# CloudFormation bootstrap template fixture:
#   cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_s3_bucket.yaml
# (sigs.k8s.io/cluster-api-provider-aws v1.5.5). It declares the IAM instance
# profiles, managed policies and roles that clusterawsadm bootstraps for the
# control plane, the CAPA controllers and the worker nodes. NOTE(review): the
# "fixtures" path suggests this is expected generator output pinned by a test;
# changes here presumably need a matching change in the generator — confirm.
AWSTemplateFormatVersion: 2010-09-09
Resources:
  # Instance profiles bind each role to EC2 instances. Every instance launched
  # with one of these profiles inherits the full policy set attached to the role.
  AWSIAMInstanceProfileControlPlane:
    Properties:
      InstanceProfileName: control-plane.cluster-api-provider-aws.sigs.k8s.io
      Roles:
        - Ref: AWSIAMRoleControlPlane
    Type: AWS::IAM::InstanceProfile
  AWSIAMInstanceProfileControllers:
    Properties:
      InstanceProfileName: controllers.cluster-api-provider-aws.sigs.k8s.io
      Roles:
        - Ref: AWSIAMRoleControllers
    Type: AWS::IAM::InstanceProfile
  AWSIAMInstanceProfileNodes:
    Properties:
      InstanceProfileName: nodes.cluster-api-provider-aws.sigs.k8s.io
      Roles:
        - Ref: AWSIAMRoleNodes
    Type: AWS::IAM::InstanceProfile
  # Permissions used by the in-tree / external AWS cloud provider on control
  # plane nodes (ELB/volume/security-group lifecycle). The single statement
  # grants every listed action on Resource '*'; no resource or tag scoping is
  # expressed in this fixture.
  AWSIAMManagedPolicyCloudProviderControlPlane:
    Properties:
      Description: For the Kubernetes Cloud Provider AWS Control Plane
      ManagedPolicyName: control-plane.cluster-api-provider-aws.sigs.k8s.io
      PolicyDocument:
        Statement:
          - Action:
              - autoscaling:DescribeAutoScalingGroups
              - autoscaling:DescribeLaunchConfigurations
              - autoscaling:DescribeTags
              - ec2:DescribeInstances
              - ec2:DescribeImages
              - ec2:DescribeRegions
              - ec2:DescribeRouteTables
              - ec2:DescribeSecurityGroups
              - ec2:DescribeSubnets
              - ec2:DescribeVolumes
              - ec2:CreateSecurityGroup
              - ec2:CreateTags
              - ec2:CreateVolume
              - ec2:ModifyInstanceAttribute
              - ec2:ModifyVolume
              - ec2:AttachVolume
              - ec2:AuthorizeSecurityGroupIngress
              - ec2:CreateRoute
              - ec2:DeleteRoute
              - ec2:DeleteSecurityGroup
              - ec2:DeleteVolume
              - ec2:DetachVolume
              - ec2:RevokeSecurityGroupIngress
              - ec2:DescribeVpcs
              - elasticloadbalancing:AddTags
              - elasticloadbalancing:AttachLoadBalancerToSubnets
              - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
              - elasticloadbalancing:CreateLoadBalancer
              - elasticloadbalancing:CreateLoadBalancerPolicy
              - elasticloadbalancing:CreateLoadBalancerListeners
              - elasticloadbalancing:ConfigureHealthCheck
              - elasticloadbalancing:DeleteLoadBalancer
              - elasticloadbalancing:DeleteLoadBalancerListeners
              - elasticloadbalancing:DescribeLoadBalancers
              - elasticloadbalancing:DescribeLoadBalancerAttributes
              - elasticloadbalancing:DetachLoadBalancerFromSubnets
              - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
              - elasticloadbalancing:ModifyLoadBalancerAttributes
              - elasticloadbalancing:RegisterInstancesWithLoadBalancer
              - elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer
              - elasticloadbalancing:CreateListener
              - elasticloadbalancing:CreateTargetGroup
              - elasticloadbalancing:DeleteListener
              - elasticloadbalancing:DeleteTargetGroup
              - elasticloadbalancing:DescribeListeners
              - elasticloadbalancing:DescribeLoadBalancerPolicies
              - elasticloadbalancing:DescribeTargetGroups
              - elasticloadbalancing:DescribeTargetHealth
              - elasticloadbalancing:ModifyListener
              - elasticloadbalancing:ModifyTargetGroup
              - elasticloadbalancing:RegisterTargets
              - elasticloadbalancing:SetLoadBalancerPoliciesOfListener
              # Unconditioned here, unlike the controller policies below, which
              # pin iam:CreateServiceLinkedRole to a named service and role ARN.
              - iam:CreateServiceLinkedRole
              - kms:DescribeKey
            Effect: Allow
            Resource:
              - '*'
        Version: 2012-10-17
      Roles:
        - Ref: AWSIAMRoleControlPlane
    Type: AWS::IAM::ManagedPolicy
  # Permissions for worker nodes; also attached to the control-plane role.
  AWSIAMManagedPolicyCloudProviderNodes:
    Properties:
      Description: For the Kubernetes Cloud Provider AWS nodes
      ManagedPolicyName: nodes.cluster-api-provider-aws.sigs.k8s.io
      PolicyDocument:
        Statement:
          # Read-only EC2 describes plus ECR image pull on all resources.
          - Action:
              - ec2:DescribeInstances
              - ec2:DescribeRegions
              - ecr:GetAuthorizationToken
              - ecr:BatchCheckLayerAvailability
              - ecr:GetDownloadUrlForLayer
              - ecr:GetRepositoryPolicy
              - ecr:DescribeRepositories
              - ecr:ListImages
              - ecr:BatchGetImage
            Effect: Allow
            Resource:
              - '*'
          # Secret read/delete is scoped to the aws.cluster.x-k8s.io/ name
          # prefix; nodes cannot read other secrets in the account. Note the
          # ARN uses a wildcard partition (arn:*:), so it applies in any partition.
          - Action:
              - secretsmanager:DeleteSecret
              - secretsmanager:GetSecretValue
            Effect: Allow
            Resource:
              - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*
          # SSM Session Manager channel actions and S3 encryption-config read,
          # both on '*'. NOTE(review): s3:GetEncryptionConfiguration is presumably
          # what distinguishes this "with_s3_bucket" fixture variant — confirm.
          - Action:
              - ssm:UpdateInstanceInformation
              - ssmmessages:CreateControlChannel
              - ssmmessages:CreateDataChannel
              - ssmmessages:OpenControlChannel
              - ssmmessages:OpenDataChannel
              - s3:GetEncryptionConfiguration
            Effect: Allow
            Resource:
              - '*'
        Version: 2012-10-17
      Roles:
        - Ref: AWSIAMRoleControlPlane
        - Ref: AWSIAMRoleNodes
    Type: AWS::IAM::ManagedPolicy
  # Permissions for the CAPA controllers (infrastructure lifecycle). Attached to
  # both the controllers role and the control-plane role.
  AWSIAMManagedPolicyControllers:
    Properties:
      Description: For the Kubernetes Cluster API Provider AWS Controllers
      ManagedPolicyName: controllers.cluster-api-provider-aws.sigs.k8s.io
      PolicyDocument:
        Statement:
          # VPC/subnet/route/NAT/security-group lifecycle, instance launch and
          # termination, ELB and launch-template management — all on '*'. This
          # is the broadest statement in the template; compensating controls
          # (trust policy, PassRole scoping) are expressed in the statements below.
          - Action:
              - ec2:AllocateAddress
              - ec2:AssociateRouteTable
              - ec2:AttachInternetGateway
              - ec2:AuthorizeSecurityGroupIngress
              - ec2:CreateInternetGateway
              - ec2:CreateNatGateway
              - ec2:CreateRoute
              - ec2:CreateRouteTable
              - ec2:CreateSecurityGroup
              - ec2:CreateSubnet
              - ec2:CreateTags
              - ec2:CreateVpc
              - ec2:ModifyVpcAttribute
              - ec2:DeleteInternetGateway
              - ec2:DeleteNatGateway
              - ec2:DeleteRouteTable
              - ec2:ReplaceRoute
              - ec2:DeleteSecurityGroup
              - ec2:DeleteSubnet
              - ec2:DeleteTags
              - ec2:DeleteVpc
              - ec2:DescribeAccountAttributes
              - ec2:DescribeAddresses
              - ec2:DescribeAvailabilityZones
              - ec2:DescribeInstances
              - ec2:DescribeInternetGateways
              - ec2:DescribeImages
              - ec2:DescribeNatGateways
              - ec2:DescribeNetworkInterfaces
              - ec2:DescribeNetworkInterfaceAttribute
              - ec2:DescribeRouteTables
              - ec2:DescribeSecurityGroups
              - ec2:DescribeSubnets
              - ec2:DescribeVpcs
              - ec2:DescribeVpcAttribute
              - ec2:DescribeVolumes
              - ec2:DetachInternetGateway
              - ec2:DisassociateRouteTable
              - ec2:DisassociateAddress
              - ec2:ModifyInstanceAttribute
              - ec2:ModifyNetworkInterfaceAttribute
              - ec2:ModifySubnetAttribute
              - ec2:ReleaseAddress
              - ec2:RevokeSecurityGroupIngress
              - ec2:RunInstances
              - ec2:TerminateInstances
              - tag:GetResources
              - elasticloadbalancing:AddTags
              - elasticloadbalancing:CreateLoadBalancer
              - elasticloadbalancing:ConfigureHealthCheck
              - elasticloadbalancing:DeleteLoadBalancer
              - elasticloadbalancing:DeleteTargetGroup
              - elasticloadbalancing:DescribeLoadBalancers
              - elasticloadbalancing:DescribeLoadBalancerAttributes
              - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
              - elasticloadbalancing:DescribeTags
              - elasticloadbalancing:ModifyLoadBalancerAttributes
              - elasticloadbalancing:RegisterInstancesWithLoadBalancer
              - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
              - elasticloadbalancing:RemoveTags
              - autoscaling:DescribeAutoScalingGroups
              - autoscaling:DescribeInstanceRefreshes
              - ec2:CreateLaunchTemplate
              - ec2:CreateLaunchTemplateVersion
              - ec2:DescribeLaunchTemplates
              - ec2:DescribeLaunchTemplateVersions
              - ec2:DeleteLaunchTemplate
              - ec2:DeleteLaunchTemplateVersions
              - ec2:DescribeKeyPairs
            Effect: Allow
            Resource:
              - '*'
          # ASG mutation is limited to autoScalingGroup ARNs (any name).
          - Action:
              - autoscaling:CreateAutoScalingGroup
              - autoscaling:UpdateAutoScalingGroup
              - autoscaling:CreateOrUpdateTags
              - autoscaling:StartInstanceRefresh
              - autoscaling:DeleteAutoScalingGroup
              - autoscaling:DeleteTags
            Effect: Allow
            Resource:
              - arn:*:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*
          # Service-linked role creation: each statement pairs an
          # iam:AWSServiceName condition with the matching service-linked role
          # ARN, so only that specific SLR can be created.
          - Action:
              - iam:CreateServiceLinkedRole
            Condition:
              StringLike:
                iam:AWSServiceName: autoscaling.amazonaws.com
            Effect: Allow
            Resource:
              - arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
          - Action:
              - iam:CreateServiceLinkedRole
            Condition:
              StringLike:
                iam:AWSServiceName: elasticloadbalancing.amazonaws.com
            Effect: Allow
            Resource:
              - arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing
          - Action:
              - iam:CreateServiceLinkedRole
            Condition:
              StringLike:
                iam:AWSServiceName: spot.amazonaws.com
            Effect: Allow
            Resource:
              - arn:*:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot
          # PassRole is the privilege boundary for ec2:RunInstances above: the
          # controllers may only pass roles whose name ends in
          # ".cluster-api-provider-aws.sigs.k8s.io" (i.e. the roles defined in
          # this template), not arbitrary roles in the account.
          - Action:
              - iam:PassRole
            Effect: Allow
            Resource:
              - arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io
          # Controllers create/delete/tag secrets under the same prefix the
          # nodes policy above is allowed to read.
          - Action:
              - secretsmanager:CreateSecret
              - secretsmanager:DeleteSecret
              - secretsmanager:TagResource
            Effect: Allow
            Resource:
              - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*
          # S3 bucket lifecycle, restricted by bucket-name prefix
          # "cluster-api-provider-aws-". The trailing wildcard also matches
          # object ARNs (bucket/key), which is what s3:PutObject and
          # s3:DeleteObject need. s3:PutBucketPolicy lets the controller set
          # the bucket's access policy, so the prefix is the only scoping here.
          - Action:
              - s3:CreateBucket
              - s3:DeleteBucket
              - s3:PutObject
              - s3:DeleteObject
              - s3:PutBucketPolicy
            Effect: Allow
            Resource:
              - arn:*:s3:::cluster-api-provider-aws-*
        Version: 2012-10-17
      Roles:
        - Ref: AWSIAMRoleControllers
        - Ref: AWSIAMRoleControlPlane
    Type: AWS::IAM::ManagedPolicy
  # Additional permissions for managing EKS clusters, node groups, add-ons and
  # Fargate profiles. Attached to the same two roles as the controllers policy.
  AWSIAMManagedPolicyControllersEKS:
    Properties:
      Description: For the Kubernetes Cluster API Provider AWS Controllers
      ManagedPolicyName: controllers-eks.cluster-api-provider-aws.sigs.k8s.io
      PolicyDocument:
        Statement:
          # AMI lookup via the public EKS optimized-AMI SSM parameters only.
          - Action:
              - ssm:GetParameter
            Effect: Allow
            Resource:
              - arn:*:ssm:*:*:parameter/aws/service/eks/optimized-ami/*
          - Action:
              - iam:CreateServiceLinkedRole
            Condition:
              StringLike:
                iam:AWSServiceName: eks.amazonaws.com
            Effect: Allow
            Resource:
              - arn:*:iam::*:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS
          - Action:
              - iam:CreateServiceLinkedRole
            Condition:
              StringLike:
                iam:AWSServiceName: eks-nodegroup.amazonaws.com
            Effect: Allow
            Resource:
              - arn:*:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup
          # NOTE(review): this statement differs from its siblings in two ways —
          # the resource ARN hard-codes the "aws" partition (siblings use
          # "arn:*:"), and the condition service name (eks-fargate.amazonaws.com)
          # does not match the service segment in the role path
          # (eks-fargate-pods.amazonaws.com). If the two must agree for the SLR
          # creation to be authorized, this grant may never match in practice;
          # confirm against the generator and the AWS SLR documentation before
          # changing the fixture.
          - Action:
              - iam:CreateServiceLinkedRole
            Condition:
              StringLike:
                iam:AWSServiceName: eks-fargate.amazonaws.com
            Effect: Allow
            Resource:
              - arn:aws:iam::*:role/aws-service-role/eks-fargate-pods.amazonaws.com/AWSServiceRoleForAmazonEKSForFargate
          # Read access to every role in the account (role metadata and attached
          # policies), not just the ones in this template.
          - Action:
              - iam:GetRole
              - iam:ListAttachedRolePolicies
            Effect: Allow
            Resource:
              - arn:*:iam::*:role/*
          # NOTE(review): "aws" partition hard-coded here and in the
          # ManagedPolicyArns of the EKS roles below, while every other ARN in
          # the template uses "arn:*:" — may not resolve in other partitions.
          - Action:
              - iam:GetPolicy
            Effect: Allow
            Resource:
              - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
          # Cluster and node-group lifecycle, scoped to EKS cluster/nodegroup ARNs.
          - Action:
              - eks:DescribeCluster
              - eks:ListClusters
              - eks:CreateCluster
              - eks:TagResource
              - eks:UpdateClusterVersion
              - eks:DeleteCluster
              - eks:UpdateClusterConfig
              - eks:UntagResource
              - eks:UpdateNodegroupVersion
              - eks:DescribeNodegroup
              - eks:DeleteNodegroup
              - eks:UpdateNodegroupConfig
              - eks:CreateNodegroup
              - eks:AssociateEncryptionConfig
              - eks:ListIdentityProviderConfigs
              - eks:AssociateIdentityProviderConfig
              - eks:DescribeIdentityProviderConfig
              - eks:DisassociateIdentityProviderConfig
            Effect: Allow
            Resource:
              - arn:*:eks:*:*:cluster/*
              - arn:*:eks:*:*:nodegroup/*/*/*
          # Add-on and Fargate-profile actions plus VPC CIDR association on '*'.
          - Action:
              - ec2:AssociateVpcCidrBlock
              - ec2:DisassociateVpcCidrBlock
              - eks:ListAddons
              - eks:CreateAddon
              - eks:DescribeAddonVersions
              - eks:DescribeAddon
              - eks:DeleteAddon
              - eks:UpdateAddon
              - eks:TagResource
              - eks:DescribeFargateProfile
              - eks:CreateFargateProfile
              - eks:DeleteFargateProfile
            Effect: Allow
            Resource:
              - '*'
          # PassRole on any role, but only when the receiving service is EKS
          # (iam:PassedToService). This is wider than the name-suffix-scoped
          # PassRole in the controllers policy above.
          - Action:
              - iam:PassRole
            Condition:
              StringEquals:
                iam:PassedToService: eks.amazonaws.com
            Effect: Allow
            Resource:
              - '*'
          # KMS grant creation is limited to keys carrying an alias matching
          # alias/cluster-api-provider-aws-* (ForAnyValue:StringLike on
          # kms:ResourceAliases), not to all keys in the account.
          - Action:
              - kms:CreateGrant
              - kms:DescribeKey
            Condition:
              ForAnyValue:StringLike:
                kms:ResourceAliases: alias/cluster-api-provider-aws-*
            Effect: Allow
            Resource:
              - '*'
        Version: 2012-10-17
      Roles:
        - Ref: AWSIAMRoleControllers
        - Ref: AWSIAMRoleControlPlane
    Type: AWS::IAM::ManagedPolicy
  # Roles. The EC2-trusted roles are assumable by any instance that carries the
  # corresponding instance profile; the EKS control-plane role is assumable only
  # by the EKS service.
  AWSIAMRoleControlPlane:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
        Version: 2012-10-17
      RoleName: control-plane.cluster-api-provider-aws.sigs.k8s.io
    Type: AWS::IAM::Role
  AWSIAMRoleControllers:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
        Version: 2012-10-17
      RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io
    Type: AWS::IAM::Role
  # Role handed to the EKS service for managed control planes; no instance
  # profile references it.
  AWSIAMRoleEKSControlPlane:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - eks.amazonaws.com
        Version: 2012-10-17
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
      RoleName: eks-controlplane.cluster-api-provider-aws.sigs.k8s.io
    Type: AWS::IAM::Role
  # Worker-node role: AWS-managed EKS worker and CNI policies in addition to the
  # nodes managed policy defined above.
  AWSIAMRoleNodes:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
        Version: 2012-10-17
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
        - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
      RoleName: nodes.cluster-api-provider-aws.sigs.k8s.io
    Type: AWS::IAM::Role