sigs.k8s.io/cluster-api-provider-aws@v1.5.5/docs/book/src/topics/iam-permissions.md

# IAM Permissions

## Required to use clusterawsadm to provision IAM roles via CloudFormation

If using `clusterawsadm` to automate deployment of IAM roles via CloudFormation,
you must have IAM administrative access, as `clusterawsadm` will provision IAM
roles and policies.

## Required by Cluster API Provider AWS controllers

The Cluster API Provider AWS controller requires permissions to use EC2, ELB,
Autoscaling and optionally EKS. If provisioning IAM roles using `clusterawsadm`,
these will be set up as the `controllers.cluster-api-provider-aws.sigs.k8s.io`
IAM Policy, and attached to the `controllers.cluster-api-provider-aws.sigs.k8s.io`
and `control-plane.cluster-api-provider-aws.sigs.k8s.io` IAM roles.

### EC2 Provisioned Kubernetes Clusters

```json
{{#include ../../../../out/AWSIAMManagedPolicyControllers.json}}
```

### With EKS Support

```json
{{#include ../../../../out/AWSIAMManagedPolicyControllersWithEKS.json}}
```

### With S3 Support

```json
{{#include ../../../../out/AWSIAMManagedPolicyControllersWithS3.json}}
```

## Required by the Kubernetes AWS Cloud Provider

These permissions are used by the Kubernetes AWS Cloud Provider. If you are
running with the in-tree cloud provider, this will typically be used by the
`controller-manager` pod in the `kube-system` namespace.

If provisioning IAM roles using `clusterawsadm`,
these will be set up as the `control-plane.cluster-api-provider-aws.sigs.k8s.io`
IAM Policy, and attached to the `control-plane.cluster-api-provider-aws.sigs.k8s.io`
IAM role.

```json
{{#include ../../../../out/AWSIAMManagedPolicyCloudProviderControlPlane.json}}
```

## Required by all nodes

All nodes require these permissions in order to run; they are used by the AWS
cloud provider run by kubelet.
If provisioning IAM roles using `clusterawsadm`,
these will be set up as the `nodes.cluster-api-provider-aws.sigs.k8s.io`
IAM Policy, and attached to the `nodes.cluster-api-provider-aws.sigs.k8s.io`
IAM role.

```json
{{#include ../../../../out/AWSIAMManagedPolicyCloudProviderNodes.json}}
```

When using EKS, the `AmazonEKSWorkerNodePolicy` and `AmazonEKS_CNI_Policy`
AWS managed policies will also be attached to the
`nodes.cluster-api-provider-aws.sigs.k8s.io` IAM role.
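The role-to-policy layout described above (controllers policy on the controllers and control-plane roles, control-plane policy on the control-plane role, nodes policy plus the two EKS managed policies on the nodes role) is something worth verifying after `clusterawsadm` has run, both for drift and for policies someone attached by hand. The following is an added example, not part of cluster-api-provider-aws or `clusterawsadm`: it encodes the expected attachments from this page and audits them against data shaped like the `AttachedPolicies` list returned by `aws iam list-attached-role-policies`. The sample responses, including the `111122223333` account id and the stray `AdministratorAccess` attachment, are constructed here so the check runs offline; feeding it live output from the AWS CLI or boto3 is assumed to be the reader's own wiring.

```python
"""Audit CAPA IAM role attachments against the layout documented on this page.

Added example (not project code). SAMPLE_ATTACHMENTS is constructed to look
like the AttachedPolicies entries from `aws iam list-attached-role-policies`,
one list per role name.
"""
import json

SUFFIX = "cluster-api-provider-aws.sigs.k8s.io"
CONTROLLERS = f"controllers.{SUFFIX}"
CONTROL_PLANE = f"control-plane.{SUFFIX}"
NODES = f"nodes.{SUFFIX}"


def expected_policies(eks: bool = False) -> dict:
    """Role name -> set of policy names the page says clusterawsadm attaches."""
    expected = {
        CONTROLLERS: {CONTROLLERS},
        CONTROL_PLANE: {CONTROLLERS, CONTROL_PLANE},
        NODES: {NODES},
    }
    if eks:
        # AWS managed policies added to the nodes role for EKS clusters.
        expected[NODES] |= {"AmazonEKSWorkerNodePolicy", "AmazonEKS_CNI_Policy"}
    return expected


def policy_name(arn: str) -> str:
    """Take the name after the last '/' of a policy ARN.

    Works for both account policies (arn:aws:iam::<acct>:policy/<name>)
    and AWS managed policies (arn:aws:iam::aws:policy/<name>)."""
    return arn.rsplit("/", 1)[-1]


def audit(attachments: dict, eks: bool = False) -> dict:
    """Compare actual attachments to the expected layout.

    attachments: role name -> list of {"PolicyName": ..., "PolicyArn": ...}.
    Returns role name -> {"missing": [...], "unexpected": [...]}; an
    "unexpected" entry is a policy granting rights this page does not call for.
    """
    report = {}
    for role, want in expected_policies(eks).items():
        have = {policy_name(p["PolicyArn"]) for p in attachments.get(role, [])}
        report[role] = {
            "missing": sorted(want - have),
            "unexpected": sorted(have - want),
        }
    return report


def is_clean(report: dict) -> bool:
    """True when every role has exactly the expected policies."""
    return all(not r["missing"] and not r["unexpected"] for r in report.values())


# Constructed sample: control-plane role lacks the controllers policy, and the
# nodes role carries an AdministratorAccess attachment nobody should have added.
SAMPLE_ATTACHMENTS = json.loads(f"""{{
  "{CONTROLLERS}": [
    {{"PolicyName": "{CONTROLLERS}",
     "PolicyArn": "arn:aws:iam::111122223333:policy/{CONTROLLERS}"}}
  ],
  "{CONTROL_PLANE}": [
    {{"PolicyName": "{CONTROL_PLANE}",
     "PolicyArn": "arn:aws:iam::111122223333:policy/{CONTROL_PLANE}"}}
  ],
  "{NODES}": [
    {{"PolicyName": "{NODES}",
     "PolicyArn": "arn:aws:iam::111122223333:policy/{NODES}"}},
    {{"PolicyName": "AdministratorAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}}
  ]
}}""")


if __name__ == "__main__":
    for role, result in audit(SAMPLE_ATTACHMENTS).items():
        print(role, json.dumps(result))
    print("clean:", is_clean(audit(SAMPLE_ATTACHMENTS)))
```

Run with `eks=True` when the cluster uses EKS so the two AWS managed policies are required rather than flagged as unexpected. The report treats any extra attachment as a finding, which is the least-privilege reading of this page: the roles should carry the listed policies and nothing else.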