names eks-fargate-pods.amazonaws.com — confirm both
        # against the generator before relying on it outside the commercial
        # partition.
        - Action:
          - iam:CreateServiceLinkedRole
          Condition:
            StringLike:
              iam:AWSServiceName: eks-fargate.amazonaws.com
          Effect: Allow
          Resource:
          - arn:aws:iam::*:role/aws-service-role/eks-fargate-pods.amazonaws.com/AWSServiceRoleForAmazonEKSForFargate
        # Read-only on every role in the account (not only CAPA-suffixed ones).
        - Action:
          - iam:GetRole
          - iam:ListAttachedRolePolicies
          Effect: Allow
          Resource:
          - arn:*:iam::*:role/*
        - Action:
          - iam:GetPolicy
          Effect: Allow
          Resource:
          - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
        # Cluster and nodegroup lifecycle, scoped to EKS cluster/nodegroup ARNs.
        - Action:
          - eks:DescribeCluster
          - eks:ListClusters
          - eks:CreateCluster
          - eks:TagResource
          - eks:UpdateClusterVersion
          - eks:DeleteCluster
          - eks:UpdateClusterConfig
          - eks:UntagResource
          - eks:UpdateNodegroupVersion
          - eks:DescribeNodegroup
          - eks:DeleteNodegroup
          - eks:UpdateNodegroupConfig
          - eks:CreateNodegroup
          - eks:AssociateEncryptionConfig
          - eks:ListIdentityProviderConfigs
          - eks:AssociateIdentityProviderConfig
          - eks:DescribeIdentityProviderConfig
          - eks:DisassociateIdentityProviderConfig
          Effect: Allow
          Resource:
          - arn:*:eks:*:*:cluster/*
          - arn:*:eks:*:*:nodegroup/*/*/*
        # Add-on and Fargate-profile actions on '*'. eks:TagResource is listed
        # here as well as in the ARN-scoped statement above; this '*' grant
        # subsumes the scoped one for that action.
        - Action:
          - ec2:AssociateVpcCidrBlock
          - ec2:DisassociateVpcCidrBlock
          - eks:ListAddons
          - eks:CreateAddon
          - eks:DescribeAddonVersions
          - eks:DescribeAddon
          - eks:DeleteAddon
          - eks:UpdateAddon
          - eks:TagResource
          - eks:DescribeFargateProfile
          - eks:CreateFargateProfile
          - eks:DeleteFargateProfile
          Effect: Allow
          Resource:
          - '*'
        # PassRole on any role, but only when the receiving service is EKS.
        - Action:
          - iam:PassRole
          Condition:
            StringEquals:
              iam:PassedToService: eks.amazonaws.com
          Effect: Allow
          Resource:
          - '*'
        # KMS grants are restricted to keys aliased cluster-api-provider-aws-*.
        - Action:
          - kms:CreateGrant
          - kms:DescribeKey
          Condition:
            ForAnyValue:StringLike:
              kms:ResourceAliases: alias/cluster-api-provider-aws-*
          Effect: Allow
          Resource:
          - '*'
        Version: 2012-10-17
      Roles:
      - Ref: AWSIAMRoleControllers
      - Ref: AWSIAMRoleControlPlane
    Type: AWS::IAM::ManagedPolicy
  # Roles below trust only the EC2 service (EKS service for the EKS
  # control-plane role). Each carries an inline placeholder policy whose
  # `test:*` action is the fixture's "extra statement".
  AWSIAMRoleControlPlane:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action:
          - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
        Version: 2012-10-17
      Policies:
      - PolicyDocument:
          Statement:
          - Action:
            - test:action
            Effect: Allow
            Resource:
            - '*'
          Version: 2012-10-17
        PolicyName: cluster-api-provider-aws-sigs-k8s-io
      RoleName: control-plane.cluster-api-provider-aws.sigs.k8s.io
    Type: AWS::IAM::Role
  AWSIAMRoleControllers:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action:
          - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
        Version: 2012-10-17
      Policies:
      - PolicyDocument:
          Statement:
          - Action:
            - test:controller-action
            Effect: Allow
            Resource:
            - '*'
          Version: 2012-10-17
        PolicyName: cluster-api-provider-aws-sigs-k8s-io
      RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io
    Type: AWS::IAM::Role
  # Role the EKS service assumes for the managed control plane; it carries
  # only the AWS-managed AmazonEKSClusterPolicy and no extra statement.
  AWSIAMRoleEKSControlPlane:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action:
          - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
            - eks.amazonaws.com
        Version: 2012-10-17
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
      RoleName: eks-controlplane.cluster-api-provider-aws.sigs.k8s.io
    Type: AWS::IAM::Role
  AWSIAMRoleNodes:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action:
          - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
        Version: 2012-10-17
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
      - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
      Policies:
      - PolicyDocument:
          Statement:
          - Action:
            - test:node-action
            Effect: Allow
            Resource:
            - '*'
          Version: 2012-10-17
        PolicyName: cluster-api-provider-aws-sigs-k8s-io
      RoleName: nodes.cluster-api-provider-aws.sigs.k8s.io
    Type: AWS::IAM::Role
  # Bootstrapper IAM user: inherits both controller policies via the group and
  # carries the inline placeholder policy. No access keys are declared here.
  AWSIAMUserBootstrapper:
    Properties:
      Groups:
      - Ref: AWSIAMGroupBootstrapper
      Policies:
      - PolicyDocument:
          Statement:
          - Action:
            - test:user-action
            Effect: Allow
            Resource:
            - '*'
          Version: 2012-10-17
        PolicyName: cluster-api-provider-aws-sigs-k8s-io
      UserName: bootstrapper.cluster-api-provider-aws.sigs.k8s.io
    Type: AWS::IAM::User